feat: allow to configure TLS for gRPC servers (#303)

Allow to add path to files containing TLS server certificate and private key for gRPC servers. The files must contain PEM encoded data. fixes #302 Signed-off-by: Christophe de Carvalho <christophe@archipelo.co>
chainloop-dev · Aug 31, 2023 · e455c31 · e455c31
1 parent 0293a89
commit e455c31
Show file tree

Hide file tree

Showing 11 changed files with 479 additions and 120 deletions.
diff --git a/app/artifact-cas/configs/samples/config.yaml b/app/artifact-cas/configs/samples/config.yaml
@@ -9,6 +9,9 @@ server:
   grpc:
     addr: 0.0.0.0:9001
     timeout: 1s
+    tls_config:
+      certificate: "./configs/tls/server.crt"
+      private_key: "./configs/tls/server.key"
   http_metrics:
     addr: 0.0.0.0:5001
 

diff --git a/app/artifact-cas/internal/conf/conf.pb.go b/app/artifact-cas/internal/conf/conf.pb.go
diff --git a/app/artifact-cas/internal/conf/conf.proto b/app/artifact-cas/internal/conf/conf.proto
@@ -43,10 +43,16 @@ message Server {
     string addr = 2;
     google.protobuf.Duration timeout = 3;
   }
+  message TLS {
+    // path to certificate and private key
+    string certificate = 1;
+    string private_key = 2;
+  }
   message GRPC {
     string network = 1;
     string addr = 2;
     google.protobuf.Duration timeout = 3;
+    TLS tls_config = 4;
   }
   // Regular HTTP endpoint
   HTTP http = 1;

diff --git a/app/artifact-cas/internal/server/grpc.go b/app/artifact-cas/internal/server/grpc.go
@@ -17,6 +17,7 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"os"
 	"regexp"
@@ -99,6 +100,21 @@ func NewGRPCServer(c *conf.Server, authConf *conf.Auth, byteService *service.Byt
 	if c.Grpc.Timeout != nil {
 		opts = append(opts, grpc.Timeout(c.Grpc.Timeout.AsDuration()))
 	}
+	if tlsConf := c.Grpc.GetTlsConfig(); tlsConf != nil {
+		cert := tlsConf.GetCertificate()
+		privKey := tlsConf.GetPrivateKey()
+		if cert != "" && privKey != "" {
+			cert, err := tls.LoadX509KeyPair(cert, privKey)
+			if err != nil {
+				return nil, fmt.Errorf("loading gRPC server TLS certificate: %w", err)
+			}
+			opts = append(opts, grpc.TLSConfig(&tls.Config{
+				Certificates: []tls.Certificate{cert},
+				MinVersion:   tls.VersionTLS12, // gosec complains about insecure minimum version we use default value
+			}))
+		}
+	}
+
 	srv := grpc.NewServer(opts...)
 
 	bytestream.RegisterByteStreamServer(srv.Server, byteService)

diff --git a/app/cli/api/attestation/v1/crafting_state.pb.go b/app/cli/api/attestation/v1/crafting_state.pb.go
diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go
diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml
@@ -1,3 +1,9 @@
+server:
+  grpc:
+    tls_config:
+      certificate: "./configs/tls/server.crt"
+      private_key: "./configs/tls/server.key"
+
 auth:
   # Development credentials for the SSO authentication roundtrip
   oauth: