Allow to have the health probes without TLS

[cdprete]

Hello.

In K8s / OCP deployment environments, the gRPC probes don't support TLS.
Unfortunately, the server SSL configuration gets applied globally (for what I can see/read) and therefore it then protects also the Health service.

Would it be possible to have some sort of configuration where to say that some services should not be protected through TLS?
Or, alternatively, is there maybe a way to do this already?

[dsyer]

I don't think there's any way to tell the server to only use TLS for some of the endpoints (but you could ask the grpc-java community I guess). I think that would have to be 2 servers? It should be possible to disable client certificate authentication (in fact I think that should be switched off for "Health" already by default).

[cdprete]

I think that would have to be 2 servers?

That's what I'm doing so far by starting Netty (WebFlux) on 8080 and calling its actuator endpoint.
But that's an overkill 'cause we don't need an HTTP server as well at all.

It should be possible to disable client certificate authentication

I don't have client authentication configured (unless it gets enabled implicitly by default).

[cdprete]

(but you could ask the grpc-java community I guess)

Done: grpc/grpc-java#12354

[cdprete]

@dsyer wouldn't have been better to keep this open for when/if grpc/grpc-java#12354 gets implemented so that you can also offer it from your side?

[cdprete]

They closed it in favor of grpc/grpc-java#9002.