mTLS: allow gRPC TLS for all in one (#3854)

* make grpc_insecure an optional bool * use internal addresses for all in one databroker and tls
2025-08-06 10:21:05 +02:00 · 2023-01-03 12:45:04 -05:00 · 2023-01-03 12:45:04 -05:00 · e019885218
commit e019885218
parent 618b821783
4 changed files with 26 additions and 15 deletions
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -25,10 +25,10 @@ import (

 // BuildClusters builds envoy clusters from the given config.
 func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*envoy_config_cluster_v3.Cluster, error) {
-	grpcURL := &url.URL{
+	grpcURLs := []*url.URL{{
 		Scheme: "http",
 		Host:   b.localGRPCAddress,
-	}
+	}}
 	httpURL := &url.URL{
 		Scheme: "http",
 		Host:   b.localHTTPAddress,
@ -37,16 +37,21 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 		Scheme: "http",
 		Host:   b.localMetricsAddress,
 	}
-	authorizeURLs, err := cfg.Options.GetInternalAuthorizeURLs()
+
+	authorizeURLs, databrokerURLs := grpcURLs, grpcURLs
+	if !config.IsAll(cfg.Options.Services) {
+		var err error
+		authorizeURLs, err = cfg.Options.GetInternalAuthorizeURLs()
 		if err != nil {
 			return nil, err
 		}
-	databrokerURLs, err := cfg.Options.GetDataBrokerURLs()
+		databrokerURLs, err = cfg.Options.GetDataBrokerURLs()
 		if err != nil {
 			return nil, err
 		}
+	}

-	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", []*url.URL{grpcURL}, upstreamProtocolHTTP2)
+	controlGRPC, err := b.buildInternalCluster(ctx, cfg.Options, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2)
 	if err != nil {
 		return nil, err
 	}
--- a/config/options.go
+++ b/config/options.go
@ -18,6 +18,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/spf13/viper"
 	"github.com/volatiletech/null/v9"
+	"google.golang.org/protobuf/proto"

 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/hashutil"
@ -217,7 +218,7 @@ type Options struct {

 	// GRPCInsecure disables transport security.
 	// If running in all-in-one mode, defaults to true.
-	GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
+	GRPCInsecure *bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`

 	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
 	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
@ -819,10 +820,13 @@ func (o *Options) GetGRPCAddr() string {

 // GetGRPCInsecure gets whether or not gRPC is insecure.
 func (o *Options) GetGRPCInsecure() bool {
+	if o.GRPCInsecure != nil {
+		return *o.GRPCInsecure
+	}
 	if IsAll(o.Services) {
 		return true
 	}
-	return o.GRPCInsecure
+	return false
 }

 // GetSignOutRedirectURL gets the SignOutRedirectURL.
@ -1457,7 +1461,7 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
 		o.GRPCAddr = settings.GetGrpcAddress()
 	}
 	if settings.GrpcInsecure != nil {
-		o.GRPCInsecure = settings.GetGrpcInsecure()
+		o.GRPCInsecure = proto.Bool(settings.GetGrpcInsecure())
 	}
 	if len(settings.DatabrokerServiceUrls) > 0 {
 		o.DataBrokerURLStrings = settings.GetDatabrokerServiceUrls()
--- a/internal/controlplane/events_test.go
+++ b/internal/controlplane/events_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/proto"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
@ -80,7 +81,7 @@ func TestEvents(t *testing.T) {
 						Options: &config.Options{
 							SharedKey:           cryptutil.NewBase64Key(),
 							DataBrokerURLString: "http://" + li.Addr().String(),
-							GRPCInsecure:        true,
+							GRPCInsecure:        proto.Bool(true),
 						},
 					},
 				}),
--- a/internal/databroker/config_source_test.go
+++ b/internal/databroker/config_source_test.go
@ -9,6 +9,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/proto"

 	"github.com/pomerium/pomerium/config"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
@ -38,7 +39,7 @@ func TestConfigSource(t *testing.T) {
 	base := config.NewDefaultOptions()
 	base.DataBrokerURLString = "http://" + li.Addr().String()
 	base.InsecureServer = true
-	base.GRPCInsecure = true
+	base.GRPCInsecure = proto.Bool(true)
 	base.Policies = append(base.Policies, config.Policy{
 		From: "https://pomerium.io", To: config.WeightedURLs{
 			{URL: *u},