Add settings to allow enabling TLS for grpc services #3332
Conversation
|
The cs3api-validator tests are still failing with TLS enabled, because the validator doesn't know the new TLS related flags yet. It's a bit of a hen and egg issue. I guess it's easiest to keep TLS disabled for the tests and enable it after this change got merged (and the validator is updated to use the options). |
rhafer
force-pushed
the
grpc-tls
branch
7 times, most recently
from
0e5cf03
to
4e33db1
Compare
|
This pull request introduces 1 alert when merging 8c24f35 into d908525 - view on LGTM.com new alerts:
|
|
|
||
| ```toml | ||
| [shared.grpc_client_options] | ||
| tls_mode = "on" |
There was a problem hiding this comment.
@micbar @C0rby Different to my initial approach, where I just had a tls_insecure boolean this is introducing a third state for the client's tls setting which allows to completely turn off TLS (e.g. for debugging, or for isolated deployments where TLS is not really needed).
This is somewhat different to the way we configure TLS clients in other places, but I think we need this kind of switch. Are you ok with this, or I go back to the tls_insecure=true/false setting without allowing to turn TLS off.
There was a problem hiding this comment.
Yeah, I think it could make sense to turn TLS off in certain situations.
This means we need to adjust those other places but we can do that in separate PRs.
rhafer
requested review from
a team,
labkode,
ishank011 and
glpatcern
as code owners
|
This pull request introduces 1 alert when merging 1f72786 into 11cc78a - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging b8944a3 into 11cc78a - view on LGTM.com new alerts:
|
For grpc services TLS can be enabled per revad instance in the new `[grpc.tls_settings]` section: ``` [grpc.tls_settings]` enabled = true certificate = "<path/to/cert.pem>" key = "<path/to/key.pem>" ``` If `certificate` or `key` are empty a temporary self-signed certificate is generated upon startup. The default for `enabled` is currently `"false"`, i.e. transport security is disabled. The configuration of grpc clients is currently only possible in the `[shared.grpc_client_options]` section (not on a per client level): ``` [shared.grpc_client_options] tls_mode = "on" tls_cacert = "</path/to/cafile.pem>" ``` `tls_mode` has 3 possible values. `off` (the default) disables transport security for the clients. `insecure` allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). `on` enables transport security. `tls_cacert` is only relevant when `tls_mode` is set to `on` and allows specifying a ca file/bundle to be used for verifying server certificates.
This is a (temporary) workaround for allowing to separately configure the tls mode for the permissions client used by the decomposedfs storage. This is needed for being able to use the ocis settings service as the permission service untils ocis' go-micro based services are adapted for providing TLS as well.
|
This pull request introduces 1 alert when merging e3ee706 into 203cc6b - view on LGTM.com new alerts:
|
For grpc services TLS can be enabled per revad instance in the new
[grpc.tls_settings]section:If
certificateorkeyare empty a temporary self-signed certificateis generated upon startup. The default for
enabledis currently"false", i.e. transport security is disabled.The configuration of grpc clients is currently only possible in the
[shared.grpc_client_options]section (not on a per client level):tls_modehas 3 possible values.off(the default) disables transportsecurity for the clients.
insecureallows to use transport security,but disables certificate verification (to be used with the autogenerated
self-signed certificates).
onenables transport security.tls_cacertis only relevant whentls_modeis set toonand allowsspecifying a ca file/bundle to be used for verifying server
certificates.
For config examples see the toml files in tests/oc-integration-tests/local