Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to configure and use tls with grpc traffic #2358

Closed
wants to merge 1 commit into from
Closed

Add ability to configure and use tls with grpc traffic #2358

wants to merge 1 commit into from

Conversation

jmccann
Copy link

@jmccann jmccann commented Feb 28, 2018

This PR is to add ability to encrypt GRPC traffic. I also split the grpc setup code to a grpc.go file for each the server and agent. If you prefer not to have that done I can work to undo it.

At a minimum the following is required to be configured:

Server

  • DRONE_GRPC_CERT_FILE
  • DRONE_GRPC_KEY_FILE

Agent

  • DRONE_GRPC_TLS_ENABLE

This code can also be used to configure another layer of authentication using server/client cert/key verification. The following additional options are also provided to help facilitate that.

Server

  • DRONE_GRPC_CA_FILE
  • DRONE_GRPC_VERIFY_MODE

Agent

  • DRONE_GRPC_CERT_FILE
  • DRONE_GRPC_KEY_FILE
  • DRONE_GRPC_CA_FILE

Finally, on the agent you can also specify DRONE_GRPC_SERVERNAME to override the hostname to use to match the certificate on the server. This is primarily for testing purposes.

I have done some manual testing of this with a private drone instance built from source.

@jmccann
Copy link
Author

jmccann commented Feb 28, 2018

Some logs from my manual tests:

server

...
drone-server    | [GIN-debug] GET    /version                  --> github.com/drone/drone/server.Version (12 handlers)
drone-server    | [GIN-debug] GET    /healthz                  --> github.com/drone/drone/server.Health (12 handlers)
drone-server    | time="2018-02-28T16:20:06Z" level=debug msg="grpc: Configuring TLS" 
drone-server    | time="2018-02-28T16:20:06Z" level=debug msg="agent connected: 434cc4feecbe: polling" 
drone-server    | time="2018-02-28T16:20:06Z" level=debug msg="agent connected: 434cc4feecbe: polling" 
drone-server    | time="2018-02-28T16:20:07Z" level=debug msg="user feed: connection opened"

agent

drone-agent     | {"time":"2018-02-28T16:20:06Z","level":"debug","message":"grpc: Configuring TLS"}
drone-agent     | {"time":"2018-02-28T16:20:06Z","level":"debug","message":"request next execution"}
drone-agent     | {"time":"2018-02-28T16:20:06Z","level":"debug","message":"request next execution"}

jmccann
jmccann commented Feb 28, 2018
View reviewed changes
cmd/drone-server/server.go
if err != nil {
logrus.Error(err)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed this from Error to Fatal as if invalid tls config was provided the server would start and hang and not return the error from TLS.

I think this is because of the errorgroup setup. The grpc server and http servers are started in g.Go calls then later g.Wait() is called. If the TLS config wants to return an error but g.Wait() is waiting for http server to finish which it never does. So this change forces Drone to fail and returns any TLS config errors encountered.

@moosh3
Copy link

moosh3 commented Mar 19, 2018

\o/ this was exactly what I've been looking for. Drone is so goofy with the whole jsonrpc2 calls. Thanks for this.

@moosh3 moosh3 mentioned this pull request Mar 19, 2018
Closed
@bradrydzewski
Copy link

bradrydzewski commented Mar 19, 2018
edited
Loading

Drone is so goofy with the whole jsonrpc2 calls. Thanks for this.

FYI, drone no longer uses jsonrpc2. It has used grpc as the transport protocol for a while now. This pull requests adds tls to the existing grpc implementation.

@strk
Copy link

strk commented Jul 18, 2018

@bradrydzewski without this PR we cannot upgrade Drone to avoid sending possibly sensitive information on the wire unencrypted, any reason not to accept it, beside the conflict ?

@tboerger
Copy link

It's not merged because 0.9 will get lots of improvements.

@strk
Copy link

strk commented Jul 19, 2018 via email

@pyry
Copy link

pyry commented Sep 6, 2018

@bradrydzewski Any updates when this might be introduced to drone? Securing communications between agents and server is a quite must for us for few use cases.

@bradrydzewski
Copy link

bradrydzewski commented Sep 6, 2018
edited
Loading

@pyry the next drone release removes support for GRPC in favor of plain old REST. This means agent-to-server communication will be encrypted as long as you have SSL enabled for your regular Drone http traffic. The next version should land in a few weeks.

@strk
Copy link

strk commented Sep 6, 2018 via email

@tboerger
Copy link

tboerger commented Sep 6, 2018
edited
Loading

Great news! Will it be feasible/easy to upgrade
from 0.5 to such a new release ?

The pipeline schema will entirely change, but at least it will be versioned than.

@jmccann
Copy link
Author

jmccann commented Sep 7, 2018

Closing this issue since GRPC goes away with 0.9

@jmccann jmccann closed this Sep 7, 2018
@jmccann jmccann mentioned this pull request Sep 29, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@jmccann @moosh3 @bradrydzewski @strk @tboerger @pyry