doumi7854 2018-02-14 03:21
浏览 141
已采纳

如何为gRPC TLS连接设置docker-compose容器?

I have a gRPC client and a server as two docker containers declared with docker-compose.

version: '3.3'
services:
  apiserver:
    image: golang:latest
    container_name: apiserver
    expose:
      - "3000"
    ports:
      - "3000:3000"
    command: go run cmd/apiserver/main.go

  userserver:
    image: golang:latest
    container_name: userserver
    expose:
      - "3001"
    ports:
      - "3001:3001"
    command: go run cmd/userserver/main.go

I omitted some things like volumes etc as I think they are not related to the issue.

When a client tries to dial server I get an error TLS handshake error from 172.22.0.1:34824: tls: oversized record received with length 21536

server (userserver):

lis, err := net.Listen("tcp", "userserver:3001")
if err != nil {
    logger.Critical(ctx, "failed to listen: %v", err)
}

grpcServer := grpc.NewServer()
userServer := userserver.New()
pb.RegisterDomainServer(grpcServer, userServer)
rpcErr := grpcServer.Serve(lis)

if rpcErr != nil {
    logger.Critical(ctx, "failed to serve: %v", rpcErr)
}

client (apiserver):

conn, err := grpc.Dial("userserver:3001", grpc.WithInsecure())
if err != nil {
    return err
}
defer conn.Close()

client := pb.NewDomainClient(conn)
_, err = client.Dispatch(ctx, &pb.Command{
    Name:    command,
    Payload: payload,
})

Info

the client is apiserver and the userserver is gRPC server, the reason why client is called apiserver is because it also works as http proxy. So the apiserver container tries to dial userserver container

  • 写回答

1条回答 默认 最新

  • dongyan1808 2018-02-14 08:44
    关注

    You are missing grpc.Creads(...)

    We are use this code:

    package main
    
    import(
        "crypto/tls"
        "crypto/x509"
        "crypto/x509/pkix"
        "io/ioutil"
    
        "google.golang.org/grpc"
        "google.golang.org/grpc/credentials"
        "mysource.com/packages/grpcserver"
    )
    
    func main(){
        cert := "/path/to/cert.crt"
        key := "/path/to/cert.key"
        caCrt := "/path/to/my.ca"
    
        certificate, err := tls.LoadX509KeyPair(cert, key)
        if err != nil {
            return
        }   
        certPool := x509.NewCertPool()
    
        ca, err := ioutil.ReadFile(caCrt)
        if err != nil {
            return
        }
    
        if ok := certPool.AppendCertsFromPEM(ca); !ok {
            return
        }
        creds := credentials.NewTLS(&tls.Config{
            ClientAuth:   tls.RequireAndVerifyClientCert,
            Certificates: []tls.Certificate{certificate},
            ClientCAs:    certPool,
            MinVersion:   tls.VersionTLS12,
        })
    
        grpcServer := grpc.NewServer(grpc.Creds(creds))
        server := grpcserver.NewGrpcServer()
        grpcserver.RegisterGrpcServer(grpcServer, server)
    
        lis, err := net.Listen("tcp", "0.0.0.0:11311")      
        log.Fatal(grpcServer.Serve(lis))
    }
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?