// serverWithAuth builds a gRPC server, possibly with authentication if key / cert files are given.
func serverWithAuth(keyFile, certFile, caCertFile string) *grpc.Server {
if keyFile == "" {
return grpc.NewServer(grpc.MaxMsgSize(maxMsgSize)) // No auth.
}
log.Debug("Loading x509 key pair from key: %s cert: %s", keyFile, certFile)
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatalf("Failed to load x509 key pair: %s", err)
}
config := tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequestClientCert,
}
if caCertFile != "" {
cert, err := ioutil.ReadFile(caCertFile)
if err != nil {
log.Fatalf("Failed to read CA cert file: %s", err)
}
config.ClientCAs = x509.NewCertPool()
if !config.ClientCAs.AppendCertsFromPEM(cert) {
log.Fatalf("Failed to find any PEM certificates in CA cert")
}
}
return grpc.NewServer(grpc.Creds(credentials.NewTLS(&config)), grpc.MaxMsgSize(maxMsgSize))
}
// createGRPCServer create the gRPC server we will be using.
// It has to be called after flags are parsed, but before
// services register themselves.
func createGRPCServer() {
// skip if not registered
if !isGRPCEnabled() {
log.Infof("Skipping gRPC server creation")
return
}
var opts []grpc.ServerOption
if GRPCPort != nil && *GRPCCert != "" && *GRPCKey != "" {
config := &tls.Config{}
// load the server cert and key
cert, err := tls.LoadX509KeyPair(*GRPCCert, *GRPCKey)
if err != nil {
log.Fatalf("Failed to load cert/key: %v", err)
}
config.Certificates = []tls.Certificate{cert}
// if specified, load ca to validate client,
// and enforce clients present valid certs.
if *GRPCCA != "" {
b, err := ioutil.ReadFile(*GRPCCA)
if err != nil {
log.Fatalf("Failed to read ca file: %v", err)
}
cp := x509.NewCertPool()
if !cp.AppendCertsFromPEM(b) {
log.Fatalf("Failed to append certificates")
}
config.ClientCAs = cp
config.ClientAuth = tls.RequireAndVerifyClientCert
}
// create the creds server options
creds := credentials.NewTLS(config)
opts = []grpc.ServerOption{grpc.Creds(creds)}
}
// Override the default max message size (which is 4 MiB in gRPC 1.0.0).
// Large messages can occur when users try to insert very big rows. If they
// hit the limit, they'll see the following error:
// grpc: received message length XXXXXXX exceeding the max size 4194304
// Note: For gRPC 1.0.0 it's sufficient to set the limit on the server only
// because it's not enforced on the client side.
if GRPCMaxMessageSize != nil {
opts = append(opts, grpc.MaxMsgSize(*GRPCMaxMessageSize))
}
GRPCServer = grpc.NewServer(opts...)
}
// NewServer is a thin wrapper around grpc.NewServer that registers a heartbeat
// service.
func NewServer(ctx *Context) *grpc.Server {
opts := []grpc.ServerOption{
grpc.MaxMsgSize(math.MaxInt32), // TODO(peter,tamird): need tests before lowering
}
if !ctx.Insecure {
tlsConfig, err := ctx.GetServerTLSConfig()
if err != nil {
panic(err)
}
opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
}
s := grpc.NewServer(opts...)
RegisterHeartbeatServer(s, &HeartbeatService{
clock: ctx.localClock,
remoteClockMonitor: ctx.RemoteClocks,
})
return s
}
// NewServer is a thin wrapper around grpc.NewServer that registers a heartbeat
// service.
func NewServer(ctx *Context) *grpc.Server {
opts := []grpc.ServerOption{
// The limiting factor for lowering the max message size is the fact
// that a single large kv can be sent over the network in one message.
// Our maximum kv size is unlimited, so we need this to be very large.
// TODO(peter,tamird): need tests before lowering
grpc.MaxMsgSize(math.MaxInt32),
}
if !ctx.Insecure {
tlsConfig, err := ctx.GetServerTLSConfig()
if err != nil {
panic(err)
}
opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
}
s := grpc.NewServer(opts...)
RegisterHeartbeatServer(s, &HeartbeatService{
clock: ctx.localClock,
remoteClockMonitor: ctx.RemoteClocks,
})
return s
}
// NewServer creates a new grpc server.
func NewServer() *grpc.Server {
return grpc.NewServer(
grpc.MaxMsgSize(maxMsgSize),
)
}
