agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287)

Currently the gRPC server assumes that if you have configured TLS
certs on the agent (for RPC) that you want gRPC to be encrypted.
If gRPC is bound to localhost this can be overkill. For the API we
let the user choose to offer HTTP or HTTPS API endpoints
independently of the TLS cert configuration for a similar reason.

This setting will let someone encrypt RPC traffic with TLS but avoid
encrypting local gRPC traffic if that is what they want to do by only
enabling TLS on gRPC if the HTTPS API port is enabled.
This commit is contained in:
R.B. Boyer 2019-02-13 11:49:54 -06:00 committed by GitHub
parent f2ed3a3777
commit de0f585583
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions

View File

@ -525,7 +525,13 @@ func (a *Agent) listenAndServeGRPC() error {
a.xdsServer.Initialize()
var err error
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
if a.config.HTTPSPort > 0 {
// gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
// enabled then gRPC will require HTTPS as well.
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
} else {
a.grpcServer, err = a.xdsServer.GRPCServer("", "")
}
if err != nil {
return err
}