Example of envoy with HTTPS connection to grpc backend


I cannot for the life of me figure out how to use Envoy to proxy grpc-web requests to a grpc backend over HTTPS.

My use case is that I’d like to use grpc-web with a service on GCP Run. GCP Run deployments are individual Docker containers, so to accomplish this, I have two options:

  1. Put my grpc server and envoy into the same container. This is generally considered bad practice: containers should be single-purpose. I hit all sorts of sharp edges, and the general response is, “stop running multiple services in a single container.”
  2. Separate my grpc server from my envoy server. This is a tad heavyweight, but clearly the way Docker and GCP Run “want” me to do it.

The “problem” is that service-to-service communication between GCP Run deployments is over HTTPS. That’s not a problem per se, but I simply can’t make it work. I’d include the config I’m using, but I’ve tried so many things and I can’t include them all. I’ve essentially been trying to combine the envoy.yaml in the Hello World example with this: https://farcaller.medium.com/how-to-configure-https-backends-in-envoy-b446727b2eb3.

The symptoms I’m seeing are:

  • When I use TLS, envoy generally doesn’t send a response back to the client. The client just hangs forever.
  • Depending on the exact details of the configuration I’m using, I see either “503” or “404” in the envoy debug logs, and no further information besides the status code.

Establishing a secure connection to a grpc backend seems like it should be a supported configuration, so can we get an example of it in the docs?

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 4
  • Comments: 7

Top GitHub Comments

robcecil commented, Mar 8, 2021 (3 reactions)

@hjfreyer The yaml doesn’t seem complete… How does it work? I don’t see any tls_certificates, nor trusted_ca… Shouldn’t you have something like this under transport_sockets:

    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # sni: server-f2dxgbokta-uc.a.run.app
        common_tls_context:
          tls_certificates:
            - certificate_chain: { filename: "/etc/server_crt.pem" }
              private_key: { filename: "/etc/server_key.pem" }
          validation_context:
            match_subject_alt_names:
            - exact: "server-f2dxgbokta-uc.a.run.app"
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates/my_ca.crt

hjfreyer commented, Feb 1, 2021 (3 reactions)

@stanley-cheung That config doesn’t run on v1.17.

I did manage to get it working, but it took a lot of guesswork. Here’s the config I landed on: https://github.com/hjfreyer/pictophone-be/blob/d72c869535f25ff289e806e9edac26d08f13eeba/config/envoy/envoy.yaml
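
A check in the spirit of robcecil's question above, as an added example (not code from the issue or from the Envoy project): it audits an Envoy bootstrap, loaded as a Python dict, for upstream clusters whose TLS context lacks `sni`, `trusted_ca` or a SAN matcher. The cluster names, host, CA path and the `tls_socket`, `audit_cluster` and `audit` helpers are constructed for illustration; only an inline `validation_context` is inspected, so SDS secrets, combined validation contexts and `auto_sni` are not considered.

```python
import json

TLS_CTX = ("type.googleapis.com/envoy.extensions.transport_sockets"
           ".tls.v3.UpstreamTlsContext")

def tls_socket(cfg):
    """Constructed helper: wrap an UpstreamTlsContext body in a transport_socket."""
    return {"name": "envoy.transport_sockets.tls",
            "typed_config": {"@type": TLS_CTX, **cfg}}

# Constructed sample clusters (placeholder names, host and CA path).
SAMPLE = {"static_resources": {"clusters": [
    {"name": "plaintext_backend"},
    {"name": "tls_unverified", "transport_socket": tls_socket(
        {"sni": "backend.example.com"})},
    {"name": "tls_verified", "transport_socket": tls_socket({
        "sni": "backend.example.com",
        "common_tls_context": {"validation_context": {
            "trusted_ca": {"filename": "/etc/ssl/certs/ca-certificates.crt"},
            "match_subject_alt_names": [{"exact": "backend.example.com"}]}}})},
]}}

def audit_cluster(cluster):
    """Return findings for one cluster's upstream TLS settings."""
    sock = cluster.get("transport_socket")
    if not sock:
        return ["no transport_socket: upstream connection is plaintext"]
    cfg = sock.get("typed_config", {})
    if cfg.get("@type") != TLS_CTX:
        return ["transport_socket is not an UpstreamTlsContext"]
    findings = []
    if not cfg.get("sni"):
        findings.append("no sni field set in the UpstreamTlsContext")
    vc = cfg.get("common_tls_context", {}).get("validation_context", {})
    if not vc.get("trusted_ca"):
        findings.append("no trusted_ca: upstream certificate is not verified")
    if not (vc.get("match_subject_alt_names")
            or vc.get("match_typed_subject_alt_names")):
        findings.append("no SAN matcher: certificate name is not checked")
    return findings

def audit(bootstrap):
    """Map cluster name -> findings for every static cluster."""
    clusters = bootstrap.get("static_resources", {}).get("clusters", [])
    return {c.get("name", "<unnamed>"): audit_cluster(c) for c in clusters}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```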
