core/config: disable gRPC ingress when address is the empty string (#5058)

* core/config: disable gRPC ingress when address is the empty string

* add test

* typo

config/envoyconfig/listeners.go

@@ -54,7 +54,7 @@ func (b *Builder) BuildListeners(
 
 	var listeners []*envoy_config_listener_v3.Listener
 
-	if config.IsAuthenticate(cfg.Options.Services) || config.IsProxy(cfg.Options.Services) {
+	if shouldStartMainListener(cfg.Options) {
 		li, err := b.buildMainListener(ctx, cfg, fullyStatic)
 		if err != nil {
 			return nil, err
@@ -62,7 +62,7 @@ func (b *Builder) BuildListeners(
 		listeners = append(listeners, li)
 	}
 
-	if config.IsAuthorize(cfg.Options.Services) || config.IsDataBroker(cfg.Options.Services) {
+	if shouldStartGRPCListener(cfg.Options) {
 		li, err := b.buildGRPCListener(ctx, cfg)
 		if err != nil {
 			return nil, err
@@ -678,3 +678,15 @@ func newEnvoyListener(name string) *envoy_config_listener_v3.Listener {
 		PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 	}
 }
+
+func shouldStartMainListener(options *config.Options) bool {
+	return config.IsAuthenticate(options.Services) || config.IsProxy(options.Services)
+}
+
+func shouldStartGRPCListener(options *config.Options) bool {
+	if options.GetGRPCAddr() == "" {
+		return false
+	}
+
+	return config.IsAuthorize(options.Services) || config.IsDataBroker(options.Services)
+}

config/envoyconfig/listeners_test.go

@@ -39,6 +39,42 @@ func testData(t *testing.T, name string, data interface{}) string {
 	return buf.String()
 }
 
+func TestBuildListeners(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	cfg := &config.Config{
+		Options: config.NewDefaultOptions(),
+
+		GRPCPort:     "10001",
+		HTTPPort:     "10002",
+		OutboundPort: "10003",
+		MetricsPort:  "10004",
+	}
+	b := New("local-grpc", "local-http", "local-metrics", filemgr.NewManager(), nil)
+	t.Run("enable grpc by default", func(t *testing.T) {
+		cfg := cfg.Clone()
+		lis, err := b.BuildListeners(ctx, cfg, false)
+		assert.NoError(t, err)
+		var hasGRPC bool
+		for _, li := range lis {
+			hasGRPC = hasGRPC || li.Name == "grpc-ingress"
+		}
+		assert.True(t, hasGRPC, "expected grpc-ingress to be enabled by default")
+	})
+	t.Run("disable grpc for empty string", func(t *testing.T) {
+		cfg := cfg.Clone()
+		cfg.Options.GRPCAddr = ""
+		lis, err := b.BuildListeners(ctx, cfg, false)
+		assert.NoError(t, err)
+		var hasGRPC bool
+		for _, li := range lis {
+			hasGRPC = hasGRPC || li.Name == "grpc-ingress"
+		}
+		assert.False(t, hasGRPC, "expected grpc-ingress to be disabled when grpc address is set to the empty string")
+	})
+}
+
 func Test_buildMetricsHTTPConnectionManagerFilter(t *testing.T) {
 	cacheDir, _ := os.UserCacheDir()
 	certFileName := filepath.Join(cacheDir, "pomerium", "envoy", "files", "tls-crt-32375a484d4f49594c4d374830.pem")

internal/databroker/config_source.go

@@ -272,15 +272,8 @@ func (src *ConfigSource) runUpdater(cfg *config.Config) {
 	}, databroker.WithTypeURL(grpcutil.GetTypeURL(new(configpb.Config))),
 		databroker.WithFastForward())
 	go func() {
-		var databrokerURLs []string
-		urls, _ := cfg.Options.GetDataBrokerURLs()
-		for _, url := range urls {
-			databrokerURLs = append(databrokerURLs, url.String())
-		}
-
 		log.Debug(ctx).
 			Str("outbound_port", cfg.OutboundPort).
-			Strs("databroker_urls", databrokerURLs).
 			Msg("config: starting databroker config source syncer")
 		_ = grpc.WaitForReady(ctx, cc, time.Second*10)
 		_ = syncer.Run(ctx)