longhorn / longhorn

Cloud-Native distributed storage built on and for Kubernetes
https://longhorn.io
Apache License 2.0

[IMPROVEMENT] Support mTLS encrypted communication for remaining gRPC services in instance manager #7787

Open innobead opened 7 months ago

innobead commented 7 months ago

Is your improvement request related to a feature? Please describe (👍 if you like this request)

IM has supported TLS-based encrypted connections since Longhorn 1.3, but it was unexpectedly broken following the introduction of a Proxy at the same time. This issue will be resolved at https://github.com/longhorn/longhorn/issues/7040.

Nevertheless, certain services have not yet implemented the mTLS mechanism, including disk, ~deprecated process manager~, and the SPDK service. This improvement is to support mTLS for the remaining services in the instance manager.

/app/cmd/start.go#L228-L279


    // Start disk server
    diskGRPCServer, diskGRPCListener, err := setupDiskGRPCServer(ctx, addresses[types.DiskGrpcService], addresses[types.SpdkGrpcService], spdkEnabled)
    if err != nil {
        logrus.WithError(err).Errorf("Failed to setup %s", types.DiskGrpcService)
        return err
    }
    servers[types.DiskGrpcService] = diskGRPCServer
    listeners[types.DiskGrpcService] = diskGRPCListener

    // Start instance server
    instanceGRPCServer, instanceRPCListener, err := setupInstanceGRPCServer(ctx, logsDir,
        addresses[types.InstanceGrpcService], addresses[types.ProcessManagerGrpcService],
        addresses[types.SpdkGrpcService], tlsConfig, spdkEnabled)
    if err != nil {
        logrus.WithError(err).Errorf("Failed to set up %s", types.InstanceGrpcService)
        return err
    }
    servers[types.InstanceGrpcService] = instanceGRPCServer
    listeners[types.InstanceGrpcService] = instanceRPCListener

    // Start proxy server
    proxyGRPCServer, proxyGRPCListener, err := setupProxyGRPCServer(ctx, logsDir,
        addresses[types.ProxyGRPCService], addresses[types.DiskGrpcService], addresses[types.SpdkGrpcService], tlsConfig)
    if err != nil {
        logrus.WithError(err).Errorf("Failed to set up %s", types.ProxyGRPCService)
        return err
    }
    servers[types.ProxyGRPCService] = proxyGRPCServer
    listeners[types.ProxyGRPCService] = proxyGRPCListener

    // Start process-manager server
    pm, pmGRPCServer, pmGRPCListener, err := setupProcessManagerGRPCServer(ctx, processPortRange, logsDir, addresses[types.ProcessManagerGrpcService])
    if err != nil {
        logrus.WithError(err).Errorf("Failed to set up %s", types.ProcessManagerGrpcService)
        return err
    }
    servers[types.ProcessManagerGrpcService] = pmGRPCServer
    listeners[types.ProcessManagerGrpcService] = pmGRPCListener

    // Start spdk server
    if spdkEnabled {
        spdkGRPCServer, spdkGRPCListener, err := setupSPDKGRPCServer(ctx, spdkPortRange, addresses[types.SpdkGrpcService])
        if err != nil {
            logrus.WithError(err).Errorf("Failed to set up %s", types.SpdkGrpcService)
            return err
        }
        servers[types.SpdkGrpcService] = spdkGRPCServer
        listeners[types.SpdkGrpcService] = spdkGRPCListener
    }

    g, ctx := errgroup.WithContext(ctx)

Describe the solution you'd like

Describe alternatives you've considered

Additional context
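The security-relevant difference in the excerpt above is which servers receive tlsConfig: the instance and proxy servers do, while the disk, process-manager and SPDK servers are set up without it, so any pod that can reach those ports gets served without proving who it is. The following stand-alone Go program is an added example, not code from the Longhorn repository: it builds an in-memory PKI (the names longhorn-ca, instance-manager and longhorn-manager and the issueCert helper are hypothetical; Longhorn loads its certificates from a Secret), starts a listener with the server-side tls.Config an mTLS gRPC server needs, and shows that a peer with a CA-issued client certificate is served while a peer with none is refused. In a real gRPC server the same tls.Config is handed to grpc.NewServer via grpc.Creds(credentials.NewTLS(cfg)).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issueCert mints a short-lived cert signed by parent (self-signed root CA when parent is nil); hypothetical helper, Longhorn reads real certs from a Secret.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name}, // the identity the peer verifies and the server echoes in its greeting
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // root CA: marks itself as a CA and signs with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mtlsServerConfig is what every instance-manager gRPC server should be built with (wrapped by credentials.NewTLS): present our cert, require a CA-chained client cert.
func mtlsServerConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, caPool *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "m" in mTLS: no verified client cert, no service
		ClientCAs:    caPool,
	}
}

// connect dials with cfg and reads until the server closes; under TLS 1.3 a rejected client cert surfaces on this read, not on Dial.
func connect(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	b, err := io.ReadAll(conn)
	return string(b), err
}

// Demo runs an mTLS listener and connects twice: as a peer holding a CA-issued client cert, then with none.
func Demo() (authenticated string, noCertErr error, err error) {
	ca, caKey, e1 := issueCert("longhorn-ca", nil, nil)
	srvCert, srvKey, e2 := issueCert("instance-manager", ca, caKey)
	cliCert, cliKey, e3 := issueCert("longhorn-manager", ca, caKey)
	if err = errors.Join(e1, e2, e3); err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", mtlsServerConfig(srvCert, srvKey, pool))
	if err != nil {
		return
	}
	defer ln.Close()
	go func() { // stand-in for a gRPC server: greet only after a client-authenticated handshake
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil {
				tc.Write([]byte("ok:" + tc.ConnectionState().PeerCertificates[0].DNSNames[0]))
			}
			c.Close()
		}
	}()
	withCert := &tls.Config{RootCAs: pool, ServerName: "instance-manager", Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
	authenticated, err = connect(ln.Addr().String(), withCert)
	_, noCertErr = connect(ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "instance-manager"}) // trusts the CA, presents no identity
	return
}

func main() { fmt.Println(Demo()) }
```

A server started without a tlsConfig, as the disk, process-manager and SPDK servers are in the excerpt, behaves like ClientAuth set to tls.NoClientCert: the listener cannot tell longhorn-manager from any other workload on the node network, which is the gap this issue asks to close. Note also that under TLS 1.3 the client's Dial succeeds even when its certificate will be rejected; the refusal only shows up on the first read, so a client-side check that stops at a successful handshake proves nothing.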

innobead commented 7 months ago

cc @derekbit @c3y1huang @ejweber

derekbit commented 7 months ago

@innobead Can you elaborate more on deprecated processes?

innobead commented 7 months ago

It's process manager, but it is deprecated, so not required anymore.

derekbit commented 7 months ago

> Process gRPC is not required anymore.

I see. The connection to process manager gRPC is in the intranet of an instance-manager pod. We can remove the connection from longhorn-manager in v1.7.0+.