authorValentin David <valentin.david@codethink.co.uk>2018-12-20 13:00:57 +0100
committerValentin David <valentin.david@gmail.com>2019-01-09 10:45:23 +0000
commit65ea03abf942dfa2a4066917a33f579522f05e0e (patch)
tree47313a4d33a0b72077f56f86ef9e749dc8c5085d
parent605f8d11dc830b7d3243735d1f340e16364c8d8c (diff)
Add support for https channel to remote execution and actions serversvalentindavid/remote_execution_configuration
Fixes #780.
-rw-r--r--buildstream/sandbox/_sandboxremote.py43
-rw-r--r--doc/source/format_project.rst3
2 files changed, 35 insertions, 11 deletions
diff --git a/buildstream/sandbox/_sandboxremote.py b/buildstream/sandbox/_sandboxremote.py
index 9b54f2e58..a842f08d3 100644
--- a/buildstream/sandbox/_sandboxremote.py
+++ b/buildstream/sandbox/_sandboxremote.py
@@ -62,10 +62,32 @@ class SandboxRemote(Sandbox):
self.storage_url = config.storage_service['url']
self.exec_url = config.exec_service['url']
+ exec_certs = {}
+ for key in ['client-cert', 'client-key', 'server-cert']:
+ if key in config.exec_service:
+ with open(config.exec_service[key], 'rb') as f:
+ exec_certs[key] = f.read()
+
+ self.exec_credentials = grpc.ssl_channel_credentials(
+ root_certificates=exec_certs.get('server-cert'),
+ private_key=exec_certs.get('client-key'),
+ certificate_chain=exec_certs.get('client-cert'))
+
+ action_certs = {}
+ for key in ['client-cert', 'client-key', 'server-cert']:
+ if key in config.action_service:
+ with open(config.action_service[key], 'rb') as f:
+ action_certs[key] = f.read()
+
if config.action_service:
self.action_url = config.action_service['url']
+ self.action_credentials = grpc.ssl_channel_credentials(
+ root_certificates=action_certs.get('server-cert'),
+ private_key=action_certs.get('client-key'),
+ certificate_chain=action_certs.get('client-cert'))
else:
self.action_url = None
+ self.action_credentials = None
self.server_instance = config.exec_service.get('instance', None)
self.storage_instance = config.storage_service.get('instance', None)
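Review bot: The `action_certs` loop evaluates `key in config.action_service` before the `if config.action_service:` guard directly below it. If that attribute can be None, which the `else` branch here and the loader's `remote_config['action-service'] = None` suggest but do not prove, construction fails with a TypeError for a project that has no action cache. Moving the loop inside the `if config.action_service:` branch avoids this. The loop is identical to the one that fills `exec_certs`, so a small private helper that takes the service mapping and returns the file contents would remove the duplication. That helper is also the place for a comment such as `# client-key is private key material: keep it in memory only, never log it`. The enclosing method starts and ends outside the hunk.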
@@ -109,10 +131,10 @@ class SandboxRemote(Sandbox):
remote_exec_storage_config = require_node(remote_config, 'storage-service')
remote_exec_action_config = remote_config.get('action-cache-service', {})
- _yaml.node_validate(remote_exec_service_config, ['url', 'instance'])
+ _yaml.node_validate(remote_exec_service_config, ['url', 'instance'] + tls_keys)
_yaml.node_validate(remote_exec_storage_config, ['url', 'instance'] + tls_keys)
if remote_exec_action_config:
- _yaml.node_validate(remote_exec_action_config, ['url'])
+ _yaml.node_validate(remote_exec_action_config, ['url'] + tls_keys)
else:
remote_config['action-service'] = None
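Review bot: `node_validate` with `+ tls_keys` only restricts which keys may appear, so a service block that sets `client-key` without `client-cert` (or the reverse) passes validation and later reaches `grpc.ssl_channel_credentials` with half of a key pair. Rejecting that at load time gives the user a message naming the missing key, for example `if ('client-key' in cfg) != ('client-cert' in cfg):` followed by the loader's usual configuration error, applied to each of the three service blocks. How gRPC reacts to the half pair is not visible on this page, which is the reason to fail early. The enclosing function starts and ends outside the hunk.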
@@ -142,8 +164,11 @@ class SandboxRemote(Sandbox):
return path
for key in tls_keys:
- if key in remote_config['execution-service']:
- remote_config['execution-service'][key] = resolve_path(remote_config['execution-service'][key])
+ for d in (remote_config['execution-service'],
+ remote_config['storage-service'],
+ remote_exec_action_config):
+ if key in d:
+ d[key] = resolve_path(d[key])
spec = RemoteExecutionSpec(remote_config['execution-service'],
remote_config['storage-service'],
@@ -305,6 +330,8 @@ class SandboxRemote(Sandbox):
"for example: http://buildservice:50051.")
if url.scheme == 'http':
channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
+ elif url.scheme == 'https':
+ channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.exec_credentials)
else:
raise SandboxError("Remote execution currently only supports the 'http' protocol "
"and '{}' was supplied.".format(url.scheme))
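Review bot: The message in the `else` branch still says remote execution only supports the 'http' protocol, which is stale now that the `https` branch exists and will mislead anyone who mistypes the scheme. Suggest `"Remote execution currently only supports the 'http' and 'https' protocols "` on that line. The `https` branch would also benefit from a comment like `# no server-cert configured: root_certificates is None, gRPC uses its default trust roots`, so the trust decision is visible where the channel is opened. The enclosing method starts and ends outside the hunk.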
@@ -362,11 +389,11 @@ class SandboxRemote(Sandbox):
if not url.port:
raise SandboxError("You must supply a protocol and port number in the action-cache-service url, "
"for example: http://buildservice:50051.")
- if not url.scheme == "http":
- raise SandboxError("Currently only support http for the action cache"
- "and {} was supplied".format(url.scheme))
+ if url.scheme == 'http':
+ channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
+ elif url.scheme == 'https':
+ channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.action_credentials)
- channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
request = remote_execution_pb2.GetActionResultRequest(action_digest=action_digest)
stub = remote_execution_pb2_grpc.ActionCacheStub(channel)
try:
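Review bot: The new `if`/`elif` has no `else`, so any scheme other than `http` or `https` leaves `channel` unassigned. `ActionCacheStub(channel)` then fails with an UnboundLocalError instead of the `SandboxError` that the removed check used to raise. Add the fallback branch so a bad action-cache URL is still reported as a configuration problem: `else:` followed by `raise SandboxError("The action cache only supports the 'http' and 'https' protocols and '{}' was supplied.".format(url.scheme))`. This mirrors the execution-service branch in the previous hunk. The enclosing method starts and ends outside the hunk.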
diff --git a/doc/source/format_project.rst b/doc/source/format_project.rst
index 08e8a0861..c3555e0c1 100644
--- a/doc/source/format_project.rst
+++ b/doc/source/format_project.rst
@@ -244,9 +244,6 @@ using the `remote-execution` option:
action-cache-service:
url: http://bar.action.com:50052
-The execution-service part of remote execution does not support encrypted
-connections yet, so the protocol must always be http.
-
storage-service specifies a remote CAS store and the parameters are the
same as those used to specify an :ref:`artifact server <artifacts>`.