new(userspace/falco): config certificates for the gRPC server
Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
committed by
Leo Di Donato
parent
f7c19517de
commit
c96f096821
@@ -172,9 +172,9 @@ grpc:
|
||||
enabled: false
|
||||
bind_address: "0.0.0.0:5060"
|
||||
threadiness: 8
|
||||
private_key: ""
|
||||
cert_chain: ""
|
||||
root_certs: ""
|
||||
private_key: "/etc/falco/certs/server.key"
|
||||
cert_chain: "/etc/falco/certs/server.crt"
|
||||
root_certs: "/etc/falco/certs/ca.crt"
|
||||
|
||||
grpc_output:
|
||||
enabled: true
|
||||
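Review bot: The three new default paths under `grpc:` come with no comment saying that all three files must exist and be readable by the falco process once `enabled` is set to true, nor what `root_certs` is for as opposed to the server's own `cert_chain`. A line above `private_key:` such as `# TLS material for the gRPC server; all three files must be readable when enabled is true` would save operators a failed start. The credential options that consume `root_certs` are outside the hunks shown here, so I would also spell out what it does for connecting clients once that wiring is settled.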
@@ -152,9 +152,9 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
|
||||
m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
|
||||
m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 8); // todo > limit it to avoid overshubscription? std::thread::hardware_concurrency()
|
||||
// todo(fntlnz,leodido) > chose correct paths
|
||||
m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "");
|
||||
m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "");
|
||||
m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "");
|
||||
m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "/etc/falco/certs/server.key");
|
||||
m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
|
||||
m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");
|
||||
|
||||
falco_outputs::output_config grpc_output;
|
||||
grpc_output.name = "grpc";
|
||||
|
||||
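Review bot: The `// todo(fntlnz,leodido) > chose correct paths` comment is kept although this hunk is exactly the change that chooses the paths, so it now reads as stale; drop it or replace it with what the defaults mean, e.g. `// TLS material for the gRPC server; the files are only read when the server starts`. The hunk also leaves the three paths unvalidated at configuration time, so an empty string or a missing file is presumably only noticed later when the server reads them; a cheap check here (non-empty, readable) would report the bad value next to the option name. falco_configuration::init starts outside the hunk.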
@@ -1177,7 +1177,7 @@ int falco_init(int argc, char **argv)
|
||||
{
|
||||
// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
|
||||
// different queuing mechanisms, round robin, fanout? What we want to achieve?
|
||||
grpc_server.init(config.m_grpc_bind_address, config.m_grpc_threadiness);
|
||||
grpc_server.init(config.m_grpc_bind_address, config.m_grpc_threadiness, config.m_grpc_private_key, config.m_grpc_cert_chain, config.m_grpc_root_certs);
|
||||
grpc_server_thread = std::thread([&grpc_server] {
|
||||
grpc_server.run();
|
||||
});
|
||||
|
||||
@@ -188,10 +188,13 @@ void read(const std::string& filename, std::string& data)
|
||||
return;
|
||||
}
|
||||
|
||||
void falco_grpc_server::init(std::string server_addr, int threadiness)
|
||||
void falco_grpc_server::init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs)
|
||||
{
|
||||
m_server_addr = server_addr;
|
||||
m_threadiness = threadiness;
|
||||
m_private_key = private_key;
|
||||
m_cert_chain = cert_chain;
|
||||
m_root_certs = root_certs;
|
||||
}
|
||||
|
||||
void falco_grpc_server::run()
|
||||
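Review bot: The new `init()` signature takes `private_key`, `cert_chain` and `root_certs` by value and then copy-assigns them into the members, so each string is copied twice per call; as by-value sink parameters they should be moved in, `m_private_key = std::move(private_key);` and likewise for the other two. The new constructor in the `grpc_server.h` hunk (`m_private_key(private_key), m_cert_chain(cert_chain), m_root_certs(root_certs)`) has the same shape and would take `std::move` in its initializer list. Whether `<utility>` is already in scope is not visible from the hunk.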
@@ -200,9 +203,9 @@ void falco_grpc_server::run()
|
||||
string cert_chain;
|
||||
string root_certs;
|
||||
|
||||
read("/tmp/server.crt", cert_chain);
|
||||
read("/tmp/server.key", private_key);
|
||||
read("/tmp/ca.crt", root_certs);
|
||||
read(m_cert_chain, cert_chain);
|
||||
read(m_private_key, private_key);
|
||||
read(m_root_certs, root_certs);
|
||||
|
||||
grpc::SslServerCredentialsOptions::PemKeyCertPair cert_pair{private_key, cert_chain};
|
||||
|
||||
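Review bot: The three `read(m_..., ...)` calls on the new lines feed straight into `PemKeyCertPair cert_pair{private_key, cert_chain}` with no check that anything was actually read; `read()` has at least one early `return;` (visible at the top of the previous hunk) and its failure signalling is not shown here, so a missing or unreadable key or certificate file would presumably leave empty strings that are rejected, if at all, deeper in gRPC with a message that does not name the file. I would check right after the reads and bail out before the credentials are built, e.g. `if (private_key.empty() || cert_chain.empty() || root_certs.empty()) { /* report m_private_key, m_cert_chain, m_root_certs and return */ }`. Note that `run()` is executed on its own `std::thread` from falco.cpp, so throwing here would terminate the process unless that lambda catches it; a logged error and an early return is the safer shape. The rest of `run()`, including how `root_certs` is wired into the credential options, is outside the hunk.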
@@ -266,10 +269,3 @@ void falco_grpc_server::stop()
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
bool start_grpc_server(std::string server_address, int threadiness)
|
||||
{
|
||||
falco_grpc_server srv(server_address, threadiness);
|
||||
srv.run();
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -31,14 +31,17 @@ public:
|
||||
falco_grpc_server()
|
||||
{
|
||||
}
|
||||
falco_grpc_server(std::string server_addr, int threadiness):
|
||||
falco_grpc_server(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs):
|
||||
m_server_addr(server_addr),
|
||||
m_threadiness(threadiness)
|
||||
m_threadiness(threadiness),
|
||||
m_private_key(private_key),
|
||||
m_cert_chain(cert_chain),
|
||||
m_root_certs(root_certs)
|
||||
{
|
||||
}
|
||||
virtual ~falco_grpc_server() = default;
|
||||
|
||||
void init(std::string server_addr, int threadiness);
|
||||
void init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs);
|
||||
void thread_process(int thread_index);
|
||||
void run();
|
||||
void stop();
|
||||
@@ -47,14 +50,16 @@ public:
|
||||
std::unique_ptr<grpc::ServerCompletionQueue> m_completion_queue;
|
||||
|
||||
private:
|
||||
std::unique_ptr<grpc::Server> m_server;
|
||||
std::string m_server_addr;
|
||||
int m_threadiness = 0;
|
||||
int m_threadiness;
|
||||
std::string m_private_key;
|
||||
std::string m_cert_chain;
|
||||
std::string m_root_certs;
|
||||
|
||||
std::unique_ptr<grpc::Server> m_server;
|
||||
std::vector<std::thread> m_threads;
|
||||
};
|
||||
|
||||
bool start_grpc_server(std::string server_address, int threadiness);
|
||||
|
||||
class request_context_base
|
||||
{
|
||||
public:
|
||||
|
||||
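Review bot: Replacing `int m_threadiness = 0;` with `int m_threadiness;` (if I read the old/new order correctly) removes the only initialization the default constructor provides, since `falco_grpc_server() {}` in the previous hunk sets nothing; a default-constructed server whose `run()` is reached before `init()` would read an indeterminate thread count. Keep the in-class initializer, `int m_threadiness = 0;` — the new `std::string` members are fine as they are, since they value-initialize. falco.cpp default-constructs the server and calls `init()` first, so nothing is broken today, but the initializer is what makes that ordering safe rather than required. The `class falco_grpc_server` header starts outside the hunk.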