Unify TLS configuration for all grpc services

All grpc service (whether they're based on reva) or go-micro use the
same set of config vars now.

TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED,
OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables.

TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE
and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables.

There are no individual per service config vars currently. If really
needed, per service tls configurations can be specified via config file.

ocis-pkg/config/config.go

@@ -56,11 +56,11 @@ type Runtime struct {
 type Config struct {
  *shared.Commons `yaml:"shared"`
 
- Tracing  *shared.Tracing  `yaml:"tracing"`
- Log  *shared.Log  `yaml:"log"`
- CacheStore  *shared.CacheStore  `yaml:"cache_store"`
- MicroGRPCClient *shared.MicroGRPCClient `yaml:"micro_grpc_client"`
- MicroGRPCService *shared.MicroGRPCService `yaml:"micro_grpc_service"`
+ Tracing *shared.Tracing `yaml:"tracing"`
+ Log *shared.Log `yaml:"log"`
+ CacheStore *shared.CacheStore `yaml:"cache_store"`
+ GRPCClientTLS *shared.GRPCClientTLS `yaml:"grpc_client_tls"`
+ GRPCServiceTLS *shared.GRPCServiceTLS `yaml:"grpc_service_tls"`
 
  Mode Mode // DEPRECATED
  File string

ocis-pkg/config/parser/parse.go

@@ -51,11 +51,11 @@ func EnsureDefaults(cfg *config.Config) {
  if cfg.CacheStore == nil {
  cfg.CacheStore = &shared.CacheStore{}
  }
- if cfg.MicroGRPCClient == nil {
- cfg.MicroGRPCClient = &shared.MicroGRPCClient{}
+ if cfg.GRPCClientTLS == nil {
+ cfg.GRPCClientTLS = &shared.GRPCClientTLS{}
  }
- if cfg.MicroGRPCService == nil {
- cfg.MicroGRPCService = &shared.MicroGRPCService{}
+ if cfg.GRPCServiceTLS == nil {
+ cfg.GRPCServiceTLS = &shared.GRPCServiceTLS{}
  }
 
 }
@@ -101,12 +101,12 @@ func EnsureCommons(cfg *config.Config) {
  cfg.Commons.CacheStore = &shared.CacheStore{}
  }
 
- if cfg.MicroGRPCClient != nil {
- cfg.Commons.MicroGRPCClient = cfg.MicroGRPCClient
+ if cfg.GRPCClientTLS != nil {
+ cfg.Commons.GRPCClientTLS = cfg.GRPCClientTLS
  }
 
- if cfg.MicroGRPCService != nil {
- cfg.Commons.MicroGRPCService = cfg.MicroGRPCService
+ if cfg.GRPCServiceTLS != nil {
+ cfg.Commons.GRPCServiceTLS = cfg.GRPCServiceTLS
  }
 
  // copy token manager to the commons part if set

ocis-pkg/service/grpc/client.go

@@ -92,10 +92,10 @@ func DefaultClient() client.Client {
  return defaultClient
 }
 
-func GetClientOptions(mc *shared.MicroGRPCClient) []ClientOption {
+func GetClientOptions(t *shared.GRPCClientTLS) []ClientOption {
  opts := []ClientOption{
- WithTLSMode(mc.TLSMode),
- WithTLSCACert(mc.TLSCACert),
+ WithTLSMode(t.Mode),
+ WithTLSCACert(t.CACert),
  }
  return opts
 }

ocis-pkg/shared/reva.go

@@ -13,7 +13,7 @@ func DefaultRevaConfig() *Reva {
 }
 
 func (r *Reva) GetRevaOptions() []pool.Option {
- tm, _ := pool.StringToTLSMode(r.TLSMode)
+ tm, _ := pool.StringToTLSMode(r.TLS.Mode)
  opts := []pool.Option{
  pool.WithTLSMode(tm),
  }
@@ -22,7 +22,7 @@ func (r *Reva) GetRevaOptions() []pool.Option {
 
 func (r *Reva) GetGRPCClientConfig() map[string]interface{} {
  return map[string]interface{}{
- "tls_mode": r.TLSMode,
- "tls_cacert": r.TLSCACert,
+ "tls_mode": r.TLS.Mode,
+ "tls_cacert": r.TLS.CACert,
  }
 }

ocis-pkg/shared/shared_types.go

@@ -31,20 +31,19 @@ type TokenManager struct {
 
 // Reva defines all available REVA client configuration.
 type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
- TLSMode string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
- TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."`
+ Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+ TLS GRPCClientTLS `yaml:"tls"`
 }
 
-type MicroGRPCClient struct {
- TLSMode string `yaml:"tls_mode" env:"OCIS_MICRO_GRPC_CLIENT_TLS_MODE" desc:"TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
- TLSCACert string `yaml:"tls_cacert env:"OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" desc:"The root CA certificate used to validate TLS server certificates of the go-micro based grpc services."`
+type GRPCClientTLS struct {
+ Mode string `yaml:"mode" env:"OCIS_GRPC_CLIENT_TLS_MODE" desc:"TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
+ CACert string `yaml:"cacert env:"OCIS_GRPC_CLIENT_TLS_CACERT" desc:"The root CA certificate used to validate TLS server certificates of the go-micro based grpc services."`
 }
 
-type MicroGRPCService struct {
- TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_MICRO_GRPC_TLS_ENABLED"`
- TLSCert string `yaml:"tls_cert" env:"OCIS_MICRO_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the go-micro based grpc services."`
- TLSKey string `yaml:"tls_key" env:"OCIS_MICRO_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the go-micro based grpc services."`
+type GRPCServiceTLS struct {
+ Enabled bool `yaml:"enabled" env:"OCIS_GRPC_TLS_ENABLED" desc:"Activates TLS for the grpcs based services using the server certifcate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure."`
+ Cert string `yaml:"cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the grpc services."`
+ Key string `yaml:"key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services."`
 }
 
 type CacheStore struct {
@@ -56,17 +55,17 @@ type CacheStore struct {
 // Commons holds configuration that are common to all extensions. Each extension can then decide whether
 // to overwrite its values.
 type Commons struct {
- Log *Log  `yaml:"log"`
- Tracing *Tracing  `yaml:"tracing"`
- CacheStore *CacheStore  `yaml:"cache_store"`
- MicroGRPCClient *MicroGRPCClient `yaml:"micro_grpc_client"`
- MicroGRPCService *MicroGRPCService `yaml:"micro_grpc_service"`
- OcisURL string  `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users."`
- TokenManager *TokenManager  `mask:"struct" yaml:"token_manager"`
- Reva *Reva  `yaml:"reva"`
- MachineAuthAPIKey string  `mask:"password" yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."`
- TransferSecret string  `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
- SystemUserID string  `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID" desc:"ID of the oCIS storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format."`
- SystemUserAPIKey string  `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"`
- AdminUserID string  `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges."`
+ Log *Log `yaml:"log"`
+ Tracing *Tracing `yaml:"tracing"`
+ CacheStore *CacheStore `yaml:"cache_store"`
+ GRPCClientTLS  *GRPCClientTLS `yaml:"grpc_client_tls"`
+ GRPCServiceTLS *GRPCServiceTLS `yaml:"grpc_service_tls"`
+ OcisURL string `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users."`
+ TokenManager *TokenManager `mask:"struct" yaml:"token_manager"`
+ Reva *Reva `yaml:"reva"`
+ MachineAuthAPIKey string `mask:"password" yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."`
+ TransferSecret string `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
+ SystemUserID string `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID" desc:"ID of the oCIS storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format."`
+ SystemUserAPIKey string `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"`
+ AdminUserID string `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges."`
 }

ocis/pkg/command/server.go

@@ -23,7 +23,7 @@ func Server(cfg *config.Config) *cli.Command {
  Action: func(c *cli.Context) error {
  // Prefer the in-memory registry as the default when running in single-binary mode
  registry.Configure("memory")
- err := grpc.Configure(grpc.GetClientOptions(cfg.MicroGRPCClient)...)
+ err := grpc.Configure(grpc.GetClientOptions(cfg.GRPCClientTLS)...)
  if err != nil {
  return err
  }

services/app-provider/pkg/config/config.go

@@ -52,12 +52,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
- TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
- TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+ Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLS *shared.GRPCServiceTLS `yaml:"tls"`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }
 
 type Drivers struct {

services/app-provider/pkg/config/defaults/defaultconfig.go

@@ -65,9 +65,8 @@ func EnsureDefaults(cfg *config.Config) {
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
  cfg.Reva = &shared.Reva{
- Address: cfg.Commons.Reva.Address,
- TLSMode: cfg.Commons.Reva.TLSMode,
- TLSCACert: cfg.Commons.Reva.TLSCACert,
+ Address: cfg.Commons.Reva.Address,
+ TLS: cfg.Commons.Reva.TLS,
  }
  } else if cfg.Reva == nil {
  cfg.Reva = &shared.Reva{}
@@ -80,6 +79,15 @@ func EnsureDefaults(cfg *config.Config) {
  } else if cfg.TokenManager == nil {
  cfg.TokenManager = &config.TokenManager{}
  }
+
+ if cfg.GRPC.TLS == nil {
+ cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+ if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+ cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+ cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+ cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+ }
+ }
 }
 
 func Sanitize(cfg *config.Config) {

services/app-provider/pkg/revaconfig/config.go

@@ -23,9 +23,9 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
  "tls_settings": map[string]interface{}{
- "enabled": cfg.GRPC.TLSEnabled,
- "certificate": cfg.GRPC.TLSCert,
- "key": cfg.GRPC.TLSKey,
+ "enabled": cfg.GRPC.TLS.Enabled,
+ "certificate": cfg.GRPC.TLS.Cert,
+ "key": cfg.GRPC.TLS.Key,
  },
  "services": map[string]interface{}{
  "appprovider": map[string]interface{}{

services/app-registry/pkg/config/config.go

@@ -50,12 +50,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
- TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
- TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLS *shared.GRPCServiceTLS `yaml:"tls"`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AppRegistry struct {

services/app-registry/pkg/config/defaults/defaultconfig.go

@@ -130,9 +130,8 @@ func EnsureDefaults(cfg *config.Config) {
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
  cfg.Reva = &shared.Reva{
- Address: cfg.Commons.Reva.Address,
- TLSMode: cfg.Commons.Reva.TLSMode,
- TLSCACert: cfg.Commons.Reva.TLSCACert,
+ Address: cfg.Commons.Reva.Address,
+ TLS: cfg.Commons.Reva.TLS,
  }
  } else if cfg.Reva == nil {
  cfg.Reva = &shared.Reva{}
@@ -146,6 +145,14 @@ func EnsureDefaults(cfg *config.Config) {
  cfg.TokenManager = &config.TokenManager{}
  }
 
+ if cfg.GRPC.TLS == nil {
+ cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+ if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+ cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+ cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+ cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+ }
+ }
 }
 
 // Sanitize the config

services/app-registry/pkg/revaconfig/config.go

@@ -25,9 +25,9 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
  "tls_settings": map[string]interface{}{
- "enabled": cfg.GRPC.TLSEnabled,
- "certificate": cfg.GRPC.TLSCert,
- "key": cfg.GRPC.TLSKey,
+ "enabled": cfg.GRPC.TLS.Enabled,
+ "certificate": cfg.GRPC.TLS.Cert,
+ "key": cfg.GRPC.TLS.Key,
  },
  "services": map[string]interface{}{
  "appregistry": map[string]interface{}{

services/auth-basic/pkg/config/config.go

@@ -51,12 +51,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
- TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
- TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLS *shared.GRPCServiceTLS `yaml:"tls"`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AuthProviders struct {

services/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -104,9 +104,8 @@ func EnsureDefaults(cfg *config.Config) {
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
  cfg.Reva = &shared.Reva{
- Address: cfg.Commons.Reva.Address,
- TLSMode: cfg.Commons.Reva.TLSMode,
- TLSCACert: cfg.Commons.Reva.TLSCACert,
+ Address: cfg.Commons.Reva.Address,
+ TLS: cfg.Commons.Reva.TLS,
  }
  } else if cfg.Reva == nil {
  cfg.Reva = &shared.Reva{}
@@ -120,6 +119,14 @@ func EnsureDefaults(cfg *config.Config) {
  cfg.TokenManager = &config.TokenManager{}
  }
 
+ if cfg.GRPC.TLS == nil {
+ cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+ if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+ cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+ cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+ cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+ }
+ }
 }
 
 func Sanitize(cfg *config.Config) {

services/auth-basic/pkg/revaconfig/config.go

@@ -21,9 +21,9 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
  "tls_settings": map[string]interface{}{
- "enabled": cfg.GRPC.TLSEnabled,
- "certificate": cfg.GRPC.TLSCert,
- "key": cfg.GRPC.TLSKey,
+ "enabled": cfg.GRPC.TLS.Enabled,
+ "certificate": cfg.GRPC.TLS.Cert,
+ "key": cfg.GRPC.TLS.Key,
  },
  // TODO build services dynamically
  "services": map[string]interface{}{

services/auth-bearer/pkg/config/config.go

@@ -51,12 +51,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
- TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
- TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLS *shared.GRPCServiceTLS `yaml:"tls"`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type OIDC struct {

services/auth-bearer/pkg/config/defaults/defaultconfig.go

@@ -63,9 +63,8 @@ func EnsureDefaults(cfg *config.Config) {
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
  cfg.Reva = &shared.Reva{
- Address: cfg.Commons.Reva.Address,
- TLSMode: cfg.Commons.Reva.TLSMode,
- TLSCACert: cfg.Commons.Reva.TLSCACert,
+ Address: cfg.Commons.Reva.Address,
+ TLS: cfg.Commons.Reva.TLS,
  }
  } else if cfg.Reva == nil {
  cfg.Reva = &shared.Reva{}
@@ -78,6 +77,15 @@ func EnsureDefaults(cfg *config.Config) {
  } else if cfg.TokenManager == nil {
  cfg.TokenManager = &config.TokenManager{}
  }
+
+ if cfg.GRPC.TLS == nil {
+ cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+ if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+ cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+ cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+ cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+ }
+ }
 }
 
 func Sanitize(cfg *config.Config) {

services/auth-bearer/pkg/revaconfig/config.go

@@ -21,9 +21,9 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} {
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
  "tls_settings": map[string]interface{}{
- "enabled": cfg.GRPC.TLSEnabled,
- "certificate": cfg.GRPC.TLSCert,
- "key": cfg.GRPC.TLSKey,
+ "enabled": cfg.GRPC.TLS.Enabled,
+ "certificate": cfg.GRPC.TLS.Cert,
+ "key": cfg.GRPC.TLS.Key,
  },
  "services": map[string]interface{}{
  "authprovider": map[string]interface{}{