| 778 | // initialize secureGRPCServer. |
| 779 | func (s *Server) initSecureDiscoveryService(args *PilotArgs, trustDomain string) error { |
| 780 | if args.ServerOptions.SecureGRPCAddr == "" { |
| 781 | log.Info("The secure discovery port is disabled, multiplexing on httpAddr ") |
| 782 | return nil |
| 783 | } |
| 784 | |
| 785 | peerCertVerifier, err := s.createPeerCertVerifier(args.ServerOptions.TLSOptions, trustDomain) |
| 786 | if err != nil { |
| 787 | return err |
| 788 | } |
| 789 | if peerCertVerifier == nil { |
| 790 | // Running locally without configured certs - no TLS mode |
| 791 | log.Warnf("The secure discovery service is disabled") |
| 792 | return nil |
| 793 | } |
| 794 | log.Info("initializing secure discovery service") |
| 795 | |
| 796 | cfg := &tls.Config{ |
| 797 | GetCertificate: s.getIstiodCertificate, |
| 798 | ClientAuth: tls.VerifyClientCertIfGiven, |
| 799 | ClientCAs: peerCertVerifier.GetGeneralCertPool(), |
| 800 | VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { |
| 801 | err := peerCertVerifier.VerifyPeerCert(rawCerts, verifiedChains) |
| 802 | if err != nil { |
| 803 | log.Infof("Could not verify certificate: %v", err) |
| 804 | } |
| 805 | return err |
| 806 | }, |
| 807 | MinVersion: tls.VersionTLS12, |
| 808 | CipherSuites: args.ServerOptions.TLSOptions.CipherSuites, |
| 809 | } |
| 810 | if args.ServerOptions.TLSOptions.MinVersion != 0 { |
| 811 | cfg.MinVersion = args.ServerOptions.TLSOptions.MinVersion |
| 812 | } |
| 813 | // Compliance for xDS server TLS. |
| 814 | sec_model.EnforceGoCompliance(cfg) |
| 815 | |
| 816 | tlsCreds := credentials.NewTLS(cfg) |
| 817 | |
| 818 | s.secureGrpcAddress = args.ServerOptions.SecureGRPCAddr |
| 819 | |
| 820 | interceptors := []grpc.UnaryServerInterceptor{ |
| 821 | // setup server prometheus monitoring (as final interceptor in chain) |
| 822 | grpcprom.UnaryServerInterceptor, |
| 823 | } |
| 824 | opts := istiogrpc.ServerOptions(args.KeepaliveOptions, xdspkg.RecordRecvSize, interceptors...) |
| 825 | opts = append(opts, grpc.Creds(tlsCreds)) |
| 826 | |
| 827 | s.secureGrpcServer = grpc.NewServer(opts...) |
| 828 | s.XDSServer.Register(s.secureGrpcServer) |
| 829 | reflection.Register(s.secureGrpcServer) |
| 830 | |
| 831 | s.addStartFunc("secure gRPC", func(stop <-chan struct{}) error { |
| 832 | go func() { |
| 833 | <-stop |
| 834 | s.secureGrpcServer.Stop() |
| 835 | }() |
| 836 | return nil |