Adds gRPC Server-side TLS Support

[danehans]

Adds gRPC Server-side TLS support to Fortio grpc client and server. Addresses TODO: option to specify certs. in fgrpc/grpcrunner.go.

[ldemailly]

I don't think we should put self signed certs in the release docker image

maybe it can be a volume/mount like the json data dir ?

for testing we can have indeed a script generating a sample

[danehans]

Thank you for taking a look at the PR.

I don't think we should put self signed certs in the release docker image

Agreed, that is why I did not update release/Dockerfile.

maybe it can be a volume/mount like the json data dir ?

I'm not familiar with how the json data dir is mounted. Do you have a pointer?

for testing we can have indeed a script generating a sample

Agreed, I wanted to make sure we can perform e2e testing on the feature. This is why I updated the non-release Docker image. Maybe I don't understand how the non-release and release images work with one another.

[ldemailly]

Thank you for taking a look at the PR.

I haven't yet, really. will now

I'm not familiar with how the json data dir is mounted. Do you have a pointer?

https://github.com/istio/fortio/blob/master/Dockerfile#L33

Agreed, I wanted to make sure we can perform e2e testing on the feature. This is why I updated the non-release Docker image. Maybe I don't understand how the non-release and release images work with one another.

Dockerfile is the release for istio/fortio
there is additional code in release/ that extract a tgz out of it but it's secondary

[ldemailly]

tbh in addition to all the technical issues/details below,

I'm really not a fan of adding all this code - it might grow on me though once simplified and working but... not sure.... I'll give it some more thoughts

[ldemailly]

undo all this

[ldemailly]

I don't think we need a brand new top level package just for this

it can be a file inside fnet

[ldemailly]

this seems overly complicated for a testing tool we only need
https://godoc.org/google.golang.org/grpc/credentials#NewClientTLSFromFile
no ?

(though maybe it is worth having this for http tls too)

[danehans]

I thought this would be needed to setup one or more trusted CA for authorizing client/server connections.

[ldemailly]

I don't think the switch between standard CA vs custom CA should be based on https:// prefix
it's a config option, to be added to grpcoptions

[ldemailly]

if they are hard coded what is the point of passing constants.
we need some grpcoptions struct to control tls instead of just 1 boolean

[ldemailly]

how would you put both the standard CA and additional one in 1 config ?

[danehans]

Change CAFile to be of type []string that represent one or more paths to trusted CA certs. Provide the slice to NewCertPool. Create a cmdline flag that allows a user to specify multiple comma-separated cert paths. Is that acceptable?

[ldemailly]

i'd rather have just the NewClientTLSFromFile for now I think; and less code

[codecov]

Codecov Report

Merging #204 into master will increase coverage by 0.2%.
The diff coverage is 87.5%.

@@           Coverage Diff            @@
##           master    #204     +/-   ##
========================================
+ Coverage    90.2%   90.5%   +0.2%     
========================================
  Files          10      10             
  Lines        1906    1899      -7     
========================================
- Hits         1720    1718      -2     
+ Misses        119     116      -3     
+ Partials       67      65      -2

Impacted Files	Coverage Δ
fgrpc/pingsrv.go	88.1% <84.6%> (+0.9%)	⬆️
fgrpc/grpcrunner.go	90.8% <90.9%> (+2.6%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update be80813...81b16cd. Read the comment docs.

[danehans]

@ldemailly Thanks for your review. I addressed your comments and have updated the PR. The purpose of this PR is to address TODO: option to specify certs. I should have created an issue to discuss my intentions before getting this far. If my approach is unwanted, let me know how you would like to address the TODO.

[danehans]

OK. I'll strip most of this stuff out and update the PR.

[ldemailly]

Sorry been crazy busy... will look more soon

[ldemailly]

let's use --key --cert --cacert
like curl
and
https://istio.io/docs/tasks/security/mutual-tls.html#testing-the-authentication-setup

[ldemailly]

we still need a way to standard TLS no?

[danehans]

This PR provides backwards compatibility. Instead of passing the -grpc-secure bool, Dial will use the one of the following:

A. The cert from -server-cert if it's provided. I can easily add the flag back in, but IMO it no longer adds value.
B. Us nil creds if dest is an https prefix (this provides backwards compatibility)
C. Insecure Dial if A or C do not apply.

I thought this is a cleaner approach than setting the bool and cert/key flags. IMO having both sets of flags causes user confusion. Using the legacy bool flag made sense, a user flips the secure/insecure switch.

[ldemailly]

I'm not following - how do I get the previous behavior exactly ?

[danehans]

The previous behavior is accomplished by using an https prefix with the grpc destination.
For example:

grpc client

fortio grpcping https://fortio.istio.io

or any client that uses GRPCRunnerOptions

fortio curl -loglevel debug http://localhost:8080/fortio/fetch/localhost:8080/fortio/?url=https://fortio.istio.io:443&load=Start&qps=-1&json=on&n=100&runner=grpc

[ldemailly]

ic I missed that - does it work with fortio load -grpc https://... too ? (it should I guess as destination is passed down unchanged if I recall)

we should put tls/no tls in the (json) result object

we should probably document that behavior somewhere (that grpc host:port is insecure unless a cert is given and https://host:port is secure)

[danehans]

does it work with fortio load -grpc https://... too ?

It does. I extensively tested this patch today. I documented the details here.

we should probably document that behavior somewhere (that grpc host:port is insecure unless a cert is given and https://host:port is secure)

I updated the Readme.

[ldemailly]

add a new line to minimize the diff
(go can be annoying with reformatting to align - also as mentioned I think the grpc-secure flag is still needed, the cert,ca,key are optional)

[danehans]

Will do. For clarity, the ca flag was dropped since refactoring this PR based on your initial feedback.

[ldemailly]

I'm thinking we should add some GRPC(Server)Options instead of 5 string params
(shared between the client and server maybe)
but maybe that can be a followup

[danehans]

I would like to address that in a follow-on PR. This PR has been around for a while. I opened issue
#220 and assigned myself.

[ldemailly]

k, ty

[ldemailly]

the 2 are different

[danehans]

Understood. See my response above and let me know your thoughts. I want to make sure we're on the same page before I rebase this PR (it was a PITA the last time I rebased).

[ldemailly]

k

[ldemailly]

for this I think we should just use the flags (if you want a fortio UI using different cert, start a new one with different cert path)

[danehans]

From what I see, the challenge with that approach is:

1. uihandler.go creates instance o of the fgrpc.GRPCRunnerOptions object .
2. The flags created in fortio_main.go are not available to uihandler.go or any other pkg for that matter. Therefore, the Cert field in o can not be populated based on any flags.

I believe what you are asking for can be accomplished by putting Fortio flags into a pkg (i.e. cli ) and having fortio_main.go and any other dependent pkg's import cli. If this has your interest, please create an Issue, assign me and I'll work on refactoring the Fortio cli into a separate pkg. However, I don't think that work should block this PR.

[ldemailly]

we could also pass those global options to ui.Serve()

[danehans]

Yes, assuming the cli options are in a separate pkg. As I mentioned, I am happy to take on this Fortio cli refactoring. Just create an Issue and assign me. Until then, I think providing a field to enter the cert path is a reasonable option.

[danehans]

Thanks for the follow-up review!

[danehans]

This PR provides backwards compatibility. Instead of passing the -grpc-secure bool, Dial will use the one of the following:

A. The cert from -server-cert if it's provided. I can easily add the flag back in, but IMO it no longer adds value.
B. Us nil creds if dest is an https prefix (this provides backwards compatibility)
C. Insecure Dial if A or C do not apply.

I thought this is a cleaner approach than setting the bool and cert/key flags. IMO having both sets of flags causes user confusion. Using the legacy bool flag made sense, a user flips the secure/insecure switch.

[danehans]

Will do. For clarity, the ca flag was dropped since refactoring this PR based on your initial feedback.

[danehans]

I would like to address that in a follow-on PR. This PR has been around for a while. I opened issue
#220 and assigned myself.

[danehans]

Understood. See my response above and let me know your thoughts. I want to make sure we're on the same page before I rebase this PR (it was a PITA the last time I rebased).

[danehans]

From what I see, the challenge with that approach is:

1. uihandler.go creates instance o of the fgrpc.GRPCRunnerOptions object .
2. The flags created in fortio_main.go are not available to uihandler.go or any other pkg for that matter. Therefore, the Cert field in o can not be populated based on any flags.

I believe what you are asking for can be accomplished by putting Fortio flags into a pkg (i.e. cli ) and having fortio_main.go and any other dependent pkg's import cli. If this has your interest, please create an Issue, assign me and I'll work on refactoring the Fortio cli into a separate pkg. However, I don't think that work should block this PR.

[ldemailly]

ic this is where the https/tls behaviour is

[danehans]

Yeah, all the intelligence is in Dial.

[ldemailly]

ic I missed that - does it work with fortio load -grpc https://... too ? (it should I guess as destination is passed down unchanged if I recall)

we should put tls/no tls in the (json) result object

we should probably document that behavior somewhere (that grpc host:port is insecure unless a cert is given and https://host:port is secure)

[ldemailly]

k, ty

[ldemailly]

k

[ldemailly]

which case is that change for ?

[ldemailly]

isn't this relative path making success dependent on where it is ran from ? (somehow doubt it works from both parent or different directories?)

not sure we need a new directory - tbd if go testing has provision for files relative to test files?

[danehans]

I tested by copying the cert/key from the testdata directory to the project's root directory and updating the following in grpcrunner_test.go:

	svrCrt = "../server.crt"
	svrKey = "../server.key"

The tests passed.

not sure we need a new directory - tbd if go testing has provision for files relative to test files?

I like the idea of storing all test data for a project in a specific directory. I think it's clean and makes it very apparent to devs. Let me know where I should move the test cert/key if you want me to remove the directory.

[ldemailly]

this is good, do you have time to raise the coverage ? (for instance pass invalid credentials, connect to the wrong port/settings,...)

[ldemailly]

where is -cacert ? I see in the example you pass a cert to the client, I assume that implies it expects that cert, but it should be a CA instead ?

[ldemailly]

add:

"unless https:// destination is used, in which case standard TLS is expected (with valid server certificates signed by the internet standard CAs)"

or some such

[ldemailly]

I wonder here if we're confusing client and server cert

we should be able to do mTLS by providing an optional client cert; and expect a server cert signed by a custom CA

[danehans]

I updated the name of this PR to properly reflect the implemented functionality. This PR originally provided mTLS, but I simplified things based on your initial feedback. This PR will allow clients (i.e. grpcping) to authenticate the Fortio gRPC server and encrypt the data exchanged. In my original PR, the server cert was fetched from the CA (Fortio server). Since refactoring, the server cert must be shipped with the client-side application. This blog provides details of the original and current approach for this PR. Let me know how you would like to proceed.

[danehans]

This section provides a detailed explanation of the basic TLS handshake implemented by this PR.

[danehans]

@ldemailly will this PR be ready to merge after I fix the conflicts?

[ldemailly]

almost, see below

[ldemailly]

$(CERT_TEMP) ?

[danehans]

removed

[ldemailly]

CERT_TEMP_DIR := ...

[danehans]

done

[ldemailly]

when merging make sure there is 0.9.1 everywhere

[danehans]

Looks like docs are now using 0.10.0. I have changed to 0.10.0.

[ldemailly]

it's actually 0.10.1 now :-)

[ldemailly]

remove that part (localhost san) as it doesn't matter / is also out of scope ? - or mentioned the makefile can generate test only certs

[danehans]

done

[ldemailly]

missing close 3 ` - please make sure you preview/look over the changes

[danehans]

done

[ldemailly]

change so it works with https://github.com/istio/fortio/blob/master/Makefile#L112

ie: add the file name to the list and use istio/fortio.build:v7 directly so sed finds it when we go to v8

[ldemailly]

that change isn't reflected in the README.md

see release/updateFlags.sh for how to update

we also need to document somewhere that https:// replaces -grpc-secure

[danehans]

I have updated the readme to remove the -secure-grpc flag and ran the updateFlags.sh script.

[danehans]

done

[danehans]

@ldemailly thanks for the feedback. I need a couple days to wrap-up something I'm working on and I'll push a new commit that addresses your concerns.

[ldemailly]

thanks for your patience and flexibility !

[danehans]

I'm getting ready to push my latest commit that addresses your feedback.

[danehans]

I have updated the readme to remove the -secure-grpc flag and ran the updateFlags.sh script.

[danehans]

done

[danehans]

done

[danehans]

removed

[danehans]

Looks like docs are now using 0.10.0. I have changed to 0.10.0.

[danehans]

done

[danehans]

done

[danehans]

I'm getting ready to push my latest commit that addresses your feedback.

[danehans]

@ldemailly do you mind reviewing when you have a moment?

[ldemailly]

looking now

[ldemailly]

getting some github (unicorn) errors when I try to open this PR somehow)

qq: why did you remove TestExitedPingServer ?

[ldemailly]

Really almost there now - Thanks!

A few comment and you only need to update where I prefixed by "NeedFix" (4 places)

[ldemailly]

this should probably be "trap"ed too but I guess we can clean that up later

[danehans]

I thought the trap is used for the final Fortio instance, the report mode server. I stop/rm the Docker assets for the secure grpc instance of Fortio server before the script starts the report mode Fortio server.

[ldemailly]

trap means cleanup like a finally, in case of error in any of tbe tests

[ldemailly]

NeedFix: when an error occurs it is very important to log all the input, please add cacert and override to the statement

[danehans]

ack

[ldemailly]

NeedFix: either put the type for all 3 or only once but here it's odd to have string 2 out of 3 args

[danehans]

ack

[ldemailly]

can we have a positive test of CertOverride (where it is set yet works ?)

[ldemailly]

NeedFix: there is a lot of copy paste of this section, why not have the runner options in a variable ?

[danehans]

I guess I find table tests easier to read when testing multiple test cases. WOuld you rather I follow the existing pattern for the test? Something like this:

func TestGRPCRunner(t *testing.T) {
	log.SetLogLevel(log.Info)
	iPort := PingServer("0", "", "", "bar", 0)
	iDest := fmt.Sprintf("localhost:%d", iPort)
	sPort := PingServer("0", svrCrt, svrKey, "bar", 0)
	sDest := fmt.Sprintf("localhost:%d", sPort)
	ro := periodic.RunnerOptions{
		QPS:        100,
		Resolution: 0.00001,
	}

	opts := GRPCRunnerOptions{
		RunnerOptions: ro,
		Destination: iDest,
		Profiler:    "test.profile",
	}
	res, err := RunGRPCTest(&opts)
	if err != nil {
		t.Error(err)
		return
	}
	totalReq := res.DurationHistogram.Count
	ok := res.RetCodes[grpc_health_v1.HealthCheckResponse_SERVING]
	if totalReq != ok {
		t.Errorf("Mismatch between requests %d and ok %v", totalReq, res.RetCodes)
	}
	// Test a grpc runner with TLS enabled.
	opts.Destination = sDest
	opts.CACert = caCrt
	res, err = RunGRPCTest(&opts)
	if err != nil {
		t.Error(err)
		return
	}
	totalReq = res.DurationHistogram.Count
	ok = res.RetCodes[grpc_health_v1.HealthCheckResponse_SERVING]
	if totalReq != ok {
		t.Errorf("Mismatch between requests %d and ok %v", totalReq, res.RetCodes)
	}
}

Keep in mind the above example is only exercising 2 test cases.

[ldemailly]

NeedFix: same

[ldemailly]

this could probably be a single log info instead of 2 but it's ok as is too

[danehans]

Please see my feedback and example refactor of TestGRPCRunner. I would like to make sure we're on the same page before I refactor TestGRPCRunner and TestGRPCRunnerWithError.

[danehans]

I thought the trap is used for the final Fortio instance, the report mode server. I stop/rm the Docker assets for the secure grpc instance of Fortio server before the script starts the report mode Fortio server.

[danehans]

ack

[danehans]

ack

[danehans]

I guess I find table tests easier to read when testing multiple test cases. WOuld you rather I follow the existing pattern for the test? Something like this:

func TestGRPCRunner(t *testing.T) {
	log.SetLogLevel(log.Info)
	iPort := PingServer("0", "", "", "bar", 0)
	iDest := fmt.Sprintf("localhost:%d", iPort)
	sPort := PingServer("0", svrCrt, svrKey, "bar", 0)
	sDest := fmt.Sprintf("localhost:%d", sPort)
	ro := periodic.RunnerOptions{
		QPS:        100,
		Resolution: 0.00001,
	}

	opts := GRPCRunnerOptions{
		RunnerOptions: ro,
		Destination: iDest,
		Profiler:    "test.profile",
	}
	res, err := RunGRPCTest(&opts)
	if err != nil {
		t.Error(err)
		return
	}
	totalReq := res.DurationHistogram.Count
	ok := res.RetCodes[grpc_health_v1.HealthCheckResponse_SERVING]
	if totalReq != ok {
		t.Errorf("Mismatch between requests %d and ok %v", totalReq, res.RetCodes)
	}
	// Test a grpc runner with TLS enabled.
	opts.Destination = sDest
	opts.CACert = caCrt
	res, err = RunGRPCTest(&opts)
	if err != nil {
		t.Error(err)
		return
	}
	totalReq = res.DurationHistogram.Count
	ok = res.RetCodes[grpc_health_v1.HealthCheckResponse_SERVING]
	if totalReq != ok {
		t.Errorf("Mismatch between requests %d and ok %v", totalReq, res.RetCodes)
	}
}

Keep in mind the above example is only exercising 2 test cases.

[danehans]

Please see my feedback and example refactor of TestGRPCRunner. I would like to make sure we're on the same page before I refactor TestGRPCRunner and TestGRPCRunnerWithError.

[ldemailly]

in theory should have an if that it is set/started (as it's not started right away unlike DOCKERID) but it's ok, you didn't have to change it (for that reason as well - I'll try - one test is interrupt or have a test error out and see if it still finishes correctly/cleansup without too many additional errors)

[ldemailly]

optional: here too (override logging)

[ldemailly]

I didn't mean to have to put a big switch here :( why can't those be above directly ?

[ldemailly]

closing for #249 (this PR makes github choke so redone there)
to see history/comments check with incognito window (and/or when github fixes that bug)