This article demonstrates how to use Gravitee as a centralized location to secure and manage your gRPC APIs.
gRPC is well-suited for use cases that require real-time performance and treat an API like a JAVA class method that is instead executing on a remote server. A gRPC API relies on a Protocol Buffers definition to serve an application and can use either Protocol Buffers or JSON for the message exchange format. What matters to Gravitee is that gRPC runs on HTTP/2 protocol, so you can easily create an HTTP proxy.
The following examples explain how to create a gRPC proxy API on top of an existing gRPC service, secure it with plans, document it, publish it in a Developer Portal, deploy it in a Gateway, and monitor its activity and logs. For these examples, we’ll be using a simple set of sample gRPC services and a default deployment of Gravitee API Management running in local Docker containers.
- Example 1: Create a gRPC proxy API in Gravitee APIM
- Example 2: Create multiple gRPC services
- Example 3: Secure your gRPC call with an API Key
To use the samples, the proper services must be running in the Docker containers:
- Docker Engine (e.g., Docker Desktop on MacOS)
- The correct setup of gRPC samples and Gravitee installation in Docker, e.g., load the setup using
docker-compose
- The proper network configuration
- The protofile related to each service
{% hint style="info" %} You can adapt the following instructions to use your own gRPC services and setup {% endhint %}
-
Download the
docker-compose
file -
Copy it to the directory from which you'll be launching the
docker-compose
command -
Run the following:
{% code overflow="wrap" %}
> docker compose -f docker-compose-gravitee-grpc-demo.yml up -d
{% endcode %}
-
Verify the containers initialize and run
In this exercise, we will use a virtual host and dynamic routing to configure our API in Gravitee. To make that work, we need to modify the network configuration by adding the following lines to the /etc/hosts
file:
Since a gRPC service is a little different from a REST service, there are some subtleties that can be overlooked when creating a gRPC proxy API in Gravitee.
Follow the steps below to expose a simple gRPC service with one API on the Gateway. This exercise creates a gRPC proxy on port 8082 of the Gateway to expose the gRPC service method helloworld.Greeter.SayHello
running in the local container grpcbackend-1
.
-
Log in to your APIM Console
-
Create a new API using the v4 API creation wizard
-
Enter the name, version, and description of your API (e.g., HelloService gRPC / 1.0 / Simple gRPC proxy service)
-
Select Proxy Upstream Protocol
-
Enter the context-path /helloworld.Greeter (do not enable virtual hosts for this API)
-
Configure your API endpoint:
- Set the Target URL to
grpc://grpc-backend1:8888/helloworld.Greeter
- Set the Security Configuration option to HTTP 2
- Leave all other settings as default
- Set the Target URL to
-
Configure and validate a KEY_LESS security plan
-
Check that all values are correct in the summary, then deploy your API
-
Verify that your API HelloService gRPC is accessible from the APIs menu of the APIM Console
-
Click on your API and confirm it has started, e.g., by checking the Danger Zone section for the Stop the API action
{% hint style="info" %} Click Publish the API to publish HelloService gRPC in the Developer Portal that is also available in this Docker installation. See the Developer Portal documentation for more information on capabilities and benefits. {% endhint %}
To test HelloService gRPC on Mac OS, use the command line grpcurl
.
-
Download the
.proto
files -
Open a terminal and go to the directory that contains the
.proto
files -
Call your service using the
helloworld.proto
file and a sample body message:{% code overflow="wrap" %}
> grpcurl -plaintext -proto ./helloworld.proto -import-path . -d '{"name":"Adrien"}' localhost:8082 helloworld.Greeter.SayHello
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
{ "message": "Hello Adrien" }
{% endcode %}
{% hint style="success" %} Your gRPC service is now accessible through Gravitee and you can manage the whole lifecycle of HelloService gRPC. {% endhint %}
The steps below use the virtual host feature to expose multiple gRPC services running in the same container with a single entrypoint.
-
Log in to your APIM Console
-
Create a new API using the v4 API creation wizard
-
Enter the name, version, and description of your API (e.g., gRPC Proxy / 1.0 / Simple gRPC proxy service)
-
Select Proxy Upstream Protocol
-
Configure your API entrypoints to use virtual hosts and set the Virtual host to
grpc.gravitee.io
(same as the entry in the/etc/hosts
file), then click Validate my entrypoints -
Configure your API endpoint:
- Set the Target URL to
grpc://grpc-backend1:8888
- Set the Security Configuration option to HTTP 2
- Leave all other settings as default
- Set the Target URL to
-
Configure and validate a KEY_LESS security plan
-
Check that all values are correct in the summary, then deploy your API
-
Verify that your API gRPC Proxy is accessible from the APIs menu of the APIM Console
-
Click on your API and confirm it has started, e.g., by checking the Danger Zone section for the Stop the API action
To test gRPC Proxy on Mac OS, use the command line grpcurl
.
-
Download the
.proto
files -
Open a terminal and go to the directory that contains the
.proto
files -
Call your service using the
helloworld.proto
file and a sample body message:{% code overflow="wrap" %}
> grpcurl -plaintext -proto ./helloworld.proto -import-path . -d '{"name":"here"}' -authority grpc.gravitee.io grpc.gravitee.io:8082 helloworld.Greeter.SayHello
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
{ "message": "Hello here" }
{% endcode %}
-
Call your second service:
{% code overflow="wrap" %}
> grpcurl -plaintext -proto ./route_guide.proto -import-path . -d '{"latitude": 413628156, "longitude": -749015468}' -authority grpc.gravitee.io grpc.gravitee.io:8082 routeguide.RouteGuide/GetFeature
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
{ "name": "U.S. 6, Shohola, PA 18458, USA", "location": { "latitude": 413628156, "longitude": -749015468 } }
{% endcode %}
{% hint style="success" %} Both of your gRPC services are now accessible through Gravitee and you can manage the whole lifecycle of gRPC Proxy. {% endhint %}
Every Gravitee API requires at least one plan, which provides a service and access layer on top of your API and includes a security type, e.g., Keyless (the default plan type). To add an API Key plan to an existing API, follow the steps below.
-
Open your API definition in APIM Console
-
Click on Consumers in the inner left nav
-
Under the Plans tab, click Add new plan and choose API Key
-
Name your plan, e.g., “API Key Plan”
-
Toggle the Auto Validate subscription option ON (you can leave this OFF to add an extra step of manual validation for each subscription)
-
Click through additional configuration pages, leaving the default settings, then click Create
-
Under the Plans header tab, go to the Staging tab and click the publish icon to promote the API Key plan to the PUBLISHED Stage
-
Verify that the API Key plan appears under the PUBLISHED tab
-
Click on the API Key Plan, then select the Subscriptions tab
-
Using an existing application, click Create a subscription using the API Key plan (this example uses a Default application , but you can create your own)
-
To retrieve the API Key, select the Subscriptions tab and scroll down to the bottom of the page
-
Open a terminal
-
Go to the directory where you can access the
.proto
files -
Run the following command after replacing
<yourapikeyhere>
with your API Key:{% code overflow="wrap" %}
> grpcurl -plaintext -proto ./helloworld.proto -import-path . -d '{"name":"here"}' -H 'X-Gravitee-Api-Key: <yourapikeyhere>' -authority grpc.gravitee.io grpc.gravitee.io:8082 helloworld.Greeter.SayHello
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
{ "message": "Hello here" }
{% endcode %}
-
Test with the
routeguide.RouteGuide
service:{% code overflow="wrap" %}
> grpcurl -plaintext -proto ./route_guide.proto -import-path . -d '{"latitude": 413628156, "longitude": -749015468}' -H 'X-Gravitee-Api-Key: <yourapikeyhere>' -authority grpc.gravitee.io grpc.gravitee.io:8082 routeguide.RouteGuide/GetFeature
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
{ "name": "U.S. 6, Shohola, PA 18458, USA", "location": { "latitude": 413628156, "longitude": -749015468 } }
{% endcode %}
-
Close plans for the API except for the API Key plan:
- Under the Plans header tab, select the PUBLISHED tab
- Click on the X icon to close a plan
-
Confirm that if you try to connect to the gRPC proxy service without an API Key, the Gateway will block the call:
-
Run the following command:
{% code overflow="wrap" %}
grpcurl -plaintext -proto ./helloworld.proto -import-path . -d '{"name":"here"}' -authority grpc.gravitee.io grpc.gravitee.io:8082 helloworld.Greeter.SayHello
{% endcode %}
-
Verify the expected response:
{% code overflow="wrap" %}
ERROR: Code: Unauthenticated Message: unexpected HTTP status code received from server: 401 (Unauthorized); transport: received unexpected content-type "text/plain"
{% endcode %}
-
{% hint style="success" %} Success! The API Key plan is protecting access to the backend service. {% endhint %}