Enable TLS on gRPCIngress if RAY_USE_TLS is on

[ashahab]

Enabling TLS for the serve GRPC endpoints.

Why are these changes needed?

Related issue number

Checks

• I've signed off every commit(by using the -s flag, i.e., git commit -s) in this PR.
• I've run scripts/format.sh to lint the changes in this PR.
• I've included any doc changes needed for https://docs.ray.io/en/master/.
  • I've added any new APIs to the API Reference. For example, if I added a
    method in Tune, I've added it in doc/source/tune/api/ under the
    corresponding .rst file.
• I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
• Testing Strategy
  • Unit tests
  • Release tests
  • This PR is not tested :(

[sihanwang41]

In high level, we should make secured/insecure configurable.

[ashahab]

I used the add_port_to_grpc_server(self.server, address) function, which internally depends on RAY_USE_TLS environment variable. Does that make it configurable? I can add a comment in my code to indicate this

[sihanwang41]

Hi @ashahab , RAY_USE_TLS will trigger all communication internally with TLS, is this the case you are expecting? Or you only want to ingress port to be TLS secured?

[sihanwang41]

I suggest having separate variable to control it

[ashahab]

@sihanwang41 Thank you for your review.
If RAY_USE_TLS is separate from another variable (e.g. RAY_USE_TLS_INGRESS), that may confuse the meaning of "RAY_USE_TLS" and allow insecure communication when it's on.
IMHO it is better to error on the side of caution and ensure all endpoints(ingress, headnode, and worker) encrypt on the wire when RAY_USE_TLS is on. This also allows reusing the add_port_to_grpc_server function which already has built in support. Happy to hear more on your thoughts.

[sihanwang41]

hi @ashahab , if you set RAY_USE_TLS, all internal communication will be under TLS (potentially hurting performance), I think you only want to have ingress port as TLS right?
If yes above,
RAY_SERVE_GRPC_TLS_INGRESS = True or RAY_USE_TLS = True, we both set the secure port. Otherwise we use insecure port, what do you think?

[ashahab]

@sihanwang41 Thank you for the prompt response.

Yes, I agree with you on the potential performance hit with RAY_USE_TLS.
My intent and proposal is to encrypt all the endpoints, and not just the ingress port. From a security perspective, this is the safer approach, given that if the data that is consumed by the endpoint needs to be encrypted between client and RayServe, it is unlikely that it does not need to be encrypted when it's routed from head to worker.

As for performance, I plan to follow this up with some benchmarks and potential improvements on the TLS communication:

1. Ensuring TLS 1.3 is used at each endpoint, reducing handshake time by merging server hello, client key verify, cert, and verify.
2. Session resumption
3. Dynamic record sizes.

[ashahab]

@sihanwang41 I'd like. your feedback on this. Thank you!

[sihanwang41]

lint is still failing

[ashahab]

@sihanwang41 Thank you for the approval. Please let me know when/how it can be merged? We plan to use this capability soon. Thank you!

[sihanwang41]

Hi @edoakes ^^ can you take a look?