• Stars
    star
    111
  • Rank 314,454 (Top 7 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A gRPC via HTTP/1 Enabling Library for Go

grpc-http1: A gRPC via HTTP/1 Enabling Library for Go

This library enables using all the functionality of a gRPC server even if it is exposed behind a reverse proxy which does not support HTTP/2, or only supports it for clients (such as Amazon's ALB). This is accomplished via either adaptive downgrading to the gRPC-Web response format or utilizing WebSockets.

For a high-level overview, see this Medium post about the gRPC-Web downgrade option and this Medium post about the gRPC-WebSocket option.

Connection Compatibility Overview

The following table shows what can be expected when a client/server instrumented with the capability offered by this library compared to an unmodified gRPC client/server, both when accessing it directly and when accessing it via a reverse proxy not supporting HTTP/2.

Plain Old gRPC ServerHTTP/1 Downgrading gRPC Server
directbehind reverse proxydirectbehind reverse proxy
Plain Old gRPC Client
gRPC-Web downgrade client mode(✅)
gRPC-WebSocket client mode

The (✅) for the gRPC-Web downgrading client indicates a subset of gRPC calls will be possible, but not all. These include all calls that do not rely on client-side streaming (i.e., all unary and server-streaming calls).

As you can see, when using the client in gRPC-Web downgrade mode, it is possible to instrument the client or the server without any (functional) regressions - there may be a small but fairly negligible performance penalty. This means rolling this feature out to your clients and servers does not need to happen in a strictly synchronous fashion. However, you will only be able to work with a server behind an HTTP/2-incompatible reverse proxy if both the client and the server have been instrumented via this library. To use the client in gRPC-WebSocket mode, both the client and server must be instrumented via this library.

Usage

This library has the canonical import path golang.stackrox.io/grpc-http1. It fully supports Go modules and requires Go version 1.13+ to be built and used. To add it as a dependency in your current project, run go get golang.stackrox.io/grpc-http1.

Server-side

For using this library on the server-side, you'll need to bypass the regular (*grpc.Server).Serve method and instead use the ServeHTTP method of the *grpc.Server object -- it is experimental, but we found it to be fairly stable and reliable.

The only exported function in the golang.grpc.io/grpc-http1/server package is CreateDowngradingHandler, which returns a http.Handler that can be served by a Go HTTP server. It is crucial this server is configured to support HTTP/2; otherwise, your clients using the vanilla gRPC client will no longer be able to talk to it. You can find an example of how to do so in the _integration-tests/ directory.

Client-Side

For connecting to a gRPC server via a client-side proxy, use the ConnectViaProxy function exported from the golang.grpc.io/grpc-http1/client package. This function has the following signature:

func ConnectViaProxy(ctx context.Context, endpoint string, tlsClientConf *tls.Config, opts ...ConnectOption) (*grpc.ClientConn, error)

The first two arguments are the same as for grpc.DialContext. The third argument specifies the TLS client config to be used for connecting to the target address. Note that this is different from the usual gRPC API, which specifies client TLS config via the grpc.WithTransportCredentials. For a plaintext (unencrypted) connection to the server, pass a nil TLS config; however, this does not free you from passing the grpc.WithInsecure() (nor grpc.WithTransportCredentials(insecure.NewCredentials())) gRPC dial option.

The last (variadic) parameter specifies options that modify the dialing behavior. You can pass any gRPC dial options via client.DialOpts(...); however, the grpc.WithTransportCredentials option will not be needed. By default, adaptive gRPC-Web downgrading is used. To use WebSockets, pass true to the client.UseWebSocket option.

Another important option is client.ForceHTTP2(), which needs to be used for a plaintext connection to a server that is not HTTP/1.1 capable (e.g., the vanilla gRPC server). This option is ignored when WebSockets are used. Again, check out the code in the _integration-tests directory.

More Repositories

1

kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
Go
2,914
star
2

stackrox

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
Go
1,119
star
3

Kubernetes_Security_Specialist_Study_Guide

HCL
420
star
4

admission-controller-webhook-demo

Kubernetes admission controller webhook example
Go
245
star
5

helm-charts

Helm charts for StackRox Kubernetes Security Platform
Smarty
62
star
6

collector

Runtime data collection for the StackRox Kubernetes Security Platform using eBPF
C++
52
star
7

contributions

Samples for customer implementations & integrations
Python
47
star
8

scanner

Go
42
star
9

bsidessf-2020-workshop

Materials for a live workshop at BSidesSF on deployment-level Kubernetes security controls
Go
36
star
10

network-policy-examples

YAML files accompanying the StackRox Network Policies guide.
34
star
11

kube-linter-action

GitHub action for automating KubeLinter.
33
star
12

blog-examples

Sample code and files from StackRox blog posts
Open Policy Agent
27
star
13

ansible-demo

Create sales demos on k8s/OpenShift with Ansible
Jinja
15
star
14

k8s-i-use

Source for k8siuse, a site in the style of caniuse that visualizes GVKs and their fields over different versions of the Kubernetes API
CSS
14
star
15

acs-fleet-manager

Go
13
star
16

helmtest

helmtest is a Go-based framework for testing helm charts in various configurations
Go
13
star
17

stackrox-env

Stackrox development environment
Nix
8
star
18

berserker

Workload generator for ACS Collector
Rust
7
star
19

jenkins-plugin

The StackRox Jenkins Plugin for image scanning and security
Java
5
star
20

dev-docs

5
star
21

kernel-packer

📦 Crawl and repackage kernel headers for collector
Python
5
star
22

roxctl-installer-action

5
star
23

k8s-cves

Curated repo of Kubernetes CVEs
Go
4
star
24

central-login

TypeScript
4
star
25

prometheus-metric-parser

Utility to parse prometheus metrics and compare them against other metrics
Go
3
star
26

workflow

Shell
3
star
27

falcosecurity-libs

Internal Fork of https://github.com/falcosecurity/libs
C
3
star
28

rox-ci-image

Dockerfile
3
star
29

istio-cves

Go
3
star
30

dotnet-scraper

.NET scraper houses .NET vulnerabilities, a primitive scraper and a cron job to ensure that we have all the most updated vulns
Go
3
star
31

image-prefetcher

A utility for pre-fetching images onto k8s nodes in parallel
Go
3
star
32

k8s-istio-cve-pusher

This repo pulls CVEs from NVD, filters them and pushes to stackrox google cloud bucket.
Go
2
star
33

junit-parse

Junit parsing CLI
Go
2
star
34

infra

🌧️ Automated infrastructure and demo provisioning
Go
2
star
35

actions

Various Reusable GitHub Actions
Shell
1
star
36

nvdtools

Go
1
star
37

bleve

Go
1
star
38

goland-indexes

Shared indexes for stackrox project
1
star
39

automation-standard

🤖 A micro-framework for building standardized cluster automation entrypoints
Go
1
star
40

docker-registry-client

Public fork of github.com/heroku/docker-registry-client
Go
1
star
41

release-registry

A mechanism to mark, identify and search release artifacts using Quality Milestones.
Go
1
star