I've developed a gRPC service that is deployed on a Kubernetes cluster, and I'm using grpc-web from nodejs clients to connect to it. This means I need a proxy in front of the service. Everything works perfectly with this envoy configuration without SSL, but now I need to secure the connections to get it ready for production.
Here are the steps I've gone through
1) Generated the keys, entering my domain simulation.terrarium.ai
when asked using this tutorial
2) Edit the Dockerfile to add the keys
FROM envoyproxy/envoy:latest
COPY envoy-proxy-tls.yaml /etc/envoy.yaml
EXPOSE 9091
ADD ./certs/simulation.terrarium.ai.crt /etc/simulation.terrarium.ai.crt
ADD ./certs/simulation.terrarium.ai.key /etc/simulation.terrarium.ai.key
ADD ./certs/rootCA.crt /etc/rootCA.crt
WORKDIR /etc/envoy
CMD /usr/local/bin/envoy -c /etc/envoy.yaml
3) Updated the envoy config to use tls on the port
It's much easier to read this config file with highlighting so here is a gist of it.
What's Happening
I make calls to my service like this
var simService = new SimulationServiceClient(ServerAddress, null, null);
var request = new CreateSpectatorRequest();
request.setApi(API_VERSION);
request.setId(this.clientId);
var metadata = {};
var stream = simService.createSpectator(request, metadata);
stream.on("data", this.onData);
stream.on("status", this.onStatus);
stream.on("end", this.onEnd);
At this point I have my grpc service and the envoy proxy running in a kubernetes cluster, the same way I did before adding TLS. When I try to connect from my browser I get this error:
https://simulation.terrarium.ai:9091/v1.SimulationService/SubscribeSpectatorToRegion net::ERR_CERT_AUTHORITY_INVALID
I'm having a really hard time debugging this as I'm not sure exactly where the error could be occurring. Any help would be appreciated!
I'm using GKE and just found this link that shows how to use a Google Managed SSL Certificate.
It works perfectly for me! Sorry I couldn't solve this issue exactly but this is a way easier alternative as they also handle automation for the certificates.