Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

initial POC for grpc tls #3917

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

initial POC for grpc tls #3917

wants to merge 1 commit into from

Conversation

jhawk28
Copy link

@jhawk28 jhawk28 commented Nov 5, 2024

Initial concept for gRPC tls support

@github-actions github-actions bot added the external Issues created by non node team members label Nov 5, 2024
@a26nine
Copy link

a26nine commented Nov 5, 2024

I was able to sync a light node with:

[Core]
  IP = "xxx.celestia-mainnet.quiknode.pro"
  RPCPort = "443"
  GRPCPort = "9090"
  EnableTLS = true

using this build.

@codecov-commenter
Copy link

codecov-commenter commented Nov 5, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 57.89474% with 8 lines in your changes missing coverage. Please review.

Project coverage is 45.42%. Comparing base (2469e7a) to head (d187ddd).
Report is 376 commits behind head on main.

Files with missing lines Patch % Lines
nodebuilder/core/flags.go 55.55% 3 Missing and 1 partial ⚠️
state/core_access.go 66.66% 1 Missing and 2 partials ⚠️
nodebuilder/state/core.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3917      +/-   ##
==========================================
+ Coverage   44.83%   45.42%   +0.58%     
==========================================
  Files         265      307      +42     
  Lines       14620    21849    +7229     
==========================================
+ Hits         6555     9924    +3369     
- Misses       7313    10855    +3542     
- Partials      752     1070     +318

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

vgonkivs
vgonkivs requested changes Nov 5, 2024
View reviewed changes
state/core_access.go
@@ -124,9 +119,15 @@ func (ca *CoreAccessor) Start(ctx context.Context) error {

// dial given celestia-core endpoint
endpoint := fmt.Sprintf("%s:%s", ca.coreIP, ca.grpcPort)
grpcOpts := make([]grpc.DialOption, 0)
if ca.enableTLS {
grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without specifying valid certificates in the tls.Config object will not secure gRPC connection. By default, an empty tls.Config{} means that no certificate or private key is provided, which leads to an insecure setup.

Node already has TLS certificates handling logic here for web socket, so you can reuse the certificate for the grpc connection.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a proof of concept to get the Light node working against a Quicknode celestia endpoint. QN doesn't support client certs. gRPC auth for a QN endpoint occurs over the x-token header

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more point here is the solution is not generic. You may not support the certificates but if someone does, the connection won't be established. Also, it is recommended to manually specify the MinTLSVersion(linter confirmed it)

nodebuilder/core/config.go
IP string
RPCPort string
GRPCPort string
EnableTLS bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's avoid growing the node's config. We have an env variable that signals that TLS should be enabled.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just wanted to create a POC. My recommended approach would be to have a RPC url and gRPC url.

@vgonkivs vgonkivs mentioned this pull request Nov 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vgonkivs vgonkivs vgonkivs requested changes

@renaynay renaynay Awaiting requested review from renaynay renaynay will be requested when the pull request is marked ready for review renaynay is a code owner

@Wondertan Wondertan Awaiting requested review from Wondertan Wondertan will be requested when the pull request is marked ready for review Wondertan is a code owner

@walldiss walldiss Awaiting requested review from walldiss walldiss will be requested when the pull request is marked ready for review walldiss is a code owner

@cristaloleg cristaloleg Awaiting requested review from cristaloleg cristaloleg will be requested when the pull request is marked ready for review cristaloleg is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
external Issues created by non node team members
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jhawk28 @a26nine @codecov-commenter @vgonkivs