forked from twitter/pelikan
feat: add tls termination support to proxy (twitter#428)
Adds TLS support to proxy. Currently this is implemented by terminating TLS at the proxy and using plaintext to the backends.
Showing
9 changed files
with
498 additions
and
76 deletions.
@@ -0,0 +1,18 @@ | ||
name: 'Configure and Run Smallstep CA' | ||
description: 'Configure and Run Smallstep CA' | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Configure and run | ||
run: | | ||
curl -O -L https://dl.step.sm/gh-release/cli/docs-ca-install/v0.19.0/step-cli_0.19.0_amd64.deb | ||
sudo dpkg -i step-cli_0.19.0_amd64.deb | ||
curl -O -L https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.19.0/step-ca_0.19.0_amd64.deb | ||
sudo dpkg -i step-ca_0.19.0_amd64.deb | ||
mkdir ${HOME}/.step | ||
echo password > ${HOME}/.step/password | ||
step ca init --deployment-type=standalone --name=127.0.0.1 --dns=127.0.0.1 --address=127.0.0.1:443 --provisioner=ci@github.com --password-file=${HOME}/.step/password | ||
sudo step-ca --password-file=${HOME}/.step/password ${HOME}/.step/config/ca.json & | ||
sleep 10 | ||
step ca root --ca-url=127.0.0.1:443 root.crt | ||
shell: bash |
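Review bot: The two installer downloads at lines 27–30 are installed with `sudo dpkg -i` without any integrity check, so the step runs as root whatever the download endpoint happens to serve for that URL. The package version is already pinned to 0.19.0, so the digests can be pinned too: after each download add `echo "<EXPECTED_SHA256>  step-cli_0.19.0_amd64.deb" | sha256sum -c -` (and the same for the `step-ca` package), taking the digests from the release's published checksums. Using `curl -fsSLO` instead of `curl -O -L` also makes an HTTP error fail the step instead of saving an error body under the `.deb` name for `dpkg` to choke on later. The fixed `sleep 10` before `step ca root` is a timing guess; polling `step ca health --ca-url=127.0.0.1:443` until it succeeds would fail fast and not flake on a slow runner.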
@@ -0,0 +1,44 @@ | ||
name: 'Configure and run pingproxy' | ||
description: 'Configures and runs the pingproxy' | ||
inputs: | ||
tls: | ||
description: 'Enable TLS' | ||
required: false | ||
default: false | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Configure | ||
run: echo "$BASE_CONFIG" >> proxy.toml | ||
env: | ||
BASE_CONFIG: | | ||
[admin] | ||
port = "9997" | ||
[backend] | ||
endpoints = ["127.0.0.1:12321"] | ||
shell: bash | ||
- name: Generate TLS Key/Cert | ||
run: | | ||
if ${{ inputs.tls }}; then | ||
step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost proxy.crt proxy.key | ||
fi | ||
shell: bash | ||
- name: Configure TLS | ||
run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> proxy.toml; fi | ||
env: | ||
TLS_CONFIG: | | ||
[tls] | ||
certificate_chain = "root.crt" | ||
certificate = "proxy.crt" | ||
private_key = "proxy.key" | ||
shell: bash | ||
- name: Build pingproxy | ||
run: | | ||
cd pelikan && cargo build --release --bin pelikan_pingproxy_rs | ||
shell: bash | ||
- name: Run pingproxy | ||
run: | | ||
./pelikan/target/release/pelikan_pingproxy_rs proxy.toml & | ||
sleep 10 | ||
shell: bash |
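Review bot: `if ${{ inputs.tls }}; then` at line 64 (and again at line 69) expands the action input straight into the script and executes it as a shell command, so it only works because the value is the literal `true` or `false`; any other value — a typo like `yes`, or an empty string — is run as a command or breaks the `if`. Treat the input as data instead: add `env: TLS: ${{ inputs.tls }}` to the step and test `if [ "$TLS" = "true" ]; then`. The same pattern is in the "Generate TLS Key/Cert" and "Configure TLS" steps of the pingserver and rpc-perf actions in this commit. The input's `default: false` at line 49 is a YAML boolean where action inputs are strings; `default: 'false'` states what is meant and matches the quoted `'12321'` default used in the rpc-perf action.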
@@ -0,0 +1,50 @@ | ||
name: 'Configure and run pingserver' | ||
description: 'Configures and runs the pingserver' | ||
env: | ||
BASE_CONFIG: | | ||
[admin] | ||
port = "9999" | ||
TLS_CONFIG: | | ||
[tls] | ||
certificate_chain = "root.crt" | ||
certificate = "server.crt" | ||
private_key = "server.key" | ||
inputs: | ||
tls: | ||
description: 'Enable TLS' | ||
required: false | ||
default: false | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Configure | ||
run: echo "$BASE_CONFIG" >> server.toml | ||
env: | ||
BASE_CONFIG: | | ||
[admin] | ||
port = "9999" | ||
shell: bash | ||
- name: Generate TLS Key/Cert | ||
run: | | ||
if ${{ inputs.tls }}; then | ||
step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost server.crt server.key | ||
fi | ||
shell: bash | ||
- name: Configure TLS | ||
run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> server.toml; fi | ||
env: | ||
TLS_CONFIG: | | ||
[tls] | ||
certificate_chain = "root.crt" | ||
certificate = "server.crt" | ||
private_key = "server.key" | ||
shell: bash | ||
- name: Build pingserver | ||
run: | | ||
cd pelikan && cargo build --release --bin pelikan_pingserver_rs | ||
shell: bash | ||
- name: Run pingserver | ||
run: | | ||
./pelikan/target/release/pelikan_pingserver_rs server.toml & | ||
sleep 10 | ||
shell: bash |
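Review bot: The top-level `env:` block at lines 93–101 is not a key the composite action metadata schema defines as far as I can tell, and the same `BASE_CONFIG` and `TLS_CONFIG` values are redeclared per step at lines 112–115 and 125–130, so the top-level copy is dead configuration that will drift from the one actually used. Drop lines 93–101 and keep the step-level `env:` entries, which is also how the pingproxy action in this commit is written. If it is kept for some reason, a comment such as `# NOTE: unused — the step-level env below is what the steps read` would stop the next reader from editing the wrong copy.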
@@ -0,0 +1,91 @@ | ||
name: 'Run rpc-perf' | ||
description: 'Builds, configures, and runs rpc-perf' | ||
inputs: | ||
port: | ||
description: 'Port number for endpoint' | ||
required: true | ||
default: '12321' | ||
protocol: | ||
description: 'Name of the protocol' | ||
required: true | ||
default: 'memcache' | ||
tls: | ||
description: 'Enable TLS connections to endpoint' | ||
required: false | ||
default: false | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Checkout rpc-perf | ||
uses: actions/checkout@v2 | ||
with: | ||
repository: twitter/rpc-perf | ||
path: rpc-perf | ||
- name: Build Cache for rpc-perf | ||
uses: Swatinem/rust-cache@v1 | ||
with: | ||
key: rpc-perf | ||
working-directory: rpc-perf | ||
- name: Build rpc-perf | ||
run: cd rpc-perf && cargo build --release | ||
shell: bash | ||
- name: Configure | ||
run: echo "$BASE_CONFIG" >> client.toml | ||
env: | ||
BASE_CONFIG: | | ||
[general] | ||
protocol = "${{ inputs.protocol }}" | ||
threads = 1 | ||
[target] | ||
endpoints = ["127.0.0.1:${{ inputs.port }}"] | ||
[connection] | ||
poolsize = 20 | ||
[request] | ||
ratelimit = 1000 | ||
shell: bash | ||
- name: Generate TLS Key/Cert | ||
run: | | ||
if ${{ inputs.tls }}; then | ||
step ca certificate --san=127.0.0.1 --ca-url=127.0.0.1:443 --provisioner-password-file=${HOME}/.step/password localhost client.crt client.key | ||
fi | ||
shell: bash | ||
- name: Configure Workload | ||
run: | | ||
if [ ${{ inputs.protocol }} == "memcache" ]; then | ||
echo "$MEMCACHE_WORKLOAD" >> client.toml | ||
elif [ ${{ inputs.protocol }} == "ping" ]; then | ||
echo "$PING_WORKLOAD" >> client.toml | ||
fi | ||
env: | ||
MEMCACHE_WORKLOAD: | | ||
[[keyspace]] | ||
commands = [ | ||
{ verb = "get", weight = 8 }, | ||
{ verb = "set", weight = 2 } | ||
] | ||
length = 3 | ||
values = [ | ||
{ length = 16 } | ||
] | ||
PING_WORKLOAD: | | ||
[[keyspace]] | ||
commands = [ | ||
{ verb = "ping", weight = 1 }, | ||
] | ||
shell: bash | ||
- name: Configure TLS | ||
run: if ${{ inputs.tls }}; then echo "$TLS_CONFIG" >> client.toml; fi | ||
env: | ||
TLS_CONFIG: | | ||
[tls] | ||
verify = false | ||
certificate_chain = "root.crt" | ||
certificate = "client.crt" | ||
private_key = "client.key" | ||
shell: bash | ||
- name: Run rpc-perf | ||
run: rpc-perf/target/release/rpc-perf client.toml | ||
shell: bash |
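Review bot: `verify = false` at line 226 turns off server certificate verification in the client even though the CA root is supplied right below it as `certificate_chain = "root.crt"`, so the TLS run accepts whatever certificate the proxy presents and would not catch a chain or SAN misconfiguration in the termination this commit adds. The proxy certificate is issued with `--san=127.0.0.1` and the endpoint is `127.0.0.1`, so `verify = true` should validate cleanly against `root.crt` — assuming that is how rpc-perf's `[tls]` section interprets the key, which I can't confirm from this hunk. Separately, the comparisons at lines 199 and 201 expand the input unquoted, so `[ ${{ inputs.protocol }} == "memcache" ]` is a shell syntax error when the value is empty; quote them as `if [ "${{ inputs.protocol }}" == "memcache" ]; then`. The checkout at lines 165–168 has no `ref:`, so the benchmark builds whatever `twitter/rpc-perf`'s default branch is at run time; pinning a `ref:` would make results reproducible across runs.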