Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

initial POC for grpc tls #3917

Closed
wants to merge 1 commit into from
Closed

Conversation

jhawk28
Copy link

@jhawk28 jhawk28 commented Nov 5, 2024

Initial concept for gRPC tls support

@github-actions github-actions bot added the external Issues created by non node team members label Nov 5, 2024
@a26nine
Copy link

a26nine commented Nov 5, 2024

I was able to sync a light node with:

[Core]
  IP = "xxx.celestia-mainnet.quiknode.pro"
  RPCPort = "443"
  GRPCPort = "9090"
  EnableTLS = true

using this build.

@codecov-commenter
Copy link

codecov-commenter commented Nov 5, 2024

Codecov Report

Attention: Patch coverage is 57.89474% with 8 lines in your changes missing coverage. Please review.

Project coverage is 45.42%. Comparing base (2469e7a) to head (d187ddd).
Report is 376 commits behind head on main.

Files with missing lines Patch % Lines
nodebuilder/core/flags.go 55.55% 3 Missing and 1 partial ⚠️
state/core_access.go 66.66% 1 Missing and 2 partials ⚠️
nodebuilder/state/core.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3917      +/-   ##
==========================================
+ Coverage   44.83%   45.42%   +0.58%     
==========================================
  Files         265      307      +42     
  Lines       14620    21849    +7229     
==========================================
+ Hits         6555     9924    +3369     
- Misses       7313    10855    +3542     
- Partials      752     1070     +318     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@@ -124,9 +119,15 @@ func (ca *CoreAccessor) Start(ctx context.Context) error {

// dial given celestia-core endpoint
endpoint := fmt.Sprintf("%s:%s", ca.coreIP, ca.grpcPort)
grpcOpts := make([]grpc.DialOption, 0)
if ca.enableTLS {
grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without specifying valid certificates in the tls.Config object will not secure gRPC connection. By default, an empty tls.Config{} means that no certificate or private key is provided, which leads to an insecure setup.

Node already has TLS certificates handling logic here for web socket, so you can reuse the certificate for the grpc connection.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a proof of concept to get the Light node working against a Quicknode celestia endpoint. QN doesn't support client certs. gRPC auth for a QN endpoint occurs over the x-token header

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more point here is the solution is not generic. You may not support the certificates but if someone does, the connection won't be established. Also, it is recommended to manually specify the MinTLSVersion(linter confirmed it)

IP string
RPCPort string
GRPCPort string
EnableTLS bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's avoid growing the node's config. We have an env variable that signals that TLS should be enabled.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just wanted to create a POC. My recommended approach would be to have a RPC url and gRPC url.

@vgonkivs
Copy link
Member

closed in favor of #3954

@vgonkivs vgonkivs closed this Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
external Issues created by non node team members
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants