feat: add grpc server opts config (#1524)

* feat: add grpc server opts config * chore: bump base image * chore: temp ignore cve
ory · Apr 24, 2024 · 7278e44 · 7278e44
1 parent 9455714
commit 7278e44
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 4 deletions.
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
@@ -23,7 +23,7 @@ RUN go build -buildvcs=false -tags sqlite -o /usr/bin/keto .
 
 #########################
 
-FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
+FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runner
 
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/keto /usr/bin/keto

diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/static-debian11:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
 
 COPY keto /usr/bin/keto
 EXPOSE 4466 4467

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+# Temp ignore, as 2.36-9+deb12u6 is not yet available in debian
+CVE-2024-2961
diff --git a/cmd/client/grpc_client.go b/cmd/client/grpc_client.go
@@ -77,7 +77,6 @@ func (d *connectionDetails) dialOptions() (opts []grpc.DialOption) {
 	if d.block {
 		opts = append(opts, grpc.WithBlock())
 	}
-
 	return opts
 }
 

diff --git a/internal/driver/daemon.go b/internal/driver/daemon.go
@@ -490,6 +490,7 @@ func (r *RegistryDefault) newGrpcServer(ctx context.Context) *grpc.Server {
 		grpc.ChainStreamInterceptor(r.streamInterceptors(ctx)...),
 		grpc.ChainUnaryInterceptor(r.unaryInterceptors(ctx)...),
 	}
+	opts = append(opts, r.defaultGRPCServerOptions...)
 	if r.grpcTransportCredentials != nil {
 		opts = append(opts, grpc.Creds(r.grpcTransportCredentials))
 	}
@@ -503,7 +504,6 @@ func (r *RegistryDefault) ReadGRPCServer(ctx context.Context) *grpc.Server {
 	grpcHealthV1.RegisterHealthServer(s, r.HealthServer())
 	rts.RegisterVersionServiceServer(s, r)
 	reflection.Register(s)
-
 	for _, h := range r.allHandlers() {
 		if h, ok := h.(ReadHandler); ok {
 			h.RegisterReadGRPC(s)

diff --git a/internal/driver/registry_default.go b/internal/driver/registry_default.go
@@ -77,6 +77,7 @@ type (
 
 		defaultUnaryInterceptors  []grpc.UnaryServerInterceptor
 		defaultStreamInterceptors []grpc.StreamServerInterceptor
+		defaultGRPCServerOptions  []grpc.ServerOption
 		defaultHttpMiddlewares    []func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc)
 		grpcTransportCredentials  credentials.TransportCredentials
 		defaultMigrationOptions   []popx.MigrationBoxOption

diff --git a/internal/driver/registry_factory.go b/internal/driver/registry_factory.go
@@ -82,6 +82,7 @@ func NewDefaultRegistry(ctx context.Context, flags *pflag.FlagSet, withoutNetwor
 		ctxer:                     options.Contextualizer(),
 		defaultUnaryInterceptors:  options.GRPCUnaryInterceptors(),
 		defaultStreamInterceptors: options.GRPCStreamInterceptors(),
+		defaultGRPCServerOptions:  options.GRPCServerOptions(),
 		defaultHttpMiddlewares:    options.HTTPMiddlewares(),
 		extraMigrations:           options.ExtraMigrations(),
 		defaultMigrationOptions:   options.MigrationOptions(),

diff --git a/ketoctx/options.go b/ketoctx/options.go
@@ -23,6 +23,7 @@ type (
 		httpMiddlewares        []func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc)
 		grpcUnaryInterceptors  []grpc.UnaryServerInterceptor
 		grpcStreamInterceptors []grpc.StreamServerInterceptor
+		grpcServerOptions      []grpc.ServerOption
 		migrationOpts          []popx.MigrationBoxOption
 		readyCheckers          healthx.ReadyCheckers
 		extraMigrations        []fs.FS
@@ -73,6 +74,13 @@ func WithGRPCStreamInterceptors(i ...grpc.StreamServerInterceptor) Option {
 	}
 }
 
+// WithGRPCServerOptions adds gRPC server options.
+func WithGRPCServerOptions(serverOpts ...grpc.ServerOption) Option {
+	return func(o *opts) {
+		o.grpcServerOptions = serverOpts
+	}
+}
+
 // WithExtraMigrations adds additional database migrations.
 func WithExtraMigrations(o ...fs.FS) Option {
 	return func(opts *opts) {
@@ -125,6 +133,10 @@ func (o *opts) GRPCStreamInterceptors() []grpc.StreamServerInterceptor {
 	return o.grpcStreamInterceptors
 }
 
+func (o *opts) GRPCServerOptions() []grpc.ServerOption {
+	return o.grpcServerOptions
+}
+
 func (o *opts) ExtraMigrations() []fs.FS {
 	return o.extraMigrations
 }

diff --git a/ketoctx/options_test.go b/ketoctx/options_test.go
@@ -5,6 +5,10 @@ package ketoctx
 
 import (
 	"testing"
+	"time"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/keepalive"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -23,4 +27,12 @@ func TestOptions(t *testing.T) {
 		opts := Options(WithContextualizer(ctxer))
 		assert.Equal(t, ctxer, opts.Contextualizer())
 	})
+	t.Run("case=overwrites grpcServerOpts", func(t *testing.T) {
+		sp := keepalive.ServerParameters{
+			MaxConnectionAge:      time.Second * 30,
+			MaxConnectionAgeGrace: time.Second * 10,
+		}
+		opts := Options(WithGRPCServerOptions(grpc.KeepaliveParams(sp)))
+		assert.NotNil(t, opts.grpcServerOptions)
+	})
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Temp ignore, as 2.36-9+deb12u6 is not yet available in debian
		CVE-2024-2961
-Original file line number
+Diff line change
@@ Expand Up @@
     	if d.block {
     		opts = append(opts, grpc.WithBlock())
     	}
     	return opts
     }
@@ Expand Down @@