feat!: outsource grpc mtls handling to sdk (istio)

Signed-off-by: Sebastian Becker <sebastian.becker@de.bosch.com>
carbynestack · Feb 19, 2025 · c27d260 · c27d260
1 parent 73b9491
commit c27d260
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 96 deletions.
diff --git a/charts/ephemeral/templates/discovery.yaml b/charts/ephemeral/templates/discovery.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021-2024 - for information on the respective copyright owner
+# Copyright (c) 2021-2023 - for information on the respective copyright owner
 # see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 #
 # SPDX-License-Identifier: Apache-2.0
@@ -39,16 +39,10 @@ spec:
         volumeMounts:
           - name: config-volume
             mountPath: /etc/config
-          - name: tls-secret-volume
-            mountPath: /etc/tls
-            readOnly: true
       volumes:
         - name: config-volume
           configMap:
             name: discovery-config
-        - name: tls-secret-volume
-          secret:
-            secretName: {{ .Values.tls.secret }}
       serviceAccountName: discovery
 ---
 kind: Service
@@ -66,7 +60,7 @@ spec:
   ports:
     - protocol: TCP
       port: 8080
-      name: cs-tcp
+      name: grpc-my
       targetPort: 8080
 ---
 apiVersion: v1
@@ -80,54 +74,9 @@ data:
       "frontendURL": "{{ .Values.discovery.frontendUrl }}",
       "masterHost": "{{ .Values.discovery.master.host }}",
       "masterPort": "{{ .Values.discovery.master.port }}",
-      "tlsEnabled": {{ .Values.tls.enabled }},
       "slave": {{ if .Values.discovery.isMaster }}false{{ else }}true{{ end }},
       "playerCount": {{ .Values.playerCount }},
       "stateTimeout": "{{ .Values.discovery.stateTimeout }}",
       "computationTimeout": "{{ .Values.discovery.computationTimeout }}",
       "connectTimeout": "{{ .Values.discovery.slave.connectTimeout }}"
     }
----
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: discovery-service
-spec:
-  selector:
-    istio: ingressgateway # use istio default controller
-  servers:
-{{- if .Values.tls.enabled }}
-    - port:
-        number: 31400
-        name: cs-grpc
-        protocol: HTTPS
-      tls:
-        mode: MUTUAL # enables mTLS on the Gateway
-        credentialName: {{ .Values.tls.secret }} # the name of the Secret that holds the TLS certs and CA certificate
-      hosts:
-        - "*"
-{{- else }}
-    - port:
-        number: 31400
-        name: cs-grpc
-        protocol: GRPC
-      hosts:
-        - "*"
-{{- end }}
-
----
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: discovery-service
-spec:
-  hosts:
-    - "*"
-  gateways:
-    - discovery-service
-  http:
-    - route:
-        - destination:
-            host: {{ include "ephemeral.fullname" . }}-discovery.default.svc.cluster.local
-            port:
-              number: 8080
diff --git a/cmd/discovery/main.go b/cmd/discovery/main.go
@@ -1,17 +1,14 @@
-// Copyright (c) 2021-2024 - for information on the respective copyright owner
+// Copyright (c) 2021-2023 - for information on the respective copyright owner
 // see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 //
 // SPDX-License-Identifier: Apache-2.0
 package main
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"
-
 	"github.com/carbynestack/ephemeral/pkg/discovery"
 	c "github.com/carbynestack/ephemeral/pkg/discovery/transport/client"
 	cl "github.com/carbynestack/ephemeral/pkg/discovery/transport/client"
@@ -24,6 +21,7 @@ import (
 	"github.com/carbynestack/ephemeral/pkg/utils"
 	mb "github.com/vardius/message-bus"
 	"go.uber.org/zap"
+	"time"
 )
 
 const (
@@ -34,7 +32,6 @@ const (
 	// DefaultPortRange is the range of ports used for MCP communication between the players.
 	DefaultPortRange      = "30000:30100"
 	defaultConfigLocation = "/etc/config/config.json"
-	defaultTlsConfig      = "/etc/tls"
 )
 
 func main() {
@@ -58,16 +55,6 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-
-	var tlsConfig *tls.Config
-	if config.TlsEnabled {
-		var err error
-		tlsConfig, err = utils.CreateTLSConfig(defaultTlsConfig)
-		if err != nil {
-			panic(err)
-		}
-	}
-
 	var upstreamConfig *DiscoveryClientTypedConfig
 	if config.Slave {
 		upstreamConfig = &DiscoveryClientTypedConfig{
@@ -76,7 +63,7 @@ func main() {
 			ConnectTimeout: config.ConnectTimeout,
 		}
 	}
-	client, mode, err := NewClient(upstreamConfig, tlsConfig, logger, errCh)
+	client, mode, err := NewClient(upstreamConfig, logger, errCh)
 	if err != nil {
 		panic(err)
 	}
@@ -99,7 +86,7 @@ func main() {
 // NewClient returns a new client with parameters specific to the server mode. If upstreamClient is defined, the client
 // will be configured to forward incoming events to an upstream master server. With upstreamClient set to nil, the
 // service is considered to be the master service.
-func NewClient(upstreamConfig *types.DiscoveryClientTypedConfig, tlsConfig *tls.Config, logger *zap.SugaredLogger, errCh chan error) (*cl.Client, string, error) {
+func NewClient(upstreamConfig *types.DiscoveryClientTypedConfig, logger *zap.SugaredLogger, errCh chan error) (*cl.Client, string, error) {
 	logger.Debug("Creating new discovery client")
 	mode := ModeMaster
 	client := &cl.Client{}
@@ -118,7 +105,6 @@ func NewClient(upstreamConfig *types.DiscoveryClientTypedConfig, tlsConfig *tls.
 			ConnectTimeout: upstreamConfig.ConnectTimeout,
 			Logger:         logger,
 			Context:        context.Background(),
-			TlsConfig:      tlsConfig,
 		}
 		client, err = c.NewClient(grpcClientConf)
 		if err != nil {
@@ -195,12 +181,10 @@ func ParseConfig(path string) (*DiscoveryTypedConfig, error) {
 	if err != nil {
 		return nil, errors.New(fmt.Sprintf("invalid connection timeout format: %v", err))
 	}
-
 	return &DiscoveryTypedConfig{
 		FrontendURL:        conf.FrontendURL,
 		MasterHost:         conf.MasterHost,
 		MasterPort:         conf.MasterPort,
-		TlsEnabled:         conf.TlsEnabled,
 		Slave:              conf.Slave,
 		StateTimeout:       stateTimeout,
 		ComputationTimeout: computationTimeout,

diff --git a/cmd/discovery/main_test.go b/cmd/discovery/main_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 - for information on the respective copyright owner
+// Copyright (c) 2021-2023 - for information on the respective copyright owner
 // see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -30,7 +30,7 @@ var _ = Describe("Main", func() {
 		}
 		logger := zap.NewNop().Sugar()
 		errCh := make(chan error)
-		cl, mode, err := NewClient(conf, nil, logger, errCh)
+		cl, mode, err := NewClient(conf, logger, errCh)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(mode).To(Equal(ModeSlave))
 		Expect(cl).NotTo(BeNil())

diff --git a/pkg/discovery/transport/client/client.go b/pkg/discovery/transport/client/client.go
@@ -1,23 +1,20 @@
-// Copyright (c) 2021-2024 - for information on the respective copyright owner
+// Copyright (c) 2021-2023 - for information on the respective copyright owner
 // see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 //
 // SPDX-License-Identifier: Apache-2.0
 package client
 
 import (
 	"context"
-	"crypto/tls"
 	"errors"
+	pb "github.com/carbynestack/ephemeral/pkg/discovery/transport/proto"
 	"io"
 	"time"
 
-	pb "github.com/carbynestack/ephemeral/pkg/discovery/transport/proto"
-
 	. "github.com/carbynestack/ephemeral/pkg/types"
 
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -44,8 +41,6 @@ type TransportClientConfig struct {
 	Logger *zap.SugaredLogger
 
 	Context context.Context
-
-	TlsConfig *tls.Config
 }
 
 // TransportConn is an interface for the underlying gRPC transport connection.
@@ -106,17 +101,7 @@ func (c *Client) GetOut() chan *pb.Event {
 func (c *Client) Connect() (*grpc.ClientConn, error) {
 	ctx, cancelConnect := context.WithTimeout(context.Background(), c.conf.ConnectTimeout)
 	defer cancelConnect()
-
-	var opts []grpc.DialOption
-	if c.conf.TlsConfig != nil {
-		c.conf.Logger.Debug("Using TLS for gRPC connection")
-		creds := credentials.NewTLS(c.conf.TlsConfig)
-		opts = append(opts, grpc.WithTransportCredentials(creds))
-	} else {
-		opts = append(opts, grpc.WithInsecure())
-	}
-
-	conn, err := grpc.DialContext(ctx, c.conf.Host+":"+c.conf.Port, append(opts, grpc.WithBlock())...)
+	conn, err := grpc.DialContext(ctx, c.conf.Host+":"+c.conf.Port, grpc.WithBlock(), grpc.WithInsecure())
 	if err != nil {
 		c.conf.Logger.Errorf("Error establishing a gRPC connection: %v", err)
 		return nil, err

diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -6,11 +6,11 @@ package types
 
 import (
 	"context"
+	"crypto/tls"
 	"github.com/carbynestack/ephemeral/pkg/amphora"
 	"github.com/carbynestack/ephemeral/pkg/castor"
 	pb "github.com/carbynestack/ephemeral/pkg/discovery/transport/proto"
 	"github.com/carbynestack/ephemeral/pkg/opa"
-	"crypto/tls"
 	"math/big"
 	"time"
 
@@ -36,7 +36,6 @@ type DiscoveryConfig struct {
 	FrontendURL        string `json:"frontendURL"`
 	MasterHost         string `json:"masterHost"`
 	MasterPort         string `json:"masterPort"`
-	TlsEnabled         bool   `json:"tlsEnabled"`
 	Slave              bool   `json:"slave"`
 	StateTimeout       string `json:"stateTimeout"`
 	ComputationTimeout string `json:"computationTimeout"`
@@ -52,7 +51,6 @@ type DiscoveryTypedConfig struct {
 	FrontendURL        string
 	MasterHost         string
 	MasterPort         string
-	TlsEnabled         bool
 	Slave              bool
 	StateTimeout       time.Duration
 	ComputationTimeout time.Duration