Add TLS Support for gRPC Connection (#885)

ribaraka · Assem-Uber · web-flow · commit 465a8b56033e · 2025-04-30T18:59:11.000+02:00
* TLS GRPC connection

* docs: add TLS usage instructions for Docker

* adding cache 

---------

Co-authored-by: Assem Hafez &lt;137278762+Assem-Uber@users.noreply.github.com&gt;
Co-authored-by: Assem Hafez &lt;assem.hafez@uber.com&gt;
diff --git a/README.md b/README.md
@@ -13,14 +13,15 @@ This web UI is used to view workflows from [Cadence][cadence], see what's runnin
 
 Set these environment variables if you need to change their defaults
 
-| Variable                     | Description                                   | Default          |
-| ---------------------------- | --------------------------------------------- | ---------------- |
-| CADENCE_GRPC_PEERS           | Comma-delimited list of gRPC peers            | 127.0.0.1:7833   |
-| CADENCE_GRPC_SERVICES_NAMES  | Comma-delimited list of gRPC services to call | cadence-frontend |
-| CADENCE_CLUSTERS_NAMES       | Comma-delimited list of cluster names         | cluster0         |
-| CADENCE_WEB_PORT             | HTTP port to serve on                         | 8088             |
-| CADENCE_WEB_HOSTNAME         | Host name to serve on                         | 0.0.0.0          |
-| CADENCE_ADMIN_SECURITY_TOKEN | Admin token for accessing admin methods       | ''               |
+| Variable                     | Description                                                                   | Default          |
+| ---------------------------- | ----------------------------------------------------------------------------- | ---------------- |
+| CADENCE_GRPC_PEERS           | Comma-delimited list of gRPC peers                                            | 127.0.0.1:7833   |
+| CADENCE_GRPC_SERVICES_NAMES  | Comma-delimited list of gRPC services to call                                 | cadence-frontend |
+| CADENCE_CLUSTERS_NAMES       | Comma-delimited list of cluster names                                         | cluster0         |
+| CADENCE_WEB_PORT             | HTTP port to serve on                                                         | 8088             |
+| CADENCE_WEB_HOSTNAME         | Host name to serve on                                                         | 0.0.0.0          |
+| CADENCE_ADMIN_SECURITY_TOKEN | Admin token for accessing admin methods                                       | ''               |
+| CADENCE_GRPC_TLS_CA_FILE     | Path to root CA certificate file for enabling one-way TLS on gRPC connections | ''               |
 
 Note: To connect `cadence-web` to multiple clusters, you will need to add comma-delimted entries for `CADENCE_GRPC_PEERS`, `CADENCE_GRPC_SERVICES_NAMES` & `CADENCE_CLUSTERS_NAMES` for each cluster (each cluster values are grouped by their index within the Comma-delimited lists).
 
@@ -39,6 +40,33 @@ The latest version of `cadence-web` is included in the `cadence` composed docker
 docker-compose -f docker/docker-compose.yml up
 ```
 
+### Using TLS for gRPC
+
+You can run cadence-web with secure gRPC TLS communication by passing your CA certificate file to the container and configure the environment variable accordingly.
+
+#### Steps to Pass the Certificate File in Docker
+
+1. **Prepare your CA certificate file:**  
+   Ensure you have the root CA file (e.g., `ca.pem`) accessible on your host machine.
+
+2. **Mount the certificate file into the container:**  
+   Use Docker volume mounting (`-v` or `--volume`) to make the certificate file available inside the container at a known path.
+
+3. **Set the `CADENCE_GRPC_TLS_CA_FILE` environment variable to the mounted certificate path:**  
+
+Example command (for Linux):
+
+```bash
+docker run -it --rm \
+  -p 8088:8088  \
+  -v /path/on/host/ca.pem:/etc/certs/ca.pem:ro \
+  -e CADENCE_GRPC_TLS_CA_FILE=/etc/certs/ca.pem \
+  ubercadence/server:master-auto-setup
+```
+
+- Replace `/path/on/host/ca.pem` with the actual location of your CA certificate on the host system.
+- `CADENCE_GRPC_TLS_CA_FILE` must point to the path inside the container where the certificate is mounted.
+
 ### Building & developing cadence-web 
 
 `cadence-web` requires node `v18` or greater to be able to run correctly.
@@ -98,12 +126,13 @@ You can customize the YAML file or reuse configurations from the [cadence reposi
 After running `cadence`, start `cadence-web` for development using one of the previous methods ([Running development environment](#running-development-environment), [VSCode Dev Containers](#using-vscode-dev-containers))
 
 
+
 #### NPM scripts
 
 
 | script            | Description                                                                                     |
 | ----------------- | ----------------------------------------------------------------------------------------------- |
-| build             | Generate a production build                                                                       |
+| build             | Generate a production build                                                                     |
 | start             | Start server for existing production build                                                      |
 | dev               | Run a development server                                                                        |
 | install-idl       | Download idl files required for building/running the project                                    |
@@ -122,4 +151,4 @@ After running `cadence`, start `cadence-web` for development using one of the pr
 
 MIT License, please see [LICENSE](https://github.com/cadence-workflow/cadence-web/blob/master/LICENSE) for details.
 
-[cadence]: https://github.com/cadence-workflow/cadence
+[cadence]: https://github.com/cadence-workflow/cadence
diff --git a/src/utils/grpc/grpc-service.ts b/src/utils/grpc/grpc-service.ts
@@ -3,8 +3,10 @@ import type { ServiceClient } from '@grpc/grpc-js/build/src/make-client';
 import * as protoLoader from '@grpc/proto-loader';
 import get from 'lodash/get';
 import merge from 'lodash/merge';
+import * as fs from 'node:fs';
 
 import GRPC_PROTO_DIR_BASE_PATH from '@/config/grpc/grpc-proto-dir-base-path';
+import logger from '@/utils/logger';
 
 import { GRPCError, type GRPCInputError } from './grpc-error';
 
@@ -51,7 +53,7 @@ class GRPCService {
     );
     this.service = new ServiceDefinition(
       peer,
-      grpc.credentials.createInsecure(),
+      getChannelCredentials(),
       GRPC_OPTIONS
     );
     this.requestConfig = requestConfig;
@@ -136,4 +138,26 @@ class GRPCService {
   }
 }
 
+let cachedCredentials: grpc.ChannelCredentials | null = null;
+export function getChannelCredentials() {
+  if (cachedCredentials) {
+    return cachedCredentials;
+  }
+  const caRootPath = process.env.CADENCE_GRPC_TLS_CA_FILE?.trim();
+  if (caRootPath) {
+    try {
+      const rootCert = fs.readFileSync(caRootPath);
+      cachedCredentials = grpc.credentials.createSsl(rootCert);
+    } catch (e) {
+      logger.error({
+        message: `Failed to read GRPC TLS CA file`,
+        error: e,
+      });
+    }
+  } else {
+    cachedCredentials = grpc.credentials.createInsecure();
+  }
+  return cachedCredentials;
+}
+
 export default GRPCService;
