英文:
How do you do GRPC authentication in an istio mTLS setup?
问题
我有一堆使用自签名证书的GRPC微服务。我将身份验证信息添加到GRPC通道中,然后用于识别端点并提供正确的服务。
现在我想迁移到Istio的mTLS。
在第一阶段,我让Istio绕过所有的GRPC连接,我的服务仍然可以正常工作。
在第二阶段,我想将TLS交给Istio处理,但我不知道如何将身份验证信息传递给GRPC?
在Istio的mTLS设置中,你是如何处理身份验证的?
GRPC可以支持其他身份验证机制。有人使用过这个机制将Istio的身份验证信息注入到GRPC中吗?你在设置中是如何实现的?如果有的话,还有其他建议吗?
我正在使用Go语言,如果这对提供其他额外信息有用的话。
谢谢!
英文:
I have bunch of GRPC microservices and they are using self signed certs. I add authentication info to the GRPC channel which is then used to identify endpoints and provide right services.
Now I want migrate to Istio mTLS.
In phase one, I got Istio to BYPASS all GRPC connections and my services works as it is now.
In Phase two, I want to hand off TLS to Istio, but I am stuck on how to pass the authentication information to GRPC?
How do you handle auth in Istio mTLS setup?
GRPC can support other authentication mechanisms Has anyone used this to inject Istio auth info to GRPC? any other suggestions on how you implemented this in your setup
I am using go-lang just in case if this can be useful to provide any additional information.
Thanks
答案1
得分: 3
一种方法是使用grpc.WithInsecure()
,这样您就不需要为您的服务添加证书,因为您的Pod中的istio-proxy
容器将终止任何传入的连接。
客户端代码:
conn, _ := grpc.Dial("localhost:50051", grpc.WithInsecure())
服务器端代码:
s := grpc.NewServer()
lis, _ := net.Listen("tcp", "localhost:50051")
// 省略错误处理
s.Serve(lis)
如果您仍然需要在本地部署等情况下使用TLS,您可以使用配置选项来指定,例如:
var conn *grpc.ClientConn
var err error
// 省略错误处理,请不要直接复制粘贴
if (config.IstioEnabled) {
conn, err = grpc.Dial("localhost:50051", grpc.WithInsecure())
} else {
creds, _ := credentials.NewClientTLSFromFile(certFile, "")
conn, err = grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
}
参考链接。
英文:
One way of doing this is using grpc.WithInsecure()
, this way you don't have to add certificates to your services, since istio-proxy
containers in your pods will TLS terminate any incoming connections.
Client side:
conn, _ := grpc.Dial("localhost:50051", grpc.WithInsecure())
Server side:
s := grpc.NewServer()
lis, _ := net.Listen("tcp", "localhost:50051")
// error handling omitted
s.Serve(lis)
If you still need to use TLS for on-prem deployments, etc. you can simply use a configuration option to specify this such as:
var conn *grpc.ClientConn
var err error
// error handling omitted do not copy paste
if ( config.IstioEnabled ) {
conn, err = grpc.Dial("localhost:50051", grpc.WithInsecure())
} else {
creds, _ := credentials.NewClientTLSFromFile(certFile, "")
conn, err = grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
}
答案2
得分: 0
我通过为我的请求生成JWT令牌,并使用拦截器注入令牌来解决了这个问题。从GRPC interceptor for authorization with jwt中获得了灵感。
英文:
I resolved this by generating JWT token for my requests, and injected the token using an Interceptor. Took inspiration from GRPC interceptor for authorization with jwt
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论