Unify TLS configuration for all grpc services

All grpc service (whether they're based on reva) or go-micro use the
same set of config vars now.

TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED,
OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables.

TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE
and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables.

There are no individual per service config vars currently. If really
needed, per service tls configurations can be specified via config file.

ocis-pkg/config/config.go

@@ -56,11 +56,11 @@ type Runtime struct {
 type Config struct {
 	*shared.Commons `yaml:"shared"`
 
-	Tracing          *shared.Tracing          `yaml:"tracing"`
-	Log              *shared.Log              `yaml:"log"`
-	CacheStore       *shared.CacheStore       `yaml:"cache_store"`
-	MicroGRPCClient  *shared.MicroGRPCClient  `yaml:"micro_grpc_client"`
-	MicroGRPCService *shared.MicroGRPCService `yaml:"micro_grpc_service"`
+	Tracing        *shared.Tracing        `yaml:"tracing"`
+	Log            *shared.Log            `yaml:"log"`
+	CacheStore     *shared.CacheStore     `yaml:"cache_store"`
+	GRPCClientTLS  *shared.GRPCClientTLS  `yaml:"grpc_client_tls"`
+	GRPCServiceTLS *shared.GRPCServiceTLS `yaml:"grpc_service_tls"`
 
 	Mode    Mode // DEPRECATED
 	File    string

ocis-pkg/config/parser/parse.go

@@ -51,11 +51,11 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.CacheStore == nil {
 		cfg.CacheStore = &shared.CacheStore{}
 	}
-	if cfg.MicroGRPCClient == nil {
-		cfg.MicroGRPCClient = &shared.MicroGRPCClient{}
+	if cfg.GRPCClientTLS == nil {
+		cfg.GRPCClientTLS = &shared.GRPCClientTLS{}
 	}
-	if cfg.MicroGRPCService == nil {
-		cfg.MicroGRPCService = &shared.MicroGRPCService{}
+	if cfg.GRPCServiceTLS == nil {
+		cfg.GRPCServiceTLS = &shared.GRPCServiceTLS{}
 	}
 
 }
@@ -101,12 +101,12 @@ func EnsureCommons(cfg *config.Config) {
 		cfg.Commons.CacheStore = &shared.CacheStore{}
 	}
 
-	if cfg.MicroGRPCClient != nil {
-		cfg.Commons.MicroGRPCClient = cfg.MicroGRPCClient
+	if cfg.GRPCClientTLS != nil {
+		cfg.Commons.GRPCClientTLS = cfg.GRPCClientTLS
 	}
 
-	if cfg.MicroGRPCService != nil {
-		cfg.Commons.MicroGRPCService = cfg.MicroGRPCService
+	if cfg.GRPCServiceTLS != nil {
+		cfg.Commons.GRPCServiceTLS = cfg.GRPCServiceTLS
 	}
 
 	// copy token manager to the commons part if set

ocis-pkg/service/grpc/client.go

@@ -92,10 +92,10 @@ func DefaultClient() client.Client {
 	return defaultClient
 }
 
-func GetClientOptions(mc *shared.MicroGRPCClient) []ClientOption {
+func GetClientOptions(t *shared.GRPCClientTLS) []ClientOption {
 	opts := []ClientOption{
-		WithTLSMode(mc.TLSMode),
-		WithTLSCACert(mc.TLSCACert),
+		WithTLSMode(t.Mode),
+		WithTLSCACert(t.CACert),
 	}
 	return opts
 }

ocis-pkg/shared/reva.go

@@ -13,7 +13,7 @@ func DefaultRevaConfig() *Reva {
 }
 
 func (r *Reva) GetRevaOptions() []pool.Option {
-	tm, _ := pool.StringToTLSMode(r.TLSMode)
+	tm, _ := pool.StringToTLSMode(r.TLS.Mode)
 	opts := []pool.Option{
 		pool.WithTLSMode(tm),
 	}
@@ -22,7 +22,7 @@ func (r *Reva) GetRevaOptions() []pool.Option {
 
 func (r *Reva) GetGRPCClientConfig() map[string]interface{} {
 	return map[string]interface{}{
-		"tls_mode":   r.TLSMode,
-		"tls_cacert": r.TLSCACert,
+		"tls_mode":   r.TLS.Mode,
+		"tls_cacert": r.TLS.CACert,
 	}
 }

ocis-pkg/shared/shared_types.go

@@ -31,20 +31,19 @@ type TokenManager struct {
 
 // Reva defines all available REVA client configuration.
 type Reva struct {
-	Address   string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
-	TLSMode   string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
-	TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."`
+	Address string        `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+	TLS     GRPCClientTLS `yaml:"tls"`
 }
 
-type MicroGRPCClient struct {
-	TLSMode   string `yaml:"tls_mode" env:"OCIS_MICRO_GRPC_CLIENT_TLS_MODE" desc:"TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
-	TLSCACert string `yaml:"tls_cacert env:"OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" desc:"The root CA certificate used to validate TLS server certificates of the go-micro based grpc services."`
+type GRPCClientTLS struct {
+	Mode   string `yaml:"mode" env:"OCIS_GRPC_CLIENT_TLS_MODE" desc:"TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
+	CACert string `yaml:"cacert env:"OCIS_GRPC_CLIENT_TLS_CACERT" desc:"The root CA certificate used to validate TLS server certificates of the go-micro based grpc services."`
 }
 
-type MicroGRPCService struct {
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_MICRO_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_MICRO_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the go-micro based grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_MICRO_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the go-micro based grpc services."`
+type GRPCServiceTLS struct {
+	Enabled bool   `yaml:"enabled" env:"OCIS_GRPC_TLS_ENABLED" desc:"Activates TLS for the grpcs based services using the server certifcate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set a temporary server certificate is generated (To be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure)."`
+	Cert    string `yaml:"cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the grpc services."`
+	Key     string `yaml:"key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services."`
 }
 
 type CacheStore struct {
@@ -56,17 +55,17 @@ type CacheStore struct {
 // Commons holds configuration that are common to all extensions. Each extension can then decide whether
 // to overwrite its values.
 type Commons struct {
-	Log               *Log              `yaml:"log"`
-	Tracing           *Tracing          `yaml:"tracing"`
-	CacheStore        *CacheStore       `yaml:"cache_store"`
-	MicroGRPCClient   *MicroGRPCClient  `yaml:"micro_grpc_client"`
-	MicroGRPCService  *MicroGRPCService `yaml:"micro_grpc_service"`
-	OcisURL           string            `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users."`
-	TokenManager      *TokenManager     `mask:"struct" yaml:"token_manager"`
-	Reva              *Reva             `yaml:"reva"`
-	MachineAuthAPIKey string            `mask:"password" yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."`
-	TransferSecret    string            `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
-	SystemUserID      string            `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID" desc:"ID of the oCIS storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format."`
-	SystemUserAPIKey  string            `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"`
-	AdminUserID       string            `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges."`
+	Log               *Log            `yaml:"log"`
+	Tracing           *Tracing        `yaml:"tracing"`
+	CacheStore        *CacheStore     `yaml:"cache_store"`
+	GRPCClientTLS     *GRPCClientTLS  `yaml:"grpc_client_tls"`
+	GRPCServiceTLS    *GRPCServiceTLS `yaml:"grpc_service_tls"`
+	OcisURL           string          `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users."`
+	TokenManager      *TokenManager   `mask:"struct" yaml:"token_manager"`
+	Reva              *Reva           `yaml:"reva"`
+	MachineAuthAPIKey string          `mask:"password" yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."`
+	TransferSecret    string          `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET"`
+	SystemUserID      string          `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID" desc:"ID of the oCIS storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format."`
+	SystemUserAPIKey  string          `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY"`
+	AdminUserID       string          `yaml:"admin_user_id" env:"OCIS_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges."`
 }

ocis/pkg/command/server.go

@@ -23,7 +23,7 @@ func Server(cfg *config.Config) *cli.Command {
 		Action: func(c *cli.Context) error {
 			// Prefer the in-memory registry as the default when running in single-binary mode
 			registry.Configure("memory")
-			err := grpc.Configure(grpc.GetClientOptions(cfg.MicroGRPCClient)...)
+			err := grpc.Configure(grpc.GetClientOptions(cfg.GRPCClientTLS)...)
 			if err != nil {
 				return err
 			}

services/app-provider/pkg/config/config.go

@@ -52,12 +52,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr       string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
-	Namespace  string `yaml:"-"`
-	Protocol   string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr      string                 `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLS       *shared.GRPCServiceTLS `yaml:"tls"`
+	Namespace string                 `yaml:"-"`
+	Protocol  string                 `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }
 
 type Drivers struct {

services/app-provider/pkg/config/defaults/defaultconfig.go

@@ -65,9 +65,8 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address:   cfg.Commons.Reva.Address,
-			TLSMode:   cfg.Commons.Reva.TLSMode,
-			TLSCACert: cfg.Commons.Reva.TLSCACert,
+			Address: cfg.Commons.Reva.Address,
+			TLS:     cfg.Commons.Reva.TLS,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
@@ -80,6 +79,15 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.TokenManager == nil {
 		cfg.TokenManager = &config.TokenManager{}
 	}
+
+	if cfg.GRPC.TLS == nil {
+		cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+		if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+			cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+			cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+			cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+		}
+	}
 }
 
 func Sanitize(cfg *config.Config) {

services/app-provider/pkg/revaconfig/config.go

@@ -23,9 +23,9 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
 			"tls_settings": map[string]interface{}{
-				"enabled":     cfg.GRPC.TLSEnabled,
-				"certificate": cfg.GRPC.TLSCert,
-				"key":         cfg.GRPC.TLSKey,
+				"enabled":     cfg.GRPC.TLS.Enabled,
+				"certificate": cfg.GRPC.TLS.Cert,
+				"key":         cfg.GRPC.TLS.Key,
 			},
 			"services": map[string]interface{}{
 				"appprovider": map[string]interface{}{

services/app-registry/pkg/config/config.go

@@ -50,12 +50,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr       string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
-	Namespace  string `yaml:"-"`
-	Protocol   string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr      string                 `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLS       *shared.GRPCServiceTLS `yaml:"tls"`
+	Namespace string                 `yaml:"-"`
+	Protocol  string                 `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AppRegistry struct {

services/app-registry/pkg/config/defaults/defaultconfig.go

@@ -130,9 +130,8 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address:   cfg.Commons.Reva.Address,
-			TLSMode:   cfg.Commons.Reva.TLSMode,
-			TLSCACert: cfg.Commons.Reva.TLSCACert,
+			Address: cfg.Commons.Reva.Address,
+			TLS:     cfg.Commons.Reva.TLS,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
@@ -146,6 +145,14 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
+	if cfg.GRPC.TLS == nil {
+		cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+		if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+			cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+			cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+			cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+		}
+	}
 }
 
 // Sanitize the config

services/app-registry/pkg/revaconfig/config.go

@@ -25,9 +25,9 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
 			"tls_settings": map[string]interface{}{
-				"enabled":     cfg.GRPC.TLSEnabled,
-				"certificate": cfg.GRPC.TLSCert,
-				"key":         cfg.GRPC.TLSKey,
+				"enabled":     cfg.GRPC.TLS.Enabled,
+				"certificate": cfg.GRPC.TLS.Cert,
+				"key":         cfg.GRPC.TLS.Key,
 			},
 			"services": map[string]interface{}{
 				"appregistry": map[string]interface{}{

services/auth-basic/pkg/config/config.go

@@ -51,12 +51,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr       string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
-	Namespace  string `yaml:"-"`
-	Protocol   string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr      string                 `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLS       *shared.GRPCServiceTLS `yaml:"tls"`
+	Namespace string                 `yaml:"-"`
+	Protocol  string                 `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AuthProviders struct {

services/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -104,9 +104,8 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address:   cfg.Commons.Reva.Address,
-			TLSMode:   cfg.Commons.Reva.TLSMode,
-			TLSCACert: cfg.Commons.Reva.TLSCACert,
+			Address: cfg.Commons.Reva.Address,
+			TLS:     cfg.Commons.Reva.TLS,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
@@ -120,6 +119,14 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.TokenManager = &config.TokenManager{}
 	}
 
+	if cfg.GRPC.TLS == nil {
+		cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+		if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+			cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+			cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+			cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+		}
+	}
 }
 
 func Sanitize(cfg *config.Config) {

services/auth-basic/pkg/revaconfig/config.go

@@ -21,9 +21,9 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
 			"tls_settings": map[string]interface{}{
-				"enabled":     cfg.GRPC.TLSEnabled,
-				"certificate": cfg.GRPC.TLSCert,
-				"key":         cfg.GRPC.TLSKey,
+				"enabled":     cfg.GRPC.TLS.Enabled,
+				"certificate": cfg.GRPC.TLS.Cert,
+				"key":         cfg.GRPC.TLS.Key,
 			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{

services/auth-bearer/pkg/config/config.go

@@ -51,12 +51,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr       string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
-	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
-	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
-	Namespace  string `yaml:"-"`
-	Protocol   string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr      string                 `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLS       *shared.GRPCServiceTLS `yaml:"tls"`
+	Namespace string                 `yaml:"-"`
+	Protocol  string                 `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type OIDC struct {

services/auth-bearer/pkg/config/defaults/defaultconfig.go

@@ -63,9 +63,8 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address:   cfg.Commons.Reva.Address,
-			TLSMode:   cfg.Commons.Reva.TLSMode,
-			TLSCACert: cfg.Commons.Reva.TLSCACert,
+			Address: cfg.Commons.Reva.Address,
+			TLS:     cfg.Commons.Reva.TLS,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}
@@ -78,6 +77,15 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.TokenManager == nil {
 		cfg.TokenManager = &config.TokenManager{}
 	}
+
+	if cfg.GRPC.TLS == nil {
+		cfg.GRPC.TLS = &shared.GRPCServiceTLS{}
+		if cfg.Commons != nil && cfg.Commons.GRPCServiceTLS != nil {
+			cfg.GRPC.TLS.Enabled = cfg.Commons.GRPCServiceTLS.Enabled
+			cfg.GRPC.TLS.Cert = cfg.Commons.GRPCServiceTLS.Cert
+			cfg.GRPC.TLS.Key = cfg.Commons.GRPCServiceTLS.Key
+		}
+	}
 }
 
 func Sanitize(cfg *config.Config) {

services/auth-bearer/pkg/revaconfig/config.go

@@ -21,9 +21,9 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
 			"tls_settings": map[string]interface{}{
-				"enabled":     cfg.GRPC.TLSEnabled,
-				"certificate": cfg.GRPC.TLSCert,
-				"key":         cfg.GRPC.TLSKey,
+				"enabled":     cfg.GRPC.TLS.Enabled,
+				"certificate": cfg.GRPC.TLS.Cert,
+				"key":         cfg.GRPC.TLS.Key,
 			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{