cryptutil: add automatic certificate management (#644)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-07-30 06:51:30 +02:00 · 2020-05-05 12:50:19 -07:00 · 2020-05-05 12:50:19 -07:00 · bf9a6f5e97
commit bf9a6f5e97
parent 1dc1c870c3
29 changed files with 696 additions and 253 deletions
--- a/internal/grpc/server.go
+++ b/internal/grpc/server.go
@ -2,6 +2,7 @@ package grpc

 import (
 	"crypto/tls"
+	"errors"
 	"net"
 	"os"
 	"os/signal"
@ -33,17 +34,21 @@ func NewServer(opt *ServerOptions, registrationFn func(s *grpc.Server), wg *sync
 		grpc.KeepaliveParams(opt.KeepaliveParams),
 	}

-	if opt.TLSCertificate != nil {
-		log.Debug().Str("addr", opt.Addr).Msg("internal/grpc: serving over TLS")
-		cert := credentials.NewServerTLSFromCert(opt.TLSCertificate)
+	if len(opt.TLSCertificate) == 1 {
+		cert := credentials.NewServerTLSFromCert(&opt.TLSCertificate[0])
 		grpcOpts = append(grpcOpts, grpc.Creds(cert))
-	} else {
-		log.Warn().Str("addr", opt.Addr).Msg("internal/grpc: serving without TLS")
+	} else if !opt.InsecureServer {
+		return nil, errors.New("internal/grpc: unexpected number of certificates")
 	}

 	srv := grpc.NewServer(grpcOpts...)
 	registrationFn(srv)
-	log.Info().Interface("grpc-service-info", srv.GetServiceInfo()).Msg("internal/grpc: registered")
+	log.Info().
+		Str("addr", opt.Addr).
+		Bool("insecure", opt.InsecureServer).
+		Str("service", opt.ServiceName).
+		Interface("grpc-service-info", srv.GetServiceInfo()).
+		Msg("internal/grpc: registered")

 	wg.Add(1)
 	go func() {
@ -63,7 +68,7 @@ type ServerOptions struct {
 	Addr string

 	// TLS certificates to use, if any.
-	TLSCertificate *tls.Certificate
+	TLSCertificate []tls.Certificate

 	// InsecureServer when enabled disables all transport security.
 	// In this mode, Pomerium is susceptible to man-in-the-middle attacks.