mTLS: allow gRPC TLS for all in one (#3854)

* make grpc_insecure an optional bool * use internal addresses for all in one databroker and tls
2025-08-04 01:09:36 +02:00 · 2023-01-03 12:45:04 -05:00 · 2023-01-03 12:45:04 -05:00 · e019885218
commit e019885218
parent 618b821783
4 changed files with 26 additions and 15 deletions
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -25,10 +25,10 @@ import (

 // BuildClusters builds envoy clusters from the given config.
 func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*envoy_config_cluster_v3.Cluster, error) {
-	grpcURL := &url.URL{
+	grpcURLs := []*url.URL{{
 		Scheme: "http",
 		Host:   b.localGRPCAddress,
-	}
+	}}
 	httpURL := &url.URL{
 		Scheme: "http",
 		Host:   b.localHTTPAddress,
@ -37,16 +37,21 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 		Scheme: "http",
 		Host:   b.localMetricsAddress,
 	}
-	authorizeURLs, err := cfg.Options.GetInternalAuthorizeURLs()
-	if err != nil {
-		return nil, err
-	}
-	databrokerURLs, err := cfg.Options.GetDataBrokerURLs()
-	if err != nil {
-		return nil, err
+
+	authorizeURLs, databrokerURLs := grpcURLs, grpcURLs
+	if !config.IsAll(cfg.Options.Services) {
+		var err error
+		authorizeURLs, err = cfg.Options.GetInternalAuthorizeURLs()
+		if err != nil {
+			return nil, err
+		}
+		databrokerURLs, err = cfg.Options.GetDataBrokerURLs()
+		if err != nil {
+			return nil, err
+		}
 	}

-	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", []*url.URL{grpcURL}, upstreamProtocolHTTP2)
+	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2)
 	if err != nil {
 		return nil, err
 	}