Introduce TLS Settings for all reva grpc services and clients

2025-12-30 17:00:57 -06:00 · 2022-10-13 11:24:07 +02:00
parent e373e48383
commit 3d57f5cc21
63 changed files with 308 additions and 149 deletions
--- a/changelog/unreleased/grpc-tls.md
+++ b/changelog/unreleased/grpc-tls.md
@@ -0,0 +1,6 @@
+Enhancement: Allow to setup TLS for the reva grpc services
+
+We added config options to allow enabling TLS encrption for all reva backed
+grpc services.
+
+https://github.com/owncloud/ocis/pull/4798
--- a/ocis-pkg/shared/reva.go
+++ b/ocis-pkg/shared/reva.go
@@ -0,0 +1,28 @@
+package shared
+
+import "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+
+var defaultRevaConfig = Reva{
+	Address: "127.0.0.1:9142",
+}
+
+func DefaultRevaConfig() *Reva {
+	// copy
+	ret := defaultRevaConfig
+	return &ret
+}
+
+func (r *Reva) GetRevaOptions() []pool.Option {
+	tm, _ := pool.StringToTLSMode(r.TLSMode)
+	opts := []pool.Option{
+		pool.WithTLSMode(tm),
+	}
+	return opts
+}
+
+func (r *Reva) GetGRPCClientConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"tls_mode":   r.TLSMode,
+		"tls_cacert": r.TLSCACert,
+	}
+}
--- a/ocis-pkg/shared/shared_types.go
+++ b/ocis-pkg/shared/shared_types.go
@@ -29,9 +29,11 @@ type TokenManager struct {
 	JWTSecret string `mask:"password" yaml:"jwt_secret" env:"OCIS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`
 }

-// Reva defines all available REVA configuration.
+// Reva defines all available REVA client configuration.
 type Reva struct {
-	Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+	Address   string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+	TLSMode   string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security."`
+	TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."`
 }

 type CacheStore struct {
--- a/services/app-provider/pkg/config/config.go
+++ b/services/app-provider/pkg/config/config.go
@@ -52,9 +52,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr       string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }

 type Drivers struct {
--- a/services/app-provider/pkg/config/defaults/defaultconfig.go
+++ b/services/app-provider/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "app-provider",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:   shared.DefaultRevaConfig(),
 		Driver: "",
 		Drivers: config.Drivers{
 			WOPI: config.WOPIDriver{
@@ -67,7 +65,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/app-provider/pkg/revaconfig/config.go
+++ b/services/app-provider/pkg/revaconfig/config.go
@@ -15,12 +15,18 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"tracing_service_name": cfg.Service.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.TokenManager.JWTSecret,
-			"gatewaysvc": cfg.Reva.Address,
+			"jwt_secret":          cfg.TokenManager.JWTSecret,
+			"gatewaysvc":          cfg.Reva.Address,
+			"grpc_client_options": cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"appprovider": map[string]interface{}{
 					"app_provider_url": cfg.ExternalAddr,
--- a/services/app-registry/pkg/config/config.go
+++ b/services/app-registry/pkg/config/config.go
@@ -50,9 +50,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type AppRegistry struct {
--- a/services/app-registry/pkg/config/defaults/defaultconfig.go
+++ b/services/app-registry/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "app-registry",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 	}
 }

@@ -132,7 +130,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/app-registry/pkg/revaconfig/config.go
+++ b/services/app-registry/pkg/revaconfig/config.go
@@ -17,12 +17,18 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
 			"tracing_service_name": cfg.Service.Name,
 		},
 		"shared": map[string]interface{}{
-			"jwt_secret": cfg.TokenManager.JWTSecret,
-			"gatewaysvc": cfg.Reva.Address,
+			"jwt_secret":          cfg.TokenManager.JWTSecret,
+			"gatewaysvc":          cfg.Reva.Address,
+			"grpc_client_options": cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"appregistry": map[string]interface{}{
 					"driver": "static",
--- a/services/auth-basic/pkg/config/config.go
+++ b/services/auth-basic/pkg/config/config.go
@@ -51,9 +51,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type AuthProviders struct {
--- a/services/auth-basic/pkg/config/defaults/defaultconfig.go
+++ b/services/auth-basic/pkg/config/defaults/defaultconfig.go
@@ -31,9 +31,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-basic",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:         shared.DefaultRevaConfig(),
 		AuthProvider: "ldap",
 		AuthProviders: config.AuthProviders{
 			LDAP: config.LDAPProvider{
@@ -106,7 +104,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/auth-basic/pkg/revaconfig/config.go
+++ b/services/auth-basic/pkg/revaconfig/config.go
@@ -15,10 +15,16 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
--- a/services/auth-bearer/pkg/config/config.go
+++ b/services/auth-bearer/pkg/config/config.go
@@ -51,9 +51,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type OIDC struct {
--- a/services/auth-bearer/pkg/config/defaults/defaultconfig.go
+++ b/services/auth-bearer/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-bearer",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 		OIDC: config.OIDC{
 			Issuer:   "https://localhost:9200",
 			Insecure: false,
@@ -65,7 +63,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/auth-bearer/pkg/revaconfig/config.go
+++ b/services/auth-bearer/pkg/revaconfig/config.go
@@ -15,10 +15,16 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "oidc",
--- a/services/auth-machine/pkg/config/config.go
+++ b/services/auth-machine/pkg/config/config.go
@@ -51,7 +51,10 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
--- a/services/auth-machine/pkg/config/defaults/defaultconfig.go
+++ b/services/auth-machine/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-machine",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 	}
 }

@@ -60,7 +58,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/auth-machine/pkg/revaconfig/config.go
+++ b/services/auth-machine/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func AuthMachineConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "machine",
--- a/services/frontend/pkg/config/defaults/defaultconfig.go
+++ b/services/frontend/pkg/config/defaults/defaultconfig.go
@@ -29,9 +29,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "frontend",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:                     shared.DefaultRevaConfig(),
 		PublicURL:                "https://localhost:9200",
 		EnableFavorites:          false,
 		EnableProjectSpaces:      true,
@@ -99,7 +97,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -73,6 +73,7 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address, // Todo or address?
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"http": map[string]interface{}{
 			"network": cfg.HTTP.Protocol,
--- a/services/gateway/pkg/config/config.go
+++ b/services/gateway/pkg/config/config.go
@@ -73,9 +73,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type StorageRegistry struct {
--- a/services/gateway/pkg/config/defaults/defaultconfig.go
+++ b/services/gateway/pkg/config/defaults/defaultconfig.go
@@ -28,10 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "gateway",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
-
+		Reva:                       shared.DefaultRevaConfig(),
 		CommitShareToStorageGrant:  true,
 		ShareFolder:                "Shares",
 		DisableHomeCreationOnLogin: true,
@@ -90,7 +87,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/gateway/pkg/revaconfig/config.go
+++ b/services/gateway/pkg/revaconfig/config.go
@@ -24,10 +24,16 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"gateway": map[string]interface{}{
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -30,9 +30,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "graph",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 		Spaces: config.Spaces{
 			WebDavBase:   "https://localhost:9200",
 			WebDavPath:   "/dav/spaces/",
--- a/services/graph/pkg/identity/cs3.go
+++ b/services/graph/pkg/identity/cs3.go
@@ -42,7 +42,7 @@ func (i *CS3) UpdateUser(ctx context.Context, nameOrID string, user libregraph.U
 func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values) (*libregraph.User, error) {
 	logger := i.Logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "cs3").Msg("GetUser")
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -70,7 +70,7 @@ func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values)
 func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregraph.User, error) {
 	logger := i.Logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "cs3").Msg("GetUsers")
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -110,7 +110,7 @@ func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregrap
 func (i *CS3) GetGroups(ctx context.Context, queryParam url.Values) ([]*libregraph.Group, error) {
 	logger := i.Logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "cs3").Msg("GetGroups")
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
@@ -156,7 +156,7 @@ func (i *CS3) CreateGroup(ctx context.Context, group libregraph.Group) (*libregr
 func (i *CS3) GetGroup(ctx context.Context, groupID string, queryParam url.Values) (*libregraph.Group, error) {
 	logger := i.Logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "cs3").Msg("GetGroup")
-	client, err := pool.GetGatewayServiceClient(i.Config.Address)
+	client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
--- a/services/graph/pkg/service/v0/service.go
+++ b/services/graph/pkg/service/v0/service.go
@@ -66,7 +66,7 @@ func NewService(opts ...Option) Service {
 	}
 	if options.GatewayClient == nil {
 		var err error
-		svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address)
+		svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address, options.Config.Reva.GetRevaOptions()...)
 		if err != nil {
 			options.Logger.Error().Err(err).Msg("Could not get gateway client")
 			return nil
--- a/services/groups/pkg/config/config.go
+++ b/services/groups/pkg/config/config.go
@@ -52,9 +52,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"GROUPS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"GROUPS_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"GROUPS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"GROUPS_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type Drivers struct {
--- a/services/groups/pkg/config/defaults/defaultconfig.go
+++ b/services/groups/pkg/config/defaults/defaultconfig.go
@@ -31,9 +31,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "groups",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:   shared.DefaultRevaConfig(),
 		Driver: "ldap",
 		Drivers: config.Drivers{
 			LDAP: config.LDAPDriver{
@@ -107,7 +105,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/groups/pkg/revaconfig/config.go
+++ b/services/groups/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func GroupsConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"groupprovider": map[string]interface{}{
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -29,9 +29,7 @@ func DefaultConfig() *config.Config {
 			TLSKey:    filepath.Join(defaults.BaseDataPath(), "idp", "server.key"),
 			TLS:       false,
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 		Service: config.Service{
 			Name: "idp",
 		},
@@ -155,7 +153,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/notifications/pkg/channels/channels.go
+++ b/services/notifications/pkg/channels/channels.go
@@ -27,7 +27,7 @@ type Channel interface {

 // NewMailChannel instantiates a new mail communication channel.
 func NewMailChannel(cfg config.Config, logger log.Logger) (Channel, error) {
-	gc, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address)
+	gc, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address, cfg.Notifications.Reva.GetRevaOptions()...)
 	if err != nil {
 		logger.Error().Err(err).Msg("could not get gateway client")
 		return nil, err
--- a/services/notifications/pkg/command/server.go
+++ b/services/notifications/pkg/command/server.go
@@ -77,7 +77,10 @@ func Server(cfg *config.Config) *cli.Command {
 			if err != nil {
 				return err
 			}
-			gwclient, err := pool.GetGatewayServiceClient(cfg.Notifications.Reva.Address)
+			gwclient, err := pool.GetGatewayServiceClient(
+				cfg.Notifications.Reva.Address,
+				cfg.Notifications.Reva.GetRevaOptions()...,
+			)
 			if err != nil {
 				logger.Fatal().Err(err).Str("addr", cfg.Notifications.Reva.Address).Msg("could not get reva client")
 			}
--- a/services/notifications/pkg/config/defaults/defaultconfig.go
+++ b/services/notifications/pkg/config/defaults/defaultconfig.go
@@ -37,9 +37,7 @@ func DefaultConfig() *config.Config {
 				ConsumerGroup: "notifications",
 				EnableTLS:     false,
 			},
-			Reva: shared.Reva{
-				Address: "127.0.0.1:9142",
-			},
+			Reva: *shared.DefaultRevaConfig(),
 		},
 	}
 }
--- a/services/ocdav/pkg/command/server.go
+++ b/services/ocdav/pkg/command/server.go
@@ -5,6 +5,7 @@ import (
 	"fmt"

 	"github.com/cs3org/reva/v2/pkg/micro/ocdav"
+	"github.com/cs3org/reva/v2/pkg/sharedconf"
 	"github.com/oklog/run"
 	"github.com/owncloud/ocis/v2/ocis-pkg/broker"
 	"github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
@@ -38,7 +39,17 @@ func Server(cfg *config.Config) *cli.Command {
 			defer cancel()

 			gr.Add(func() error {
-
+				// init reva shared config explicitly as the go-micro based ocdav does not use
+				// the reva runtime. But we need e.g. the shared client settings to be initialized
+				sc := map[string]interface{}{
+					"jwt_secret":                cfg.TokenManager.JWTSecret,
+					"gatewaysvc":                cfg.Reva.Address,
+					"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+					"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
+				}
+				if err := sharedconf.Decode(sc); err != nil {
+					logger.Error().Err(err).Msg("error decoding shared config for ocdav")
+				}
 				opts := []ocdav.Option{
 					ocdav.Name(cfg.HTTP.Namespace + "." + cfg.Service.Name),
 					ocdav.Version(version.GetString()),
--- a/services/ocdav/pkg/config/defaults/defaultconfig.go
+++ b/services/ocdav/pkg/config/defaults/defaultconfig.go
@@ -30,9 +30,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "ocdav",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:            shared.DefaultRevaConfig(),
 		WebdavNamespace: "/users/{{.Id.OpaqueId}}",
 		FilesNamespace:  "/users/{{.Id.OpaqueId}}",
 		SharesNamespace: "/Shares",
@@ -82,7 +80,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/ocs/pkg/config/defaults/defaultconfig.go
+++ b/services/ocs/pkg/config/defaults/defaultconfig.go
@@ -37,9 +37,7 @@ func DefaultConfig() *config.Config {
 			Name: "ocs",
 		},
 		AccountBackend: "cs3",
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:           shared.DefaultRevaConfig(),
 		IdentityManagement: config.IdentityManagement{
 			Address: "https://localhost:9200",
 		},
@@ -82,7 +80,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/ocs/pkg/service/v0/service.go
+++ b/services/ocs/pkg/service/v0/service.go
@@ -118,7 +118,7 @@ func (o Ocs) NotFound(w http.ResponseWriter, r *http.Request) {
 }

 func (o Ocs) getCS3Backend() backend.UserBackend {
-	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
+	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address, o.config.Reva.GetRevaOptions()...)
 	if err != nil {
 		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 	}
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -128,7 +128,7 @@ func Server(cfg *config.Config) *cli.Command {

 func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain {
 	rolesClient := settingssvc.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient())
-	revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address)
+	revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...)
 	var userProvider backend.UserBackend
 	switch cfg.AccountBackend {
 	case "cs3":
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -49,9 +49,7 @@ func DefaultConfig() *config.Config {
 			},
 		},
 		PolicySelector: nil,
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:           shared.DefaultRevaConfig(),
 		PreSignedURL: config.PreSignedURL{
 			AllowedHTTPMethods: []string{"GET"},
 			Enabled:            true,
@@ -244,7 +242,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/search/pkg/config/defaults/defaultconfig.go
+++ b/services/search/pkg/config/defaults/defaultconfig.go
@@ -30,9 +30,7 @@ func DefaultConfig() *config.Config {
 			Name: "search",
 		},
 		Datapath: path.Join(defaults.BaseDataPath(), "search"),
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:     shared.DefaultRevaConfig(),
 		Events: config.Events{
 			Endpoint:      "127.0.0.1:9233",
 			Cluster:       "ocis-cluster",
@@ -74,7 +72,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/search/pkg/service/v0/service.go
+++ b/services/search/pkg/service/v0/service.go
@@ -88,7 +88,7 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) {
 		return nil, err
 	}

-	gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address)
+	gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...)
 	if err != nil {
 		logger.Fatal().Err(err).Str("addr", cfg.Reva.Address).Msg("could not get reva client")
 	}
--- a/services/sharing/pkg/config/config.go
+++ b/services/sharing/pkg/config/config.go
@@ -55,9 +55,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"SHARING_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"SHARING_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"SHARING_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"SHARING_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type UserSharingDrivers struct {
--- a/services/sharing/pkg/config/defaults/defaultconfig.go
+++ b/services/sharing/pkg/config/defaults/defaultconfig.go
@@ -31,9 +31,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "sharing",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:              shared.DefaultRevaConfig(),
 		UserSharingDriver: "jsoncs3",
 		UserSharingDrivers: config.UserSharingDrivers{
 			JSON: config.UserSharingJSONDriver{
@@ -103,7 +101,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"usershareprovider": map[string]interface{}{
--- a/services/storage-publiclink/pkg/config/config.go
+++ b/services/storage-publiclink/pkg/config/config.go
@@ -51,9 +51,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"STORAGE_PUBLICLINK_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"STORAGE_PUBLICLINK_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"STORAGE_PUBLICLINK_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"STORAGE_PUBLICLINK_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type StorageProvider struct {
--- a/services/storage-publiclink/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-publiclink/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "storage-publiclink",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 		StorageProvider: config.StorageProvider{
 			MountID: "7993447f-687f-490d-875c-ac95e89a62a4",
 		},
@@ -63,7 +61,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/storage-publiclink/pkg/revaconfig/config.go
+++ b/services/storage-publiclink/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func StoragePublicLinkConfigFromStruct(cfg *config.Config) map[string]interface{
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"interceptors": map[string]interface{}{
 				"log": map[string]interface{}{},
 				"prometheus": map[string]interface{}{
--- a/services/storage-shares/pkg/config/config.go
+++ b/services/storage-shares/pkg/config/config.go
@@ -53,7 +53,10 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"STORAGE_SHARES_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"STORAGE_SHARES_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"STORAGE_SHARES_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"STORAGE_SHARES_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
--- a/services/storage-shares/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-shares/pkg/config/defaults/defaultconfig.go
@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "storage-shares",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:                   shared.DefaultRevaConfig(),
 		MountID:                "7639e57c-4433-4a12-8201-722fd0009154",
 		ReadOnly:               false,
 		SharesProviderEndpoint: "localhost:9150",
@@ -63,7 +61,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/storage-shares/pkg/revaconfig/config.go
+++ b/services/storage-shares/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func StorageSharesConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"sharesstorageprovider": map[string]interface{}{
 					"usershareprovidersvc": cfg.SharesProviderEndpoint,
--- a/services/storage-system/pkg/config/config.go
+++ b/services/storage-system/pkg/config/config.go
@@ -56,9 +56,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"STORAGE_SYSTEM_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"STORAGE_SYSTEM_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr       string `yaml:"addr" env:"STORAGE_SYSTEM_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"STORAGE_SYSTEM_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }

 type HTTPConfig struct {
--- a/services/storage-system/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-system/pkg/config/defaults/defaultconfig.go
@@ -36,9 +36,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "storage-system",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:          shared.DefaultRevaConfig(),
 		DataServerURL: "http://localhost:9216/data",
 		Driver:        "ocis",
 		Drivers: config.Drivers{
@@ -75,7 +73,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/storage-system/pkg/revaconfig/config.go
+++ b/services/storage-system/pkg/revaconfig/config.go
@@ -18,10 +18,16 @@ func StorageSystemFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"gateway": map[string]interface{}{
 					// registries are located on the gateway
--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -60,9 +60,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"STORAGE_USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"STORAGE_USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr       string `yaml:"addr" env:"STORAGE_USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"STORAGE_USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }

 type HTTPConfig struct {
--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -37,9 +37,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "storage-users",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:             shared.DefaultRevaConfig(),
 		DataServerURL:    "http://localhost:9158/data",
 		MountID:          "1284d238-aa92-42ce-bdc4-0b0000009157",
 		UploadExpiration: 24 * 60 * 60,
@@ -113,7 +111,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/storage-users/pkg/revaconfig/config.go
+++ b/services/storage-users/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"storageprovider": map[string]interface{}{
--- a/services/thumbnails/pkg/config/defaults/defaultconfig.go
+++ b/services/thumbnails/pkg/config/defaults/defaultconfig.go
@@ -42,11 +42,9 @@ func DefaultConfig() *config.Config {
 				RootDirectory: path.Join(defaults.BaseDataPath(), "thumbnails"),
 			},
 			WebdavAllowInsecure: false,
-			Reva: shared.Reva{
-				Address: "127.0.0.1:9142",
-			},
-			CS3AllowInsecure: false,
-			DataEndpoint:     "http://127.0.0.1:9186/thumbnails/data",
+			Reva:                *shared.DefaultRevaConfig(),
+			CS3AllowInsecure:    false,
+			DataEndpoint:        "http://127.0.0.1:9186/thumbnails/data",
 		},
 	}
 }
--- a/services/thumbnails/pkg/server/grpc/server.go
+++ b/services/thumbnails/pkg/server/grpc/server.go
@@ -26,7 +26,7 @@ func NewService(opts ...Option) grpc.Service {
 		grpc.Version(version.GetString()),
 	)
 	tconf := options.Config.Thumbnail
-	gc, err := pool.GetGatewayServiceClient(tconf.Reva.Address)
+	gc, err := pool.GetGatewayServiceClient(tconf.Reva.Address, tconf.Reva.GetRevaOptions()...)
 	if err != nil {
 		options.Logger.Error().Err(err).Msg("could not get gateway client")
 		return grpc.Service{}
--- a/services/users/pkg/config/config.go
+++ b/services/users/pkg/config/config.go
@@ -52,9 +52,12 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr       string `yaml:"addr" env:"USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }

 type Drivers struct {
--- a/services/users/pkg/config/defaults/defaultconfig.go
+++ b/services/users/pkg/config/defaults/defaultconfig.go
@@ -31,9 +31,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "users",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:   shared.DefaultRevaConfig(),
 		Driver: "ldap",
 		Drivers: config.Drivers{
 			LDAP: config.LDAPDriver{
@@ -108,7 +106,9 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
--- a/services/users/pkg/revaconfig/config.go
+++ b/services/users/pkg/revaconfig/config.go
@@ -17,10 +17,16 @@ func UsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options":       cfg.Reva.GetGRPCClientConfig(),
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"userprovider": map[string]interface{}{
--- a/services/webdav/pkg/config/defaults/defaultconfig.go
+++ b/services/webdav/pkg/config/defaults/defaultconfig.go
@@ -38,9 +38,7 @@ func DefaultConfig() *config.Config {
 		},
 		OcisPublicURL:   "https://127.0.0.1:9200",
 		WebdavNamespace: "/users/{{.Id.OpaqueId}}",
-		Reva: shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:            *shared.DefaultRevaConfig(),
 	}
 }

--- a/services/webdav/pkg/service/v0/service.go
+++ b/services/webdav/pkg/service/v0/service.go
@@ -60,7 +60,7 @@ func NewService(opts ...Option) (Service, error) {
 	// chi.RegisterMethod("REPORT")
 	m.Use(options.Middleware...)

-	gwc, err := pool.GetGatewayServiceClient(conf.Reva.Address)
+	gwc, err := pool.GetGatewayServiceClient(conf.Reva.Address, conf.Reva.GetRevaOptions()...)
 	if err != nil {
 		return nil, err
 	}