-rw-r--r-- | buildstream/sandbox/_sandboxremote.py | 43 | ||||
-rw-r--r-- | doc/source/format_project.rst | 3 |
2 files changed, 35 insertions, 11 deletions
diff --git a/buildstream/sandbox/_sandboxremote.py b/buildstream/sandbox/_sandboxremote.py index 9b54f2e58..a842f08d3 100644 --- a/buildstream/sandbox/_sandboxremote.py +++ b/buildstream/sandbox/_sandboxremote.py @@ -62,10 +62,32 @@ class SandboxRemote(Sandbox): self.storage_url = config.storage_service['url'] self.exec_url = config.exec_service['url'] + exec_certs = {} + for key in ['client-cert', 'client-key', 'server-cert']: + if key in config.exec_service: + with open(config.exec_service[key], 'rb') as f: + exec_certs[key] = f.read() + + self.exec_credentials = grpc.ssl_channel_credentials( + root_certificates=exec_certs.get('server-cert'), + private_key=exec_certs.get('client-key'), + certificate_chain=exec_certs.get('client-cert')) + + action_certs = {} + for key in ['client-cert', 'client-key', 'server-cert']: + if key in config.action_service: + with open(config.action_service[key], 'rb') as f: + action_certs[key] = f.read() + if config.action_service: self.action_url = config.action_service['url'] + self.action_credentials = grpc.ssl_channel_credentials( + root_certificates=action_certs.get('server-cert'), + private_key=action_certs.get('client-key'), + certificate_chain=action_certs.get('client-cert')) else: self.action_url = None + self.action_credentials = None self.server_instance = config.exec_service.get('instance', None) self.storage_instance = config.storage_service.get('instance', None) 
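Review bot: The `action_certs` loop evaluates `key in config.action_service` before the `if config.action_service:` guard that follows it. If the action cache service can be unset (the guard itself and the `remote_config['action-service'] = None` assignment in the `@@ -109,10 +131,10 @@` hunk suggest it can be None), the constructor would raise a TypeError instead of reaching the `else` branch. Moving the loop under the guard fixes that and avoids reading key material that is never used. Separately, a config that supplies only one of `client-cert` / `client-key` is handed to `grpc.ssl_channel_credentials` unchecked; rejecting a half-configured pair here with a SandboxError would give a clearer failure. The enclosing `__init__` starts and ends outside the hunk.

```python
        if config.action_service:
            action_certs = {}
            for key in ['client-cert', 'client-key', 'server-cert']:
                if key in config.action_service:
                    with open(config.action_service[key], 'rb') as f:
                        action_certs[key] = f.read()
            self.action_url = config.action_service['url']
            # … unchanged: self.action_credentials = grpc.ssl_channel_credentials(...) …
        # … unchanged: else branch setting action_url and action_credentials to None …
```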
@@ -109,10 +131,10 @@ class SandboxRemote(Sandbox): remote_exec_storage_config = require_node(remote_config, 'storage-service') remote_exec_action_config = remote_config.get('action-cache-service', {}) - _yaml.node_validate(remote_exec_service_config, ['url', 'instance']) + _yaml.node_validate(remote_exec_service_config, ['url', 'instance'] + tls_keys) _yaml.node_validate(remote_exec_storage_config, ['url', 'instance'] + tls_keys) if remote_exec_action_config: - _yaml.node_validate(remote_exec_action_config, ['url']) + _yaml.node_validate(remote_exec_action_config, ['url'] + tls_keys) else: remote_config['action-service'] = None @@ -142,8 +164,11 @@ class SandboxRemote(Sandbox): return path for key in tls_keys: - if key in remote_config['execution-service']: - remote_config['execution-service'][key] = resolve_path(remote_config['execution-service'][key]) + for d in (remote_config['execution-service'], + remote_config['storage-service'], + remote_exec_action_config): + if key in d: + d[key] = resolve_path(d[key]) spec = RemoteExecutionSpec(remote_config['execution-service'], remote_config['storage-service'], @@ -305,6 +330,8 @@ class SandboxRemote(Sandbox): "for example: http://buildservice:50051.") if url.scheme == 'http': channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port)) + elif url.scheme == 'https': + channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.exec_credentials) else: raise SandboxError("Remote execution currently only supports the 'http' protocol " "and '{}' was supplied.".format(url.scheme)) 
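Review bot: In the `@@ -305,6 +330,8 @@` hunk the `else` branch still raises `"Remote execution currently only supports the 'http' protocol "` even though `https` is now accepted, so a user with a mistyped scheme is told the wrong thing. The message should name both schemes, for example `"Remote execution currently only supports the 'http' and 'https' protocols "`. The port-missing message just above it gives only an `http://` example and could mention the `https` form too. The enclosing method starts and ends outside the hunk.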
@@ -362,11 +389,11 @@ class SandboxRemote(Sandbox): if not url.port: raise SandboxError("You must supply a protocol and port number in the action-cache-service url, " "for example: http://buildservice:50051.") - if not url.scheme == "http": - raise SandboxError("Currently only support http for the action cache" - "and {} was supplied".format(url.scheme)) + if url.scheme == 'http': + channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port)) + elif url.scheme == 'https': + channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.action_credentials) - channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port)) request = remote_execution_pb2.GetActionResultRequest(action_digest=action_digest) stub = remote_execution_pb2_grpc.ActionCacheStub(channel) try: diff --git a/doc/source/format_project.rst b/doc/source/format_project.rst index 08e8a0861..c3555e0c1 100644 --- a/doc/source/format_project.rst +++ b/doc/source/format_project.rst @@ -244,9 +244,6 @@ using the `remote-execution` option: action-cache-service: url: http://bar.action.com:50052 -The execution-service part of remote execution does not support encrypted -connections yet, so the protocol must always be http. - storage-service specifies a remote CAS store and the parameters are the same as those used to specify an :ref:`artifact server <artifacts>`. |
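Review bot: The rewritten scheme check in the `@@ -362,11 +389,11 @@` hunk has no `else`, and the old `if not url.scheme == "http": raise SandboxError(...)` is removed. An unsupported scheme therefore leaves `channel` unassigned, and the failure surfaces as an UnboundLocalError at `ActionCacheStub(channel)` rather than as a SandboxError. Restore the rejection after the `elif`, e.g. `else:` followed by `raise SandboxError("The action cache only supports 'http' and 'https' and '{}' was supplied".format(url.scheme))`. This would also match the execution-service channel setup, which keeps its `else: raise`. The enclosing method starts and ends outside the hunk.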