Lagom with gRPC with SSL enabled in production

I’m following the sample project “grpc-example-scala” and trying to implement a proof of concept for a system of microservices communicating using gRPC. I have issues when running it outside of SBT with SSL enabled, issues caused, it seems, by the fact that the HTTPS port is not exposed.

I added all the workarounds necessary to run the project in DEV mode (hard-coded HTTPS ports, mapping from service name to the HTTPS URL) and I manage to run the runAll command using the provided SBT wrapper.

Now as a next step, I perform a docker:publish and start one service in a container using

docker run IMAGE_ID

I connect to the container using

docker container ls
docker exec -i -t CONTAINER_ID /bin/bash

and inside the container I do

bash-4.4$ netstat -tnlp

This outputs:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN 1/java
tcp 0 0 172.17.0.2:8558 0.0.0.0:* LISTEN 1/java

As you can see, only the HTTP and the default Akka HTTP ports are exposed. The hard-coded HTTPS port is missing.

The same behavior can be observed when running the services inside a Kubernetes cluster and using the command to connect to the pod:

kubectl exec info-service-impl-deployment-7d44bffcf9-pfcml -c info-service-impl -it bash

I created the Kubernetes service using this YML file

---
apiVersion: "v1"
kind: Service
metadata:
  name: info-service-impl-service
spec:
  ports:
    - name: http
      port: 80
      targetPort: 9000
    - name: https
      port: 443
      targetPort: 11000
  selector:
    app: info-service-impl
  type: LoadBalancer

where 11000 is defined in build.sbt

// Hyphenated identifiers need backticks in Scala
val `info-service-impl-HTTPS-port` = 11000
// ... on the service's project definition:
.settings(lagomServiceHttpsPort := `info-service-impl-HTTPS-port`)

The loaders are implemented along these lines

class InfoServiceLoader extends LagomApplicationLoader {

    def load(context: LagomApplicationContext): LagomApplication =
        new InfoServiceApplication(context) with AkkaDiscoveryComponents

    override def loadDevMode(context: LagomApplicationContext): LagomApplication =
        new InfoServiceApplication(context) with LagomDevModeComponents
}

and application.conf includes the required settings

play.application.loader = com.lagomgrpc.InfoServiceLoader
play.server.pidfile.path = /dev/null
play.http.secret.key = "change+me"
akka.discovery.method = akka-dns

Can you see any obvious explanation for this behavior?

lagomServiceHttpsPort only affects development mode. For production configuration, you should follow these instructions:

https://www.playframework.com/documentation/2.7.x/ConfiguringHttps
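
As an added illustration of what the linked page describes (not part of the original answer or of the sample project), a production `application.conf` can enable the HTTPS listener through Play's own server settings. The keystore path and the `KEYSTORE_PASSWORD` variable name are assumptions; port 11000 is taken from the Service definition in the question.

```hocon
# Constructed example: production HTTPS settings for the Play server (Play 2.7).
# lagomServiceHttpsPort in build.sbt is not read here; it only applies to dev mode.
play.server {
  http.port = 9000

  https {
    # Must match the Service targetPort for the "https" entry (11000 in the question).
    port = 11000

    keyStore {
      # Hypothetical mount point, e.g. a Kubernetes Secret mounted into the pod.
      path = "/etc/tls/keystore.p12"
      type = "PKCS12"
      # Hypothetical environment variable; keeps the password out of the image
      # and out of version control.
      password = ${?KEYSTORE_PASSWORD}
    }
  }
}
```

If no keystore is configured, Play falls back to generating a self-signed certificate, which clients will not trust in production. Once the HTTPS port is set, `netstat -tnlp` inside the container should list a listener on 11000 alongside 9000 and 8558.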