mTLS: allow gRPC TLS for all in one (#3854)

* make grpc_insecure an optional bool * use internal addresses for all in one databroker and tls
pomerium · Jan 3, 2023 · e019885 · e019885
1 parent 618b821
commit e019885
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 15 deletions.
diff --git a/config/envoyconfig/clusters.go b/config/envoyconfig/clusters.go
@@ -25,10 +25,10 @@ import (
 
 // BuildClusters builds envoy clusters from the given config.
 func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*envoy_config_cluster_v3.Cluster, error) {
-	grpcURL := &url.URL{
+	grpcURLs := []*url.URL{{
 		Scheme: "http",
 		Host:   b.localGRPCAddress,
-	}
+	}}
 	httpURL := &url.URL{
 		Scheme: "http",
 		Host:   b.localHTTPAddress,
@@ -37,16 +37,21 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 		Scheme: "http",
 		Host:   b.localMetricsAddress,
 	}
-	authorizeURLs, err := cfg.Options.GetInternalAuthorizeURLs()
-	if err != nil {
-		return nil, err
-	}
-	databrokerURLs, err := cfg.Options.GetDataBrokerURLs()
-	if err != nil {
-		return nil, err
+
+	authorizeURLs, databrokerURLs := grpcURLs, grpcURLs
+	if !config.IsAll(cfg.Options.Services) {
+		var err error
+		authorizeURLs, err = cfg.Options.GetInternalAuthorizeURLs()
+		if err != nil {
+			return nil, err
+		}
+		databrokerURLs, err = cfg.Options.GetDataBrokerURLs()
+		if err != nil {
+			return nil, err
+		}
 	}
 
-	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", []*url.URL{grpcURL}, upstreamProtocolHTTP2)
+	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2)
 	if err != nil {
 		return nil, err
 	}

diff --git a/config/options.go b/config/options.go
@@ -18,6 +18,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/spf13/viper"
 	"github.com/volatiletech/null/v9"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/hashutil"
@@ -217,7 +218,7 @@ type Options struct {
 
 	// GRPCInsecure disables transport security.
 	// If running in all-in-one mode, defaults to true.
-	GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
+	GRPCInsecure *bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
 
 	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
 	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
@@ -819,10 +820,13 @@ func (o *Options) GetGRPCAddr() string {
 
 // GetGRPCInsecure gets whether or not gRPC is insecure.
 func (o *Options) GetGRPCInsecure() bool {
+	if o.GRPCInsecure != nil {
+		return *o.GRPCInsecure
+	}
 	if IsAll(o.Services) {
 		return true
 	}
-	return o.GRPCInsecure
+	return false
 }
 
 // GetSignOutRedirectURL gets the SignOutRedirectURL.
@@ -1457,7 +1461,7 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
 		o.GRPCAddr = settings.GetGrpcAddress()
 	}
 	if settings.GrpcInsecure != nil {
-		o.GRPCInsecure = settings.GetGrpcInsecure()
+		o.GRPCInsecure = proto.Bool(settings.GetGrpcInsecure())
 	}
 	if len(settings.DatabrokerServiceUrls) > 0 {
 		o.DataBrokerURLStrings = settings.GetDatabrokerServiceUrls()

diff --git a/internal/controlplane/events_test.go b/internal/controlplane/events_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
@@ -80,7 +81,7 @@ func TestEvents(t *testing.T) {
 						Options: &config.Options{
 							SharedKey:           cryptutil.NewBase64Key(),
 							DataBrokerURLString: "http://" + li.Addr().String(),
-							GRPCInsecure:        true,
+							GRPCInsecure:        proto.Bool(true),
 						},
 					},
 				}),

diff --git a/internal/databroker/config_source_test.go b/internal/databroker/config_source_test.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/pomerium/pomerium/config"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
@@ -38,7 +39,7 @@ func TestConfigSource(t *testing.T) {
 	base := config.NewDefaultOptions()
 	base.DataBrokerURLString = "http://" + li.Addr().String()
 	base.InsecureServer = true
-	base.GRPCInsecure = true
+	base.GRPCInsecure = proto.Bool(true)
 	base.Policies = append(base.Policies, config.Policy{
 		From: "https://pomerium.io", To: config.WeightedURLs{
 			{URL: *u},