mTLS: allow gRPC TLS for all in one (#3854)
* make grpc_insecure an optional bool
* use internal addresses for the all-in-one databroker and TLS
This commit is contained in:
parent
618b821783
commit
e019885218
4 changed files with 26 additions and 15 deletions
|
@ -25,10 +25,10 @@ import (
|
||||||
|
|
||||||
// BuildClusters builds envoy clusters from the given config.
|
// BuildClusters builds envoy clusters from the given config.
|
||||||
func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*envoy_config_cluster_v3.Cluster, error) {
|
func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*envoy_config_cluster_v3.Cluster, error) {
|
||||||
grpcURL := &url.URL{
|
grpcURLs := []*url.URL{{
|
||||||
Scheme: "http",
|
Scheme: "http",
|
||||||
Host: b.localGRPCAddress,
|
Host: b.localGRPCAddress,
|
||||||
}
|
}}
|
||||||
httpURL := &url.URL{
|
httpURL := &url.URL{
|
||||||
Scheme: "http",
|
Scheme: "http",
|
||||||
Host: b.localHTTPAddress,
|
Host: b.localHTTPAddress,
|
||||||
|
@ -37,16 +37,21 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
|
||||||
Scheme: "http",
|
Scheme: "http",
|
||||||
Host: b.localMetricsAddress,
|
Host: b.localMetricsAddress,
|
||||||
}
|
}
|
||||||
authorizeURLs, err := cfg.Options.GetInternalAuthorizeURLs()
|
|
||||||
|
authorizeURLs, databrokerURLs := grpcURLs, grpcURLs
|
||||||
|
if !config.IsAll(cfg.Options.Services) {
|
||||||
|
var err error
|
||||||
|
authorizeURLs, err = cfg.Options.GetInternalAuthorizeURLs()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
databrokerURLs, err := cfg.Options.GetDataBrokerURLs()
|
databrokerURLs, err = cfg.Options.GetDataBrokerURLs()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", []*url.URL{grpcURL}, upstreamProtocolHTTP2)
|
controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
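Review bot: In the all-in-one path of the new `if !config.IsAll(cfg.Options.Services)` block, any explicitly configured authorize or databroker service URL is now ignored without a comment or log line, and the fallback `authorizeURLs, databrokerURLs := grpcURLs, grpcURLs` keeps `Scheme: "http"` regardless of what GetGRPCInsecure() returns. If buildInternalCluster derives transport security from the URL scheme — not visible from this hunk — the Envoy-to-local-gRPC hop for authorize and databroker stays plaintext even when an operator sets grpc_insecure: false, which the commit title suggests should enable TLS; worth confirming against buildInternalCluster and either choosing the scheme from the setting or stating in a comment that the scheme is deliberate. I would add above the fallback `// all-in-one: authorize and databroker are served in-process, so route Envoy to the local gRPC listener and ignore any configured service URLs`. BuildClusters continues past the end of this hunk.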
@ -18,6 +18,7 @@ import (
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/spf13/viper"
|
"github.com/spf13/viper"
|
||||||
"github.com/volatiletech/null/v9"
|
"github.com/volatiletech/null/v9"
|
||||||
|
"google.golang.org/protobuf/proto"
|
||||||
|
|
||||||
"github.com/pomerium/pomerium/internal/atomicutil"
|
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||||
"github.com/pomerium/pomerium/internal/hashutil"
|
"github.com/pomerium/pomerium/internal/hashutil"
|
||||||
|
@ -217,7 +218,7 @@ type Options struct {
|
||||||
|
|
||||||
// GRPCInsecure disables transport security.
|
// GRPCInsecure disables transport security.
|
||||||
// If running in all-in-one mode, defaults to true.
|
// If running in all-in-one mode, defaults to true.
|
||||||
GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
|
GRPCInsecure *bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
|
||||||
|
|
||||||
GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
|
GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
|
||||||
GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
|
GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
|
||||||
|
@ -819,10 +820,13 @@ func (o *Options) GetGRPCAddr() string {
|
||||||
|
|
||||||
// GetGRPCInsecure gets whether or not gRPC is insecure.
|
// GetGRPCInsecure gets whether or not gRPC is insecure.
|
||||||
func (o *Options) GetGRPCInsecure() bool {
|
func (o *Options) GetGRPCInsecure() bool {
|
||||||
|
if o.GRPCInsecure != nil {
|
||||||
|
return *o.GRPCInsecure
|
||||||
|
}
|
||||||
if IsAll(o.Services) {
|
if IsAll(o.Services) {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
return o.GRPCInsecure
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetSignOutRedirectURL gets the SignOutRedirectURL.
|
// GetSignOutRedirectURL gets the SignOutRedirectURL.
|
||||||
|
@ -1457,7 +1461,7 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
|
||||||
o.GRPCAddr = settings.GetGrpcAddress()
|
o.GRPCAddr = settings.GetGrpcAddress()
|
||||||
}
|
}
|
||||||
if settings.GrpcInsecure != nil {
|
if settings.GrpcInsecure != nil {
|
||||||
o.GRPCInsecure = settings.GetGrpcInsecure()
|
o.GRPCInsecure = proto.Bool(settings.GetGrpcInsecure())
|
||||||
}
|
}
|
||||||
if len(settings.DatabrokerServiceUrls) > 0 {
|
if len(settings.DatabrokerServiceUrls) > 0 {
|
||||||
o.DataBrokerURLStrings = settings.GetDatabrokerServiceUrls()
|
o.DataBrokerURLStrings = settings.GetDatabrokerServiceUrls()
|
||||||
|
|
|
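Review bot: The field comment on GRPCInsecure (the unchanged lines `// GRPCInsecure disables transport security.` and `// If running in all-in-one mode, defaults to true.`) no longer describes the type: the field is now a tri-state `*bool`, and the GetGRPCInsecure hunk makes nil mean "unset, resolved by service mode" while an explicit false in all-in-one mode is the new way to keep TLS on internal gRPC. I would extend that comment with `// nil means unset: GetGRPCInsecure resolves it to true in all-in-one mode and false otherwise; set it to false explicitly to require TLS in all-in-one mode.` and have the GetGRPCInsecure doc comment state the same resolution rule, since any code reading the field directly instead of the getter now needs a nil check. The plaintext default for all-in-one mode is preserved, so TLS remains opt-in for existing deployments and that is worth saying in the comment. The ApplySettings hunk (`o.GRPCInsecure = proto.Bool(settings.GetGrpcInsecure())`) only assigns when the setting is present, which matches the surrounding fields.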
@ -10,6 +10,7 @@ import (
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"golang.org/x/sync/errgroup"
|
"golang.org/x/sync/errgroup"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/protobuf/proto"
|
||||||
|
|
||||||
"github.com/pomerium/pomerium/config"
|
"github.com/pomerium/pomerium/config"
|
||||||
"github.com/pomerium/pomerium/internal/atomicutil"
|
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||||
|
@ -80,7 +81,7 @@ func TestEvents(t *testing.T) {
|
||||||
Options: &config.Options{
|
Options: &config.Options{
|
||||||
SharedKey: cryptutil.NewBase64Key(),
|
SharedKey: cryptutil.NewBase64Key(),
|
||||||
DataBrokerURLString: "http://" + li.Addr().String(),
|
DataBrokerURLString: "http://" + li.Addr().String(),
|
||||||
GRPCInsecure: true,
|
GRPCInsecure: proto.Bool(true),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}),
|
}),
|
||||||
|
|
|
@ -9,6 +9,7 @@ import (
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/protobuf/proto"
|
||||||
|
|
||||||
"github.com/pomerium/pomerium/config"
|
"github.com/pomerium/pomerium/config"
|
||||||
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
|
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
|
||||||
|
@ -38,7 +39,7 @@ func TestConfigSource(t *testing.T) {
|
||||||
base := config.NewDefaultOptions()
|
base := config.NewDefaultOptions()
|
||||||
base.DataBrokerURLString = "http://" + li.Addr().String()
|
base.DataBrokerURLString = "http://" + li.Addr().String()
|
||||||
base.InsecureServer = true
|
base.InsecureServer = true
|
||||||
base.GRPCInsecure = true
|
base.GRPCInsecure = proto.Bool(true)
|
||||||
base.Policies = append(base.Policies, config.Policy{
|
base.Policies = append(base.Policies, config.Policy{
|
||||||
From: "https://pomerium.io", To: config.WeightedURLs{
|
From: "https://pomerium.io", To: config.WeightedURLs{
|
||||||
{URL: *u},
|
{URL: *u},
|
||||||
|
|