initial POC for grpc tls

celestiaorg · Nov 5, 2024 · 457c1c5 · 457c1c5
1 parent ace6840
commit 457c1c5
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 28 deletions.
diff --git a/nodebuilder/core/config.go b/nodebuilder/core/config.go
@@ -16,9 +16,10 @@ var MetricsEnabled bool
 
 // Config combines all configuration fields for managing the relationship with a Core node.
 type Config struct {
-	IP       string
-	RPCPort  string
-	GRPCPort string
+	IP        string
+	RPCPort   string
+	GRPCPort  string
+	EnableTLS bool
 }
 
 // DefaultConfig returns default configuration for managing the

diff --git a/nodebuilder/state/core.go b/nodebuilder/state/core.go
@@ -30,8 +30,7 @@ func coreAccessor(
 	*modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader],
 	error,
 ) {
-	ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort,
-		network.String(), opts...)
+	ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort, corecfg.EnableTLS, network.String(), opts...)
 
 	sBreaker := &modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader]{
 		Service:   ca,

diff --git a/state/core_access.go b/state/core_access.go
@@ -2,11 +2,18 @@ package state
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"sync"
 	"time"
 
+	"github.com/celestiaorg/celestia-app/v3/app"
+	"github.com/celestiaorg/celestia-app/v3/app/encoding"
+	apperrors "github.com/celestiaorg/celestia-app/v3/app/errors"
+	"github.com/celestiaorg/celestia-app/v3/pkg/user"
+	libhead "github.com/celestiaorg/go-header"
+	libshare "github.com/celestiaorg/go-square/v2/share"
 	nodeservice "github.com/cosmos/cosmos-sdk/client/grpc/node"
 	"github.com/cosmos/cosmos-sdk/client/grpc/tmservice"
 	"github.com/cosmos/cosmos-sdk/crypto/keyring"
@@ -20,15 +27,9 @@ import (
 	"github.com/tendermint/tendermint/proto/tendermint/crypto"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
-	"github.com/celestiaorg/celestia-app/v3/app"
-	"github.com/celestiaorg/celestia-app/v3/app/encoding"
-	apperrors "github.com/celestiaorg/celestia-app/v3/app/errors"
-	"github.com/celestiaorg/celestia-app/v3/pkg/user"
-	libhead "github.com/celestiaorg/go-header"
-	libshare "github.com/celestiaorg/go-square/v2/share"
-
 	"github.com/celestiaorg/celestia-node/header"
 )
 
@@ -67,10 +68,11 @@ type CoreAccessor struct {
 
 	prt *merkle.ProofRuntime
 
-	coreConn *grpc.ClientConn
-	coreIP   string
-	grpcPort string
-	network  string
+	coreConn  *grpc.ClientConn
+	coreIP    string
+	grpcPort  string
+	enableTLS bool
+	network   string
 
 	// these fields are mutatable and thus need to be protected by a mutex
 	lock            sync.Mutex
@@ -86,15 +88,7 @@ type CoreAccessor struct {
 // NewCoreAccessor dials the given celestia-core endpoint and
 // constructs and returns a new CoreAccessor (state service) with the active
 // connection.
-func NewCoreAccessor(
-	keyring keyring.Keyring,
-	keyname string,
-	getter libhead.Head[*header.ExtendedHeader],
-	coreIP,
-	grpcPort string,
-	network string,
-	options ...Option,
-) (*CoreAccessor, error) {
+func NewCoreAccessor(keyring keyring.Keyring, keyname string, getter libhead.Head[*header.ExtendedHeader], coreIP, grpcPort string, enableTLS bool, network string, options ...Option) (*CoreAccessor, error) {
 	// create verifier
 	prt := merkle.DefaultProofRuntime()
 	prt.RegisterOpDecoder(storetypes.ProofOpIAVLCommitment, storetypes.CommitmentOpDecoder)
@@ -106,6 +100,7 @@ func NewCoreAccessor(
 		getter:               getter,
 		coreIP:               coreIP,
 		grpcPort:             grpcPort,
+		enableTLS:            enableTLS,
 		prt:                  prt,
 		network:              network,
 	}
@@ -124,9 +119,15 @@ func (ca *CoreAccessor) Start(ctx context.Context) error {
 
 	// dial given celestia-core endpoint
 	endpoint := fmt.Sprintf("%s:%s", ca.coreIP, ca.grpcPort)
+	grpcOpts := make([]grpc.DialOption, 0)
+	if ca.enableTLS {
+		grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
+	} else {
+		grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
 	client, err := grpc.NewClient(
 		endpoint,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcOpts...,
 	)
 	if err != nil {
 		return err

diff --git a/state/core_access_test.go b/state/core_access_test.go
@@ -264,7 +264,7 @@ func buildAccessor(t *testing.T) (*CoreAccessor, []string) {
 		WithAppCreator(appCreator) // needed until https://github.com/celestiaorg/celestia-app/pull/3680 merges
 	cctx, _, grpcAddr := testnode.NewNetwork(t, config)
 
-	ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), chainID)
+	ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), false, chainID)
 	require.NoError(t, err)
 	return ca, getNames(accounts)
 }

diff --git a/state/integration_test.go b/state/integration_test.go
@@ -52,7 +52,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	s.Require().Greater(len(s.accounts), 0)
 	accountName := s.accounts[0].Name
 
-	accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", "")
+	accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", false, "")
 	require.NoError(s.T(), err)
 	setClients(accessor, s.cctx.GRPCClient)
 	s.accessor = accessor