ALTS Go gRPC with Envoy

In this experiment, we evaluate gRPC authentication in Go using Application Layer Transport Security (ALTS).

For a comprehensive overview of how ALTS works, take a look at the gRPC ALTS authentication documentation page. For an in-depth understanding of its concepts and design, take a look at the ALTS whitepaper.

Quick ALTS Overview

ALTS is used for gRPC service-to-service authentication for applications running on Google Cloud infrastructure. ALTS will use the server's identity, usually the instance service account, to establish the encrypted communication.

The image below shows a visual explanation of how ALTS works:

About this Code

In this example, we deploy three services to GKE and establish a secure communication between two of them. See the image below for more details.

The checkout service uses Envoy as a sidecar to handle egress traffic and, instead of implementing the client ALTS credentials in Go, we use the type.googleapis.com/envoy.extensions.transport_sockets.alts.v3.Alts transport socket config to let the sidecar authenticate to the server on the client's behalf.

Notice that since the three services are deployed to the same GKE cluster and all nodes have the same Service Account, we don't need to explicitly provide the service account in the ALTS configuration.

Running the Code

To run this code:

Create a GKE cluster and configure your kubeconfig to access the new cluster

gke_cluster=my-cluster
gke_zone=us-central1-a

# "create" was missing from the original command
gcloud container clusters create $gke_cluster --num-nodes 3 --zone $gke_zone
# get-credentials is a subcommand of "clusters", not of "container"
gcloud container clusters get-credentials $gke_cluster --zone $gke_zone

Deploy the services to GKE

kubectl create ns checkout

for s in shipping payment checkout; do
  kubectl apply -f "$s"/.kube.yaml -n checkout
done

Before running the client, expose the checkout service port

kubectl port-forward $(kubectl get pods -n checkout -l app=checkout -o jsonpath="{.items[0].metadata.name}") 50054:50054 -n checkout
# keep this session running

Run the client

cd client
go build
go run main.go

Re-building things

If you make changes to the code, re-build and push the new image. Example:

cd checkout
docker build -t your_dockerhub_account/alts-checkout:v1 .
docker push your_dockerhub_account/alts-checkout:v1

# Remember to update the image in the .kube.yaml file and apply it again

If you make changes in the protobuf, re-build it:

# Install the protoc in a local folder
./install_protoc_grpc_go.sh

# Generate the stubs for all services
./protogen

A note on GKE Workload Identity

As of today, it seems that ALTS does not support the GKE Workload Identity feature.

References

These are some resources that helped me during this experiment:
