agent: add new config flag to force insecure gRPC when TLS is enabled

Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do.
hashicorp · Jan 29, 2019 · 8a14299 · 8a14299
1 parent 7302285
commit 8a14299
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 1 deletion.
diff --git a/agent/agent.go b/agent/agent.go
@@ -523,7 +523,11 @@ func (a *Agent) listenAndServeGRPC() error {
 		ResolveToken: a.resolveToken,
 	}
 	var err error
-	a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+	if a.config.InsecureGRPC {
+		a.grpcServer, err = a.xdsServer.GRPCServer("", "")
+	} else {
+		a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+	}
 	if err != nil {
 		return err
 	}

diff --git a/agent/config/builder.go b/agent/config/builder.go
@@ -801,6 +801,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		EncryptVerifyOutgoing:                   b.boolVal(c.EncryptVerifyOutgoing),
 		GRPCPort:                                grpcPort,
 		GRPCAddrs:                               grpcAddrs,
+		InsecureGRPC:                            b.boolVal(c.InsecureGRPC),
 		KeyFile:                                 b.stringVal(c.KeyFile),
 		LeaveDrainTime:                          b.durationVal("performance.leave_drain_time", c.Performance.LeaveDrainTime),
 		LeaveOnTerm:                             leaveOnTerm,

diff --git a/agent/config/config.go b/agent/config/config.go
@@ -211,6 +211,7 @@ type Config struct {
 	GossipLAN                        GossipLANConfig          `json:"gossip_lan,omitempty" hcl:"gossip_lan" mapstructure:"gossip_lan"`
 	GossipWAN                        GossipWANConfig          `json:"gossip_wan,omitempty" hcl:"gossip_wan" mapstructure:"gossip_wan"`
 	HTTPConfig                       HTTPConfig               `json:"http_config,omitempty" hcl:"http_config" mapstructure:"http_config"`
+	InsecureGRPC                     *bool                    `json:"insecure_grpc,omitempty" hcl:"insecure_grpc" mapstructure:"insecure_grpc"`
 	KeyFile                          *string                  `json:"key_file,omitempty" hcl:"key_file" mapstructure:"key_file"`
 	LeaveOnTerm                      *bool                    `json:"leave_on_terminate,omitempty" hcl:"leave_on_terminate" mapstructure:"leave_on_terminate"`
 	Limits                           Limits                   `json:"limits,omitempty" hcl:"limits" mapstructure:"limits"`

diff --git a/agent/config/runtime.go b/agent/config/runtime.go
@@ -775,6 +775,12 @@ type RuntimeConfig struct {
 	// hcl: ports { https = int }
 	HTTPSPort int
 
+	// InsecureGRPC is used to disable TLS for localhost gRPC even if TLS
+	// certs are present for other reasons.
+	//
+	// hcl: insecure_grpc = (true|false)
+	InsecureGRPC bool
+
 	// KeyFile is used to provide a TLS key that is used for serving TLS
 	// connections. Must be provided to serve TLS connections.
 	//

diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
@@ -3085,6 +3085,7 @@ func TestFullConfig(t *testing.T) {
 					"JRCrHZed": "rl0mTx81"
 				}
 			},
+			"insecure_grpc": true,
 			"key_file": "IEkkwgIA",
 			"leave_on_terminate": true,
 			"limits": {
@@ -3638,6 +3639,7 @@ func TestFullConfig(t *testing.T) {
 					"JRCrHZed" = "rl0mTx81"
 				}
 			}
+			insecure_grpc = true
 			key_file = "IEkkwgIA"
 			leave_on_terminate = true
 			limits {
@@ -4274,6 +4276,7 @@ func TestFullConfig(t *testing.T) {
 		GRPCAddrs:                        []net.Addr{tcpAddr("32.31.61.91:4881")},
 		HTTPAddrs:                        []net.Addr{tcpAddr("83.39.91.39:7999")},
 		HTTPBlockEndpoints:               []string{"RBvAFcGD", "fWOWFznh"},
+		InsecureGRPC:                     true,
 		AllowWriteHTTPFrom:               []*net.IPNet{cidr("127.0.0.0/8"), cidr("22.33.44.55/32"), cidr("0.0.0.0/0")},
 		HTTPPort:                         7999,
 		HTTPResponseHeaders:              map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"},
@@ -5075,6 +5078,7 @@ func TestSanitize(t *testing.T) {
 		"HTTPResponseHeaders": {},
 		"HTTPSAddrs": [],
 		"HTTPSPort": 0,
+		"InsecureGRPC": false,
 		"KeyFile": "hidden",
 		"LeaveDrainTime": "0s",
 		"LeaveOnTerm": false,

diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
@@ -1193,6 +1193,13 @@ default will automatically work with some tooling.
     cluster before declaring it dead, giving that suspect node more time to refute if it is indeed still alive. The
     default is 4.
 
+* <a name="insecure_grpc"></a><a href="#insecure_grpc">`insecure_grpc`</a> If
+  set to `true` this setting will ensure the gRPC server does not use the
+  [`key_file`](#key_file) and [`cert_file`](#cert_file) settings to encrypt
+  communications with TLS. This should only be used if the gRPC server is bound
+  to a local address such as "127.0.0.1" where traffic interception is
+  unlikely.
+
 * <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
   PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
   This must be provided along with [`cert_file`](#cert_file).