feat: add tls termination support to proxy (twitter#428)

Adds TLS support to proxy. Currently this is implemented by terminating TLS at the proxy and using plaintext to the backends.
brayniac · May 24, 2022 · 02a0678 · 02a0678
1 parent bdb8918
commit 02a0678
Show file tree

Hide file tree

Showing 9 changed files with 498 additions and 76 deletions.
diff --git a/.github/actions/ca/action.yml b/.github/actions/ca/action.yml
@@ -0,0 +1,18 @@
+name: 'Configure and Run Smallstep CA'
+description: 'Configure and Run Smallstep CA'
+runs:
+  using: "composite"
+  steps:
+    - name: Configure and run
+      run: |
+          curl -O -L https://dl.step.sm/gh-release/cli/docs-ca-install/v0.19.0/step-cli_0.19.0_amd64.deb
+          sudo dpkg -i step-cli_0.19.0_amd64.deb
+          curl -O -L https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.19.0/step-ca_0.19.0_amd64.deb
+          sudo dpkg -i step-ca_0.19.0_amd64.deb
+          mkdir ${HOME}/.step
+          echo password > ${HOME}/.step/password
+          step ca init --deployment-type=standalone --name=127.0.0.1 --dns=127.0.0.1 --address=127.0.0.1:443 --provisioner=ci@github.com --password-file=${HOME}/.step/password
+          sudo step-ca --password-file=${HOME}/.step/password ${HOME}/.step/config/ca.json &
+          sleep 10
+          step ca root --ca-url=127.0.0.1:443 root.crt
+      shell: bash
diff --git a/.github/actions/pingproxy/action.yml b/.github/actions/pingproxy/action.yml
@@ -0,0 +1,44 @@
+name: 'Configure and run pingproxy'
+description: 'Configures and runs the pingproxy'
+inputs:
+  tls:
+    description: 'Enable TLS'
+    required: false
+    default: false
+runs:
+  using: "composite"
+  steps:
+    - name: Configure
+      run: echo "$BASE_CONFIG" >> proxy.toml
+      env:
+        BASE_CONFIG: |
+          [admin]
+          port = "9997"
+
+          [backend]
+          endpoints = ["127.0.0.1:12321"]
+      shell: bash
+    - name: Generate TLS Key/Cert
+      run: |
+        if ${{ inputs.tls }}; then
+          step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost proxy.crt proxy.key
+        fi
+      shell: bash
+    - name: Configure TLS
+      run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> proxy.toml; fi
+      env:
+        TLS_CONFIG: |
+          [tls]
+          certificate_chain = "root.crt"
+          certificate = "proxy.crt"
+          private_key = "proxy.key"
+      shell: bash
+    - name: Build pingproxy
+      run: |
+        cd pelikan && cargo build --release --bin pelikan_pingproxy_rs
+      shell: bash
+    - name: Run pingproxy
+      run: |
+        ./pelikan/target/release/pelikan_pingproxy_rs proxy.toml &
+        sleep 10
+      shell: bash
diff --git a/.github/actions/pingserver/action.yml b/.github/actions/pingserver/action.yml
@@ -0,0 +1,50 @@
+name: 'Configure and run pingserver'
+description: 'Configures and runs the pingserver'
+env:
+  BASE_CONFIG: |
+    [admin]
+    port = "9999"
+  TLS_CONFIG: |
+    [tls]
+    certificate_chain = "root.crt"
+    certificate = "server.crt"
+    private_key = "server.key"
+inputs:
+  tls:
+    description: 'Enable TLS'
+    required: false
+    default: false
+runs:
+  using: "composite"
+  steps:
+    - name: Configure
+      run: echo "$BASE_CONFIG" >> server.toml
+      env:
+        BASE_CONFIG: |
+          [admin]
+          port = "9999"
+      shell: bash
+    - name: Generate TLS Key/Cert
+      run: |
+        if ${{ inputs.tls }}; then
+          step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost server.crt server.key
+        fi
+      shell: bash
+    - name: Configure TLS
+      run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> server.toml; fi
+      env:
+        TLS_CONFIG: |
+          [tls]
+          certificate_chain = "root.crt"
+          certificate = "server.crt"
+          private_key = "server.key"
+      shell: bash
+    - name: Build pingserver
+      run: |
+        cd pelikan && cargo build --release --bin pelikan_pingserver_rs
+      shell: bash
+    - name: Run pingserver
+      run: |
+        ./pelikan/target/release/pelikan_pingserver_rs server.toml &
+        sleep 10
+      shell: bash
diff --git a/.github/actions/rpc-perf/action.yml b/.github/actions/rpc-perf/action.yml
@@ -0,0 +1,91 @@
+name: 'Run rpc-perf'
+description: 'Builds, configures, and runs rpc-perf'
+inputs:
+  port:
+    description: 'Port number for endpoint'
+    required: true
+    default: '12321'
+  protocol:
+    description: 'Name of the protocol'
+    required: true
+    default: 'memcache'
+  tls:
+    description: 'Enable TLS connections to endpoint'
+    required: false
+    default: false
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout rpc-perf
+      uses: actions/checkout@v2
+      with:
+        repository: twitter/rpc-perf
+        path: rpc-perf
+    - name: Build Cache for rpc-perf
+      uses: Swatinem/rust-cache@v1
+      with:
+        key: rpc-perf
+        working-directory: rpc-perf
+    - name: Build rpc-perf
+      run: cd rpc-perf && cargo build --release
+      shell: bash
+    - name: Configure
+      run: echo "$BASE_CONFIG" >> client.toml
+      env:
+        BASE_CONFIG: |
+          [general]
+          protocol = "${{ inputs.protocol }}"
+          threads = 1
+
+          [target]
+          endpoints = ["127.0.0.1:${{ inputs.port }}"]
+
+          [connection]
+          poolsize = 20
+
+          [request]
+          ratelimit = 1000
+      shell: bash
+    - name: Generate TLS Key/Cert
+      run: |
+        if ${{ inputs.tls }}; then
+          step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost client.crt client.key
+        fi
+      shell: bash
+    - name: Configure Workload
+      run: |
+        if [ ${{ inputs.protocol }} == "memcache" ]; then
+        echo "$MEMCACHE_WORKLOAD" >> client.toml
+        elif [ ${{ inputs.protocol }} == "ping" ]; then
+        echo "$PING_WORKLOAD" >> client.toml
+        fi
+      env:
+          MEMCACHE_WORKLOAD: |
+            [[keyspace]]
+            commands = [
+              { verb = "get", weight = 8 },
+              { verb = "set", weight = 2 }
+            ]
+            length = 3
+            values = [
+              { length = 16 }
+            ]
+          PING_WORKLOAD: |
+            [[keyspace]]
+            commands = [
+              { verb = "ping", weight = 1 },
+            ]
+      shell: bash
+    - name: Configure TLS
+      run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> client.toml; fi
+      env:
+        TLS_CONFIG: |
+          [tls]
+          verify = false
+          certificate_chain = "root.crt"
+          certificate = "client.crt"
+          private_key = "client.key"
+      shell: bash
+    - name: Run rpc-perf
+      run: rpc-perf/target/release/rpc-perf client.toml
+      shell: bash
diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml
@@ -138,3 +138,109 @@ jobs:
         run: |
           cargo install cargo-audit
           cargo audit
+
+  smoketest-pingserver:
+    name: smoketest-pingserver
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: pelikan
+      - name: Build Cache for Pelikan
+        uses: Swatinem/rust-cache@v1
+        with:
+          key: pelikan
+          working-directory: pelikan
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - uses: ./pelikan/.github/actions/ca
+      - uses: ./pelikan/.github/actions/pingserver
+        with:
+          tls: false
+      - uses: ./pelikan/.github/actions/rpc-perf
+        with:
+          protocol: ping
+          port: 12321
+          tls: false
+
+  smoketest-pingserver-tls:
+    name: smoketest-pingserver-tls
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: pelikan
+      - name: Build Cache for Pelikan
+        uses: Swatinem/rust-cache@v1
+        with:
+          key: pelikan
+          working-directory: pelikan
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - uses: ./pelikan/.github/actions/ca
+      - uses: ./pelikan/.github/actions/pingserver
+        with:
+          tls: true
+      - uses: ./pelikan/.github/actions/rpc-perf
+        with:
+          protocol: ping
+          port: 12321
+          tls: true
+
+  smoketest-pingproxy:
+    name: smoketest-pingproxy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: pelikan
+      - name: Build Cache for Pelikan
+        uses: Swatinem/rust-cache@v1
+        with:
+          key: pelikan
+          working-directory: pelikan
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - uses: ./pelikan/.github/actions/ca
+      - uses: ./pelikan/.github/actions/pingserver
+        with:
+          tls: false
+      - uses: ./pelikan/.github/actions/pingproxy
+        with:
+          tls: false
+      - uses: ./pelikan/.github/actions/rpc-perf
+        with:
+          protocol: ping
+          port: 12322
+          tls: false
+
+  smoketest-pingproxy-tls-terminating:
+    name: smoketest-pingproxy-tls-terminating
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: pelikan
+      - name: Build Cache for Pelikan
+        uses: Swatinem/rust-cache@v1
+        with:
+          key: pelikan
+          working-directory: pelikan
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+      - uses: ./pelikan/.github/actions/ca
+      - uses: ./pelikan/.github/actions/pingserver
+        with:
+          tls: false
+      - uses: ./pelikan/.github/actions/pingproxy
+        with:
+          tls: true
+      - uses: ./pelikan/.github/actions/rpc-perf
+        with:
+          protocol: ping
+          port: 12322
+          tls: true