[full-ci] Introduce TLS Settings for go-micro based grpc services and clients (#4901)

* Introduce TLS Settings for go-micro based grpc services and clients TLS for the services can be configure by setting the OCIS_MICRO_GRPC_TLS_ENABLED" "OCIS_MICRO_GRPC_TLS_CERTIFICATE" and "OCIS_MICRO_GRPC_TLS_KEY" enviroment variables. TLS for the clients can configured by setting the "OCIS_MICRO_GRPC_CLIENT_TLS_MODE" and "OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" variables. By default TLS is disabled. Co-authored-by: Martin <github@diemattels.at> * Unify TLS configuration for all grpc services All grpc service (whether they're based on reva) or go-micro use the same set of config vars now. TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED, OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables. TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables. There are no individual per service config vars currently. If really needed, per service tls configurations can be specified via config file. Co-authored-by: Martin <github@diemattels.at> Co-authored-by: Martin <github@diemattels.at>
2026-04-26 05:58:27 -05:00 · 2022-11-03 10:17:08 +01:00
parent b7482e5410
commit ee974afebf
91 changed files with 746 additions and 313 deletions
@@ -51,12 +51,10 @@ type Debug struct {
 }

 type GRPCConfig struct {
-	Addr       string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
-	Namespace  string `yaml:"-"`
-	Protocol   string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr      string                 `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLS       *shared.GRPCServiceTLS `yaml:"tls"`
+	Namespace string                 `yaml:"-"`
+	Protocol  string                 `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

 type AuthProviders struct {
@@ -104,9 +104,8 @@ func EnsureDefaults(cfg *config.Config) {

 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address:   cfg.Commons.Reva.Address,
-			TLSMode:   cfg.Commons.Reva.TLSMode,
-			TLSCACert: cfg.Commons.Reva.TLSCACert,
+			Address: cfg.Commons.Reva.Address,
+			TLS:     cfg.Commons.Reva.TLS,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
@@ -120,6 +119,14 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}

+	if cfg.GRPC.TLS == nil {
+		cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+		if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+			cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+			cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+			cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+		}
+	}
 }

 func Sanitize(cfg *config.Config) {
@@ -21,9 +21,9 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
 			"tls_settings": map[string]interface{}{
-				"enabled":     cfg.GRPC.TLSEnabled,
-				"certificate": cfg.GRPC.TLSCert,
-				"key":         cfg.GRPC.TLSKey,
+				"enabled":     cfg.GRPC.TLS.Enabled,
+				"certificate": cfg.GRPC.TLS.Cert,
+				"key":         cfg.GRPC.TLS.Key,
 			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{