
Commit e455c31

authored
feat: allow to configure TLS for gRPC servers (#303)
Allow adding paths to the files containing the TLS server certificate and private key for gRPC servers. The files must contain PEM-encoded data. fixes #302 Signed-off-by: Christophe de Carvalho <[email protected]>
1 parent 0293a89 commit e455c31

11 files changed

+479
-120
lines changed


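--- a/app/artifact-cas/configs/samples/config.yaml
+++ b/app/artifact-cas/configs/samples/config.yaml
@@ -9,6 +9,9 @@ server:
 grpc:
 addr: 0.0.0.0:9001
 timeout: 1s
+tls_config:
+certificate: "./configs/tls/server.crt"
+private_key: "./configs/tls/server.key"
 http_metrics:
 addr: 0.0.0.0:5001
 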
app/artifact-cas/internal/conf/conf.pb.go

Lines changed: 126 additions & 41 deletions

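--- a/app/artifact-cas/internal/conf/conf.proto
+++ b/app/artifact-cas/internal/conf/conf.proto
@@ -43,10 +43,16 @@ message Server {
 string addr = 2;
 google.protobuf.Duration timeout = 3;
 }
+message TLS {
+// path to certificate and private key
+string certificate = 1;
+string private_key = 2;
+}
 message GRPC {
 string network = 1;
 string addr = 2;
 google.protobuf.Duration timeout = 3;
+TLS tls_config = 4;
 }
 // Regular HTTP endpoint
 HTTP http = 1;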
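Review bot: The only documentation on the new `message TLS` is `// path to certificate and private key`, while the commit description states that both files must contain PEM-encoded data; that constraint is what an operator filling in `tls_config` needs and it belongs on the schema, not just in the commit message. I would comment each field separately, e.g. `// Path to a PEM-encoded file with the server's X.509 certificate` on `certificate` and `// Path to a PEM-encoded file with the private key matching the certificate` on `private_key`. It is also worth stating on `tls_config` that leaving it unset keeps the gRPC listener in plaintext, since proto3 gives no way to mark the field required and the loading code in grpc.go appears to enable TLS only when both paths are present.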

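--- a/app/artifact-cas/internal/server/grpc.go
+++ b/app/artifact-cas/internal/server/grpc.go
@@ -17,6 +17,7 @@ package server
 
 import (
 "context"
+"crypto/tls"
 "fmt"
 "os"
 "regexp"
@@ -99,6 +100,21 @@ func NewGRPCServer(c *conf.Server, authConf *conf.Auth, byteService *service.Byt
 if c.Grpc.Timeout != nil {
 opts = append(opts, grpc.Timeout(c.Grpc.Timeout.AsDuration()))
 }
+if tlsConf := c.Grpc.GetTlsConfig(); tlsConf != nil {
+cert := tlsConf.GetCertificate()
+privKey := tlsConf.GetPrivateKey()
+if cert != "" && privKey != "" {
+cert, err := tls.LoadX509KeyPair(cert, privKey)
+if err != nil {
+return nil, fmt.Errorf("loading gRPC server TLS certificate: %w", err)
+}
+opts = append(opts, grpc.TLSConfig(&tls.Config{
+Certificates: []tls.Certificate{cert},
+MinVersion: tls.VersionTLS12, // gosec complains about insecure minimum version we use default value
+}))
+}
+}
+
 srv := grpc.NewServer(opts...)
 
 bytestream.RegisterByteStreamServer(srv.Server, byteService)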
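Review bot: A `tls_config` block with only one of `certificate`/`private_key` filled in is silently skipped by the `if cert != "" && privKey != "" {` guard, so a partial misconfiguration leaves the gRPC server listening in plaintext with no error or log line to show it. Since the presence of the block signals that TLS was intended, fail closed on the mismatch before the existing guard, e.g. `if (cert == "") != (privKey == "") { return nil, fmt.Errorf("gRPC tls_config: certificate and private_key must both be set") }`. Separately, `cert, err := tls.LoadX509KeyPair(cert, privKey)` redeclares `cert` as a `tls.Certificate` in the inner block while the right-hand side still reads the outer string; it compiles, but naming the result `keyPair` avoids two meanings of `cert` on adjacent lines. The `MinVersion` comment is hard to parse as written; I would state the intent directly, `// Refuse anything below TLS 1.2; set explicitly so gosec does not flag the default`. The enclosing NewGRPCServer begins before this hunk.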

app/cli/api/attestation/v1/crafting_state.pb.go

Lines changed: 2 additions & 1 deletion

app/controlplane/cmd/wire_gen.go

Lines changed: 5 additions & 1 deletion

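--- a/app/controlplane/configs/samples/config.yaml
+++ b/app/controlplane/configs/samples/config.yaml
@@ -1,3 +1,9 @@
+server:
+grpc:
+tls_config:
+certificate: "./configs/tls/server.crt"
+private_key: "./configs/tls/server.key"
+
 auth:
 # Development credentials for the SSO authentication roundtrip
 oauth: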
