diff --git a/changelog/unreleased/grpc-tls.md b/changelog/unreleased/grpc-tls.md new file mode 100644 index 00000000000..2db05011136 --- /dev/null +++ b/changelog/unreleased/grpc-tls.md @@ -0,0 +1,6 @@ +Enhancement: Allow to setup TLS for the reva grpc services + +We added config options to allow enabling TLS encrption for all reva backed +grpc services. + +https://github.com/owncloud/ocis/pull/4798 diff --git a/ocis-pkg/shared/reva.go b/ocis-pkg/shared/reva.go new file mode 100644 index 00000000000..4f43ca90875 --- /dev/null +++ b/ocis-pkg/shared/reva.go @@ -0,0 +1,28 @@ +package shared + +import "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool" + +var defaultRevaConfig = Reva{ + Address: "127.0.0.1:9142", +} + +func DefaultRevaConfig() *Reva { + // copy + ret := defaultRevaConfig + return &ret +} + +func (r *Reva) GetRevaOptions() []pool.Option { + tm, _ := pool.StringToTLSMode(r.TLSMode) + opts := []pool.Option{ + pool.WithTLSMode(tm), + } + return opts +} + +func (r *Reva) GetGRPCClientConfig() map[string]interface{} { + return map[string]interface{}{ + "tls_mode": r.TLSMode, + "tls_cacert": r.TLSCACert, + } +} diff --git a/ocis-pkg/shared/shared_types.go b/ocis-pkg/shared/shared_types.go index ec3997116a3..493d0304751 100644 --- a/ocis-pkg/shared/shared_types.go +++ b/ocis-pkg/shared/shared_types.go @@ -29,9 +29,11 @@ type TokenManager struct { JWTSecret string `mask:"password" yaml:"jwt_secret" env:"OCIS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` } -// Reva defines all available REVA configuration. +// Reva defines all available REVA client configuration. type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` + Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` + TLSMode string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."` + TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."` } type CacheStore struct { diff --git a/services/app-provider/pkg/config/config.go b/services/app-provider/pkg/config/config.go index c6f84da93d8..2b62c23280e 100644 --- a/services/app-provider/pkg/config/config.go +++ b/services/app-provider/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` ExternalAddr string `yaml:"external_addr" env:"APP_PROVIDER_EXTERNAL_ADDR" desc:"Address of the app provider, where the GATEWAY service can reach it."` Driver string `yaml:"driver" env:"APP_PROVIDER_DRIVER" desc:"Driver, the APP PROVIDER services uses. Only \"wopi\" is supported as of now."` @@ -52,9 +52,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` + Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` } type Drivers struct { diff --git a/services/app-provider/pkg/config/defaults/defaultconfig.go b/services/app-provider/pkg/config/defaults/defaultconfig.go index 2ba8a992e45..92e000dc176 100644 --- a/services/app-provider/pkg/config/defaults/defaultconfig.go +++ b/services/app-provider/pkg/config/defaults/defaultconfig.go @@ -28,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "app-provider", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Driver: "", Drivers: config.Drivers{ WOPI: config.WOPIDriver{ @@ -66,11 +64,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/app-provider/pkg/config/reva.go b/services/app-provider/pkg/config/reva.go index 135052cdcc9..9290c1ac4a5 100644 --- a/services/app-provider/pkg/config/reva.go +++ b/services/app-provider/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;APP_PROVIDER_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/app-provider/pkg/revaconfig/config.go b/services/app-provider/pkg/revaconfig/config.go index 8b33d14a29a..bf152659907 100644 --- a/services/app-provider/pkg/revaconfig/config.go +++ b/services/app-provider/pkg/revaconfig/config.go @@ -15,12 +15,18 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} { "tracing_service_name": cfg.Service.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.TokenManager.JWTSecret, - "gatewaysvc": cfg.Reva.Address, + "jwt_secret": cfg.TokenManager.JWTSecret, + "gatewaysvc": cfg.Reva.Address, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "appprovider": map[string]interface{}{ "app_provider_url": cfg.ExternalAddr, diff --git a/services/app-registry/pkg/config/config.go b/services/app-registry/pkg/config/config.go index 817d0b91b79..b44287a19e5 100644 --- a/services/app-registry/pkg/config/config.go +++ b/services/app-registry/pkg/config/config.go @@ -17,7 +17,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` AppRegistry AppRegistry `yaml:"app_registry"` @@ -50,9 +50,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type AppRegistry struct { diff --git a/services/app-registry/pkg/config/defaults/defaultconfig.go b/services/app-registry/pkg/config/defaults/defaultconfig.go index c754f4e5064..1efd04bcc9f 100644 --- a/services/app-registry/pkg/config/defaults/defaultconfig.go +++ b/services/app-registry/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/app-registry/pkg/config" ) @@ -27,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "app-registry", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), } } @@ -130,11 +129,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/app-registry/pkg/config/reva.go b/services/app-registry/pkg/config/reva.go index 13e56d8da20..bc7eddf4fdd 100644 --- a/services/app-registry/pkg/config/reva.go +++ b/services/app-registry/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;APP_REGISTRY_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/app-registry/pkg/revaconfig/config.go b/services/app-registry/pkg/revaconfig/config.go index 20b75434843..f3e0d5ae93f 100644 --- a/services/app-registry/pkg/revaconfig/config.go +++ b/services/app-registry/pkg/revaconfig/config.go @@ -17,12 +17,18 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri "tracing_service_name": cfg.Service.Name, }, "shared": map[string]interface{}{ - "jwt_secret": cfg.TokenManager.JWTSecret, - "gatewaysvc": cfg.Reva.Address, + "jwt_secret": cfg.TokenManager.JWTSecret, + "gatewaysvc": cfg.Reva.Address, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "appregistry": map[string]interface{}{ "driver": "static", diff --git a/services/auth-basic/pkg/config/config.go b/services/auth-basic/pkg/config/config.go index 1458ca1078f..26aea8518c4 100644 --- a/services/auth-basic/pkg/config/config.go +++ b/services/auth-basic/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups."` AuthProvider string `yaml:"auth_provider" env:"AUTH_BASIC_AUTH_PROVIDER" desc:"The auth provider which should be used by the service like 'ldap'."` @@ -51,9 +51,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type AuthProviders struct { diff --git a/services/auth-basic/pkg/config/defaults/defaultconfig.go b/services/auth-basic/pkg/config/defaults/defaultconfig.go index a84df115d49..a926b940822 100644 --- a/services/auth-basic/pkg/config/defaults/defaultconfig.go +++ b/services/auth-basic/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/auth-basic/pkg/config" ) @@ -30,9 +31,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "auth-basic", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), AuthProvider: "ldap", AuthProviders: config.AuthProviders{ LDAP: config.LDAPProvider{ @@ -104,11 +103,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/auth-basic/pkg/config/reva.go b/services/auth-basic/pkg/config/reva.go index 57793f4bcdd..6242d1caa59 100644 --- a/services/auth-basic/pkg/config/reva.go +++ b/services/auth-basic/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;AUTH_BASIC_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/auth-basic/pkg/revaconfig/config.go b/services/auth-basic/pkg/revaconfig/config.go index 57cf6a80a7f..f47f04bf494 100644 --- a/services/auth-basic/pkg/revaconfig/config.go +++ b/services/auth-basic/pkg/revaconfig/config.go @@ -15,10 +15,16 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "authprovider": map[string]interface{}{ diff --git a/services/auth-bearer/pkg/config/config.go b/services/auth-bearer/pkg/config/config.go index 5503a2cefc1..d3bc9abe878 100644 --- a/services/auth-bearer/pkg/config/config.go +++ b/services/auth-bearer/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups."` @@ -51,9 +51,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type OIDC struct { diff --git a/services/auth-bearer/pkg/config/defaults/defaultconfig.go b/services/auth-bearer/pkg/config/defaults/defaultconfig.go index 5b5aabdbd89..42117bc104b 100644 --- a/services/auth-bearer/pkg/config/defaults/defaultconfig.go +++ b/services/auth-bearer/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/auth-bearer/pkg/config" ) @@ -27,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "auth-bearer", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), OIDC: config.OIDC{ Issuer: "https://localhost:9200", Insecure: false, @@ -63,11 +62,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/auth-bearer/pkg/config/reva.go b/services/auth-bearer/pkg/config/reva.go index 5335b8a7286..d556a052310 100644 --- a/services/auth-bearer/pkg/config/reva.go +++ b/services/auth-bearer/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;AUTH_BEARER_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/auth-bearer/pkg/revaconfig/config.go b/services/auth-bearer/pkg/revaconfig/config.go index b24f11e8228..1445fbab4d1 100644 --- a/services/auth-bearer/pkg/revaconfig/config.go +++ b/services/auth-bearer/pkg/revaconfig/config.go @@ -15,10 +15,16 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "authprovider": map[string]interface{}{ "auth_manager": "oidc", diff --git a/services/auth-machine/pkg/config/config.go b/services/auth-machine/pkg/config/config.go index d0b2c0b545f..9989c7c35f0 100644 --- a/services/auth-machine/pkg/config/config.go +++ b/services/auth-machine/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups."` @@ -51,7 +51,10 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } diff --git a/services/auth-machine/pkg/config/defaults/defaultconfig.go b/services/auth-machine/pkg/config/defaults/defaultconfig.go index c861f8b3858..679e61a1fc1 100644 --- a/services/auth-machine/pkg/config/defaults/defaultconfig.go +++ b/services/auth-machine/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/auth-machine/pkg/config" ) @@ -27,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "auth-machine", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), } } @@ -58,11 +57,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/auth-machine/pkg/config/reva.go b/services/auth-machine/pkg/config/reva.go index 099a5b3fe32..14cb00d0892 100644 --- a/services/auth-machine/pkg/config/reva.go +++ b/services/auth-machine/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;AUTH_MACHINE_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/auth-machine/pkg/revaconfig/config.go b/services/auth-machine/pkg/revaconfig/config.go index bc2422156bd..a72300e47bf 100644 --- a/services/auth-machine/pkg/revaconfig/config.go +++ b/services/auth-machine/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func AuthMachineConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "authprovider": map[string]interface{}{ "auth_manager": "machine", diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index a3b92de916c..2af685f4a11 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go @@ -20,7 +20,7 @@ type Config struct { TransferSecret string `yaml:"transfer_secret" env:"STORAGE_TRANSFER_SECRET" desc:"Transfer secret for signing file up- and download requests."` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;FRONTEND_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services."` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"FRONTEND_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` diff --git a/services/frontend/pkg/config/defaults/defaultconfig.go b/services/frontend/pkg/config/defaults/defaultconfig.go index b70f8095c77..49b8a58dc52 100644 --- a/services/frontend/pkg/config/defaults/defaultconfig.go +++ b/services/frontend/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/frontend/pkg/config" ) @@ -28,9 +29,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "frontend", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), PublicURL: "https://localhost:9200", EnableFavorites: false, EnableProjectSpaces: true, @@ -97,11 +96,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/frontend/pkg/config/reva.go b/services/frontend/pkg/config/reva.go index 8f0f7d14e75..c24d8b808e2 100644 --- a/services/frontend/pkg/config/reva.go +++ b/services/frontend/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;FRONTEND_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index 7d98a1b6d19..60070e7bde3 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -73,6 +73,7 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, // Todo or address? "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "http": map[string]interface{}{ "network": cfg.HTTP.Protocol, diff --git a/services/gateway/pkg/config/config.go b/services/gateway/pkg/config/config.go index 0114bb8c665..46d37ecbcbe 100644 --- a/services/gateway/pkg/config/config.go +++ b/services/gateway/pkg/config/config.go @@ -17,7 +17,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"GATEWAY_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -73,9 +73,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type StorageRegistry struct { diff --git a/services/gateway/pkg/config/defaults/defaultconfig.go b/services/gateway/pkg/config/defaults/defaultconfig.go index 94b9b32ace2..a35b54dfefb 100644 --- a/services/gateway/pkg/config/defaults/defaultconfig.go +++ b/services/gateway/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/gateway/pkg/config" ) @@ -27,10 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "gateway", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, - + Reva: shared.DefaultRevaConfig(), CommitShareToStorageGrant: true, ShareFolder: "Shares", DisableHomeCreationOnLogin: true, @@ -88,11 +86,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/gateway/pkg/config/reva.go b/services/gateway/pkg/config/reva.go index b781f8c32b8..957e54590d6 100644 --- a/services/gateway/pkg/config/reva.go +++ b/services/gateway/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;GATEWAY_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index d8deec31d99..25ae057ca87 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go @@ -24,10 +24,16 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "gateway": map[string]interface{}{ diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index 7caa0b643c6..a4f19e11505 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go @@ -19,7 +19,7 @@ type Config struct { HTTP HTTP `yaml:"http"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` TokenManager *TokenManager `yaml:"token_manager"` Spaces Spaces `yaml:"spaces"` diff --git a/services/graph/pkg/config/defaults/defaultconfig.go b/services/graph/pkg/config/defaults/defaultconfig.go index 34d05c2b09c..3c7d7202218 100644 --- a/services/graph/pkg/config/defaults/defaultconfig.go +++ b/services/graph/pkg/config/defaults/defaultconfig.go @@ -5,6 +5,7 @@ import ( "strings" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/graph/pkg/config" ) @@ -29,9 +30,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "graph", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Spaces: config.Spaces{ WebDavBase: "https://localhost:9200", WebDavPath: "/dav/spaces/", diff --git a/services/graph/pkg/config/reva.go b/services/graph/pkg/config/reva.go index 4bacfc57629..e9314b7fc85 100644 --- a/services/graph/pkg/config/reva.go +++ b/services/graph/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;GRAPH_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/graph/pkg/identity/cs3.go b/services/graph/pkg/identity/cs3.go index 015de11917f..6aa8043792c 100644 --- a/services/graph/pkg/identity/cs3.go +++ b/services/graph/pkg/identity/cs3.go @@ -11,7 +11,7 @@ import ( libregraph "github.com/owncloud/libre-graph-api-go" "github.com/owncloud/ocis/v2/ocis-pkg/log" - "github.com/owncloud/ocis/v2/services/graph/pkg/config" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/graph/pkg/service/v0/errorcode" ) @@ -20,7 +20,7 @@ var ( ) type CS3 struct { - Config *config.Reva + Config *shared.Reva Logger *log.Logger } @@ -42,7 +42,7 @@ func (i *CS3) UpdateUser(ctx context.Context, nameOrID string, user libregraph.U func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values) (*libregraph.User, error) { logger := i.Logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "cs3").Msg("GetUser") - client, err := pool.GetGatewayServiceClient(i.Config.Address) + client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...) if err != nil { logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client") return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error()) @@ -70,7 +70,7 @@ func (i *CS3) GetUser(ctx context.Context, userID string, queryParam url.Values) func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregraph.User, error) { logger := i.Logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "cs3").Msg("GetUsers") - client, err := pool.GetGatewayServiceClient(i.Config.Address) + client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...) if err != nil { logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client") return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error()) @@ -110,7 +110,7 @@ func (i *CS3) GetUsers(ctx context.Context, queryParam url.Values) ([]*libregrap func (i *CS3) GetGroups(ctx context.Context, queryParam url.Values) ([]*libregraph.Group, error) { logger := i.Logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "cs3").Msg("GetGroups") - client, err := pool.GetGatewayServiceClient(i.Config.Address) + client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...) if err != nil { logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client") return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error()) @@ -156,7 +156,7 @@ func (i *CS3) CreateGroup(ctx context.Context, group libregraph.Group) (*libregr func (i *CS3) GetGroup(ctx context.Context, groupID string, queryParam url.Values) (*libregraph.Group, error) { logger := i.Logger.SubloggerWithRequestID(ctx) logger.Debug().Str("backend", "cs3").Msg("GetGroup") - client, err := pool.GetGatewayServiceClient(i.Config.Address) + client, err := pool.GetGatewayServiceClient(i.Config.Address, i.Config.GetRevaOptions()...) if err != nil { logger.Error().Str("backend", "cs3").Err(err).Msg("could not get client") return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error()) diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go index de0e89fea35..cb7030494c5 100644 --- a/services/graph/pkg/service/v0/service.go +++ b/services/graph/pkg/service/v0/service.go @@ -66,7 +66,7 @@ func NewService(opts ...Option) Service { } if options.GatewayClient == nil { var err error - svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address) + svc.gatewayClient, err = pool.GetGatewayServiceClient(options.Config.Reva.Address, options.Config.Reva.GetRevaOptions()...) if err != nil { options.Logger.Error().Err(err).Msg("Could not get gateway client") return nil diff --git a/services/groups/pkg/config/config.go b/services/groups/pkg/config/config.go index fb8e9ed13bc..8d9d962a661 100644 --- a/services/groups/pkg/config/config.go +++ b/services/groups/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"GROUPS_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -52,9 +52,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"GROUPS_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"GROUPS_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"GROUPS_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"GROUPS_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type Drivers struct { diff --git a/services/groups/pkg/config/defaults/defaultconfig.go b/services/groups/pkg/config/defaults/defaultconfig.go index 822efa66dd4..594f88518d8 100644 --- a/services/groups/pkg/config/defaults/defaultconfig.go +++ b/services/groups/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/groups/pkg/config" ) @@ -30,9 +31,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "groups", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Driver: "ldap", Drivers: config.Drivers{ LDAP: config.LDAPDriver{ @@ -105,11 +104,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/groups/pkg/config/reva.go b/services/groups/pkg/config/reva.go index 82239b44c4e..ff28fdecf59 100644 --- a/services/groups/pkg/config/reva.go +++ b/services/groups/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;GROUPS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/groups/pkg/revaconfig/config.go b/services/groups/pkg/revaconfig/config.go index 6e899c1a752..2209e784b9f 100644 --- a/services/groups/pkg/revaconfig/config.go +++ b/services/groups/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func GroupsConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "groupprovider": map[string]interface{}{ diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go index 385ff180d33..515b6970c3e 100644 --- a/services/idp/pkg/config/config.go +++ b/services/idp/pkg/config/config.go @@ -18,7 +18,7 @@ type Config struct { HTTP HTTP `yaml:"http"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;IDP_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."` diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go index 5076544959d..71ef857f55a 100644 --- a/services/idp/pkg/config/defaults/defaultconfig.go +++ b/services/idp/pkg/config/defaults/defaultconfig.go @@ -5,6 +5,7 @@ import ( "strings" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/idp/pkg/config" ) @@ -28,9 +29,7 @@ func DefaultConfig() *config.Config { TLSKey: filepath.Join(defaults.BaseDataPath(), "idp", "server.key"), TLS: false, }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Service: config.Service{ Name: "idp", }, @@ -153,11 +152,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" { diff --git a/services/idp/pkg/config/reva.go b/services/idp/pkg/config/reva.go deleted file mode 100644 index 5b4222251d7..00000000000 --- a/services/idp/pkg/config/reva.go +++ /dev/null @@ -1,6 +0,0 @@ -package config - -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"CS3 gateway used to authenticate and look up users"` -} diff --git a/services/notifications/pkg/channels/channels.go b/services/notifications/pkg/channels/channels.go index 59928fbc267..0a27b1f14d5 100644 --- a/services/notifications/pkg/channels/channels.go +++ b/services/notifications/pkg/channels/channels.go @@ -27,7 +27,15 @@ type Channel interface { // NewMailChannel instantiates a new mail communication channel. func NewMailChannel(cfg config.Config, logger log.Logger) (Channel, error) { - gc, err := pool.GetGatewayServiceClient(cfg.Notifications.RevaGateway) + tm, err := pool.StringToTLSMode(cfg.Notifications.RevaGatewayTLSMode) + if err != nil { + logger.Error().Err(err).Msg("could not get gateway client tls mode") + return nil, err + } + gc, err := pool.GetGatewayServiceClient(cfg.Notifications.RevaGateway, + pool.WithTLSCACert(cfg.Notifications.RevaGatewayTLSCACert), + pool.WithTLSMode(tm), + ) if err != nil { logger.Error().Err(err).Msg("could not get gateway client") return nil, err diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go index c27787ac337..b1902689933 100644 --- a/services/notifications/pkg/command/server.go +++ b/services/notifications/pkg/command/server.go @@ -77,7 +77,15 @@ func Server(cfg *config.Config) *cli.Command { if err != nil { return err } - gwclient, err := pool.GetGatewayServiceClient(cfg.Notifications.RevaGateway) + tm, err := pool.StringToTLSMode(cfg.Notifications.RevaGatewayTLSMode) + if err != nil { + return err + } + gwclient, err := pool.GetGatewayServiceClient( + cfg.Notifications.RevaGateway, + pool.WithTLSCACert(cfg.Notifications.RevaGatewayTLSCACert), + pool.WithTLSMode(tm), + ) if err != nil { logger.Fatal().Err(err).Str("addr", cfg.Notifications.RevaGateway).Msg("could not get reva client") } diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go index fae9ec89e83..7d5fb3be0b2 100644 --- a/services/notifications/pkg/config/config.go +++ b/services/notifications/pkg/config/config.go @@ -22,11 +22,13 @@ type Config struct { // Notifications defines the config options for the notifications service. type Notifications struct { - SMTP SMTP `yaml:"SMTP"` - Events Events `yaml:"events"` - RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY;NOTIFICATIONS_REVA_GATEWAY" desc:"CS3 gateway used to look up user metadata"` - MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;NOTIFICATIONS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services."` - EmailTemplatePath string `yaml:"email_template_path" env:"OCIS_EMAIL_TEMPLATE_PATH;NOTIFICATIONS_EMAIL_TEMPLATE_PATH" desc:"Path to Email notification templates overriding embedded ones."` + SMTP SMTP `yaml:"SMTP"` + Events Events `yaml:"events"` + MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;NOTIFICATIONS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services."` + EmailTemplatePath string `yaml:"email_template_path" env:"OCIS_EMAIL_TEMPLATE_PATH;NOTIFICATIONS_EMAIL_TEMPLATE_PATH" desc:"Path to Email notification templates overriding embedded ones."` + RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY" desc:"CS3 gateway used to look up user metadata"` + RevaGatewayTLSMode string `yaml:"reva_gateway_tls_mode" env:"REVA_GATEWAY_TLS_MODE"` + RevaGatewayTLSCACert string `yaml:"reva_gateway_tls_cacert" env:"REVA_GATEWAY_TLS_CACERT"` } // SMTP combines the smtp configuration options. diff --git a/services/notifications/pkg/config/defaults/defaultconfig.go b/services/notifications/pkg/config/defaults/defaultconfig.go index 53f8faa1d6b..552d9f560f8 100644 --- a/services/notifications/pkg/config/defaults/defaultconfig.go +++ b/services/notifications/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/notifications/pkg/config" ) @@ -36,7 +37,9 @@ func DefaultConfig() *config.Config { ConsumerGroup: "notifications", EnableTLS: false, }, - RevaGateway: "127.0.0.1:9142", + RevaGateway: shared.DefaultRevaConfig().Address, + RevaGatewayTLSMode: shared.DefaultRevaConfig().TLSMode, + RevaGatewayTLSCACert: shared.DefaultRevaConfig().TLSCACert, }, } } diff --git a/services/ocdav/pkg/command/server.go b/services/ocdav/pkg/command/server.go index afd3a06c12e..0dabcbbfb41 100644 --- a/services/ocdav/pkg/command/server.go +++ b/services/ocdav/pkg/command/server.go @@ -5,6 +5,7 @@ import ( "fmt" "github.com/cs3org/reva/v2/pkg/micro/ocdav" + "github.com/cs3org/reva/v2/pkg/sharedconf" "github.com/oklog/run" "github.com/owncloud/ocis/v2/ocis-pkg/broker" "github.com/owncloud/ocis/v2/ocis-pkg/config/configlog" @@ -38,7 +39,17 @@ func Server(cfg *config.Config) *cli.Command { defer cancel() gr.Add(func() error { - + // init reva shared config explicitly as the go-micro based ocdav does not use + // the reva runtime. But we need e.g. the shared client settings to be initialized + sc := map[string]interface{}{ + "jwt_secret": cfg.TokenManager.JWTSecret, + "gatewaysvc": cfg.Reva.Address, + "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), + } + if err := sharedconf.Decode(sc); err != nil { + logger.Error().Err(err).Msg("error decoding shared config for ocdav") + } opts := []ocdav.Option{ ocdav.Name(cfg.HTTP.Namespace + "." + cfg.Service.Name), ocdav.Version(version.GetString()), diff --git a/services/ocdav/pkg/config/config.go b/services/ocdav/pkg/config/config.go index 3ed98bf3e76..9f2d3f12f63 100644 --- a/services/ocdav/pkg/config/config.go +++ b/services/ocdav/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { HTTP HTTPConfig `yaml:"http"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"OCDAV_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` diff --git a/services/ocdav/pkg/config/defaults/defaultconfig.go b/services/ocdav/pkg/config/defaults/defaultconfig.go index 23d2c9561e6..8739f0cc975 100644 --- a/services/ocdav/pkg/config/defaults/defaultconfig.go +++ b/services/ocdav/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/ocis-pkg/version" "github.com/owncloud/ocis/v2/services/ocdav/pkg/config" ) @@ -29,9 +30,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "ocdav", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), WebdavNamespace: "/users/{{.Id.OpaqueId}}", FilesNamespace: "/users/{{.Id.OpaqueId}}", SharesNamespace: "/Shares", @@ -80,11 +79,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/ocdav/pkg/config/reva.go b/services/ocdav/pkg/config/reva.go index 60374747e56..6c772dafa7b 100644 --- a/services/ocdav/pkg/config/reva.go +++ b/services/ocdav/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;OCDAV_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/ocs/pkg/config/config.go b/services/ocs/pkg/config/config.go index 9729fa19d73..4653d516864 100644 --- a/services/ocs/pkg/config/config.go +++ b/services/ocs/pkg/config/config.go @@ -20,7 +20,7 @@ type Config struct { HTTP HTTP `yaml:"http"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` IdentityManagement IdentityManagement `yaml:"identity_management"` diff --git a/services/ocs/pkg/config/defaults/defaultconfig.go b/services/ocs/pkg/config/defaults/defaultconfig.go index 7e9c03ea94b..dd5b389cd81 100644 --- a/services/ocs/pkg/config/defaults/defaultconfig.go +++ b/services/ocs/pkg/config/defaults/defaultconfig.go @@ -3,6 +3,7 @@ package defaults import ( "strings" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/ocs/pkg/config" ) @@ -36,9 +37,7 @@ func DefaultConfig() *config.Config { Name: "ocs", }, AccountBackend: "cs3", - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), IdentityManagement: config.IdentityManagement{ Address: "https://localhost:9200", }, @@ -80,11 +79,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/ocs/pkg/config/reva.go b/services/ocs/pkg/config/reva.go index d4f77cdc551..149233e36a9 100644 --- a/services/ocs/pkg/config/reva.go +++ b/services/ocs/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;OCS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/ocs/pkg/service/v0/service.go b/services/ocs/pkg/service/v0/service.go index cf476d63ebb..60b7e2b08b3 100644 --- a/services/ocs/pkg/service/v0/service.go +++ b/services/ocs/pkg/service/v0/service.go @@ -118,7 +118,7 @@ func (o Ocs) NotFound(w http.ResponseWriter, r *http.Request) { } func (o Ocs) getCS3Backend() backend.UserBackend { - revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) + revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address, o.config.Reva.GetRevaOptions()...) if err != nil { o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address) } diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index 7cd82c96a66..21075a1a4d7 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -128,7 +128,7 @@ func Server(cfg *config.Config) *cli.Command { func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain { rolesClient := settingssvc.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient()) - revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address) + revaClient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...) var userProvider backend.UserBackend switch cfg.AccountBackend { case "cs3": diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index 886351589fa..c2b2236afda 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -18,7 +18,7 @@ type Config struct { HTTP HTTP `yaml:"http"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` Policies []Policy `yaml:"policies"` OIDC OIDC `yaml:"oidc"` diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go index 06b5878c171..414d742270a 100644 --- a/services/proxy/pkg/config/defaults/defaultconfig.go +++ b/services/proxy/pkg/config/defaults/defaultconfig.go @@ -5,6 +5,7 @@ import ( "strings" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/proxy/pkg/config" ) @@ -48,9 +49,7 @@ func DefaultConfig() *config.Config { }, }, PolicySelector: nil, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), PreSignedURL: config.PreSignedURL{ AllowedHTTPMethods: []string{"GET"}, Enabled: true, @@ -242,11 +241,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } } diff --git a/services/proxy/pkg/config/reva.go b/services/proxy/pkg/config/reva.go deleted file mode 100644 index c84988f53cb..00000000000 --- a/services/proxy/pkg/config/reva.go +++ /dev/null @@ -1,6 +0,0 @@ -package config - -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} diff --git a/services/search/pkg/config/config.go b/services/search/pkg/config/config.go index 5e4eed93442..b69832cd35f 100644 --- a/services/search/pkg/config/config.go +++ b/services/search/pkg/config/config.go @@ -18,9 +18,9 @@ type Config struct { GRPC GRPC `yaml:"grpc"` - Datapath string `yaml:"data_path" env:"SEARCH_DATA_PATH" desc:"The directory where the filesystem storage will store search data. If not definied, the root directory derives from $OCIS_BASE_DATA_PATH:/search."` - Reva *Reva `yaml:"reva"` - Events Events `yaml:"events"` + Datapath string `yaml:"data_path" env:"SEARCH_DATA_PATH" desc:"The directory where the filesystem storage will store search data. If not definied, the root directory derives from $OCIS_BASE_DATA_PATH:/search."` + Reva *shared.Reva `yaml:"reva"` + Events Events `yaml:"events"` MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;SEARCH_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services."` diff --git a/services/search/pkg/config/defaults/defaultconfig.go b/services/search/pkg/config/defaults/defaultconfig.go index e3b2a5535a5..3670bb3b41d 100644 --- a/services/search/pkg/config/defaults/defaultconfig.go +++ b/services/search/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/search/pkg/config" ) @@ -29,9 +30,7 @@ func DefaultConfig() *config.Config { Name: "search", }, Datapath: path.Join(defaults.BaseDataPath(), "search"), - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Events: config.Events{ Endpoint: "127.0.0.1:9233", Cluster: "ocis-cluster", @@ -72,11 +71,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } } diff --git a/services/search/pkg/config/reva.go b/services/search/pkg/config/reva.go deleted file mode 100644 index f0c218ad806..00000000000 --- a/services/search/pkg/config/reva.go +++ /dev/null @@ -1,6 +0,0 @@ -package config - -// Reva defines all available REVA configuration. -type Reva struct { - Address string `ocisConfig:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} diff --git a/services/search/pkg/service/v0/service.go b/services/search/pkg/service/v0/service.go index cd6a3baaeef..8dd12ba7135 100644 --- a/services/search/pkg/service/v0/service.go +++ b/services/search/pkg/service/v0/service.go @@ -88,7 +88,7 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) { return nil, err } - gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address) + gwclient, err := pool.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.GetRevaOptions()...) if err != nil { logger.Fatal().Err(err).Str("addr", cfg.Reva.Address).Msg("could not get reva client") } diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go index b9b2714f5cd..83e11bb048e 100644 --- a/services/sharing/pkg/config/config.go +++ b/services/sharing/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` Events Events `yaml:"events"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"SHARING_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -55,9 +55,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"SHARING_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"SHARING_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"SHARING_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"SHARING_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type UserSharingDrivers struct { diff --git a/services/sharing/pkg/config/defaults/defaultconfig.go b/services/sharing/pkg/config/defaults/defaultconfig.go index d404b874d11..cbf0cd12201 100644 --- a/services/sharing/pkg/config/defaults/defaultconfig.go +++ b/services/sharing/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/sharing/pkg/config" ) @@ -30,9 +31,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "sharing", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), UserSharingDriver: "jsoncs3", UserSharingDrivers: config.UserSharingDrivers{ JSON: config.UserSharingJSONDriver{ @@ -101,11 +100,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/sharing/pkg/config/reva.go b/services/sharing/pkg/config/reva.go index 85b7124dd84..2f0576e0570 100644 --- a/services/sharing/pkg/config/reva.go +++ b/services/sharing/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;SHARING_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go index a054d85ad3d..cfef6b52040 100644 --- a/services/sharing/pkg/revaconfig/config.go +++ b/services/sharing/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "usershareprovider": map[string]interface{}{ diff --git a/services/storage-publiclink/pkg/config/config.go b/services/storage-publiclink/pkg/config/config.go index c2569e51965..34d9620c56d 100644 --- a/services/storage-publiclink/pkg/config/config.go +++ b/services/storage-publiclink/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -51,9 +51,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"STORAGE_PUBLICLINK_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"STORAGE_PUBLICLINK_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"STORAGE_PUBLICLINK_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"STORAGE_PUBLICLINK_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } type StorageProvider struct { diff --git a/services/storage-publiclink/pkg/config/defaults/defaultconfig.go b/services/storage-publiclink/pkg/config/defaults/defaultconfig.go index 9d8670ebaf3..cdd955b3945 100644 --- a/services/storage-publiclink/pkg/config/defaults/defaultconfig.go +++ b/services/storage-publiclink/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/storage-publiclink/pkg/config" ) @@ -27,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "storage-publiclink", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), StorageProvider: config.StorageProvider{ MountID: "7993447f-687f-490d-875c-ac95e89a62a4", }, @@ -61,11 +60,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/storage-publiclink/pkg/config/reva.go b/services/storage-publiclink/pkg/config/reva.go index 06102c99d19..bc92edbfa88 100644 --- a/services/storage-publiclink/pkg/config/reva.go +++ b/services/storage-publiclink/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;STORAGE_PUBLICLINK_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/storage-publiclink/pkg/revaconfig/config.go b/services/storage-publiclink/pkg/revaconfig/config.go index ab335219d50..af366d76301 100644 --- a/services/storage-publiclink/pkg/revaconfig/config.go +++ b/services/storage-publiclink/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func StoragePublicLinkConfigFromStruct(cfg *config.Config) map[string]interface{ "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "interceptors": map[string]interface{}{ "log": map[string]interface{}{}, "prometheus": map[string]interface{}{ diff --git a/services/storage-shares/pkg/config/config.go b/services/storage-shares/pkg/config/config.go index 33a46d2ecb3..5e5c7d23e6c 100644 --- a/services/storage-shares/pkg/config/config.go +++ b/services/storage-shares/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -53,7 +53,10 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"STORAGE_SHARES_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"STORAGE_SHARES_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` + Addr string `yaml:"addr" env:"STORAGE_SHARES_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"STORAGE_SHARES_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."` } diff --git a/services/storage-shares/pkg/config/defaults/defaultconfig.go b/services/storage-shares/pkg/config/defaults/defaultconfig.go index 13047125a9b..0b8836200d1 100644 --- a/services/storage-shares/pkg/config/defaults/defaultconfig.go +++ b/services/storage-shares/pkg/config/defaults/defaultconfig.go @@ -1,6 +1,7 @@ package defaults import ( + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/storage-shares/pkg/config" ) @@ -27,9 +28,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "storage-shares", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), MountID: "7639e57c-4433-4a12-8201-722fd0009154", ReadOnly: false, SharesProviderEndpoint: "localhost:9150", @@ -61,11 +60,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/storage-shares/pkg/config/reva.go b/services/storage-shares/pkg/config/reva.go index 1905f490a30..dc5dd4dde15 100644 --- a/services/storage-shares/pkg/config/reva.go +++ b/services/storage-shares/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;STORAGE_SHARES_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/storage-shares/pkg/revaconfig/config.go b/services/storage-shares/pkg/revaconfig/config.go index 320681317fc..cb9f9dd5c72 100644 --- a/services/storage-shares/pkg/revaconfig/config.go +++ b/services/storage-shares/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func StorageSharesConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "sharesstorageprovider": map[string]interface{}{ "usershareprovidersvc": cfg.SharesProviderEndpoint, diff --git a/services/storage-system/pkg/config/config.go b/services/storage-system/pkg/config/config.go index 5a87745fc90..eae54daec5f 100644 --- a/services/storage-system/pkg/config/config.go +++ b/services/storage-system/pkg/config/config.go @@ -17,7 +17,7 @@ type Config struct { HTTP HTTPConfig `yaml:"http"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SystemUserID string `yaml:"system_user_id" env:"OCIS_SYSTEM_USER_ID" desc:"ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format."` SystemUserAPIKey string `yaml:"system_user_api_key" env:"OCIS_SYSTEM_USER_API_KEY" desc:"API key for the STORAGE-SYSTEM system user."` @@ -56,9 +56,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"STORAGE_SYSTEM_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"STORAGE_SYSTEM_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` + Addr string `yaml:"addr" env:"STORAGE_SYSTEM_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"STORAGE_SYSTEM_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` } type HTTPConfig struct { diff --git a/services/storage-system/pkg/config/defaults/defaultconfig.go b/services/storage-system/pkg/config/defaults/defaultconfig.go index 99188634a89..c8738826160 100644 --- a/services/storage-system/pkg/config/defaults/defaultconfig.go +++ b/services/storage-system/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/storage-system/pkg/config" ) @@ -35,9 +36,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "storage-system", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), DataServerURL: "http://localhost:9216/data", Driver: "ocis", Drivers: config.Drivers{ @@ -73,11 +72,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/storage-system/pkg/config/reva.go b/services/storage-system/pkg/config/reva.go index f401016959e..5c8ff6d4c2b 100644 --- a/services/storage-system/pkg/config/reva.go +++ b/services/storage-system/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;STORAGE_SYSTEM_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/storage-system/pkg/revaconfig/config.go b/services/storage-system/pkg/revaconfig/config.go index aa7e64cfefa..56534c54263 100644 --- a/services/storage-system/pkg/revaconfig/config.go +++ b/services/storage-system/pkg/revaconfig/config.go @@ -18,10 +18,16 @@ func StorageSystemFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, "services": map[string]interface{}{ "gateway": map[string]interface{}{ // registries are located on the gateway diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index 3081c42e027..e348a76351e 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go @@ -17,7 +17,7 @@ type Config struct { HTTP HTTPConfig `yaml:"http"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -60,9 +60,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"STORAGE_USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"STORAGE_USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` + Addr string `yaml:"addr" env:"STORAGE_USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"STORAGE_USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` } type HTTPConfig struct { diff --git a/services/storage-users/pkg/config/defaults/defaultconfig.go b/services/storage-users/pkg/config/defaults/defaultconfig.go index e1f98cb0002..fa0796d288f 100644 --- a/services/storage-users/pkg/config/defaults/defaultconfig.go +++ b/services/storage-users/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/storage-users/pkg/config" ) @@ -36,9 +37,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "storage-users", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), DataServerURL: "http://localhost:9158/data", MountID: "1284d238-aa92-42ce-bdc4-0b0000009157", UploadExpiration: 24 * 60 * 60, @@ -111,11 +110,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/storage-users/pkg/config/reva.go b/services/storage-users/pkg/config/reva.go index 3eed4000653..de111cde31a 100644 --- a/services/storage-users/pkg/config/reva.go +++ b/services/storage-users/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;STORAGE_USERS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/storage-users/pkg/revaconfig/config.go b/services/storage-users/pkg/revaconfig/config.go index 4bc0ce98804..81d542fd180 100644 --- a/services/storage-users/pkg/revaconfig/config.go +++ b/services/storage-users/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "storageprovider": map[string]interface{}{ diff --git a/services/storage-users/pkg/revaconfig/user.go b/services/storage-users/pkg/revaconfig/user.go index ca06607772f..f3dd247f35d 100644 --- a/services/storage-users/pkg/revaconfig/user.go +++ b/services/storage-users/pkg/revaconfig/user.go @@ -95,6 +95,7 @@ func UserDrivers(cfg *config.Config) map[string]interface{} { "treetime_accounting": true, "treesize_accounting": true, "permissionssvc": cfg.Drivers.OCIS.PermissionsEndpoint, + "permissionssvc_tls_mode": "off", }, "s3": map[string]interface{}{ "enable_home": false, @@ -114,6 +115,7 @@ func UserDrivers(cfg *config.Config) map[string]interface{} { "treetime_accounting": true, "treesize_accounting": true, "permissionssvc": cfg.Drivers.S3NG.PermissionsEndpoint, + "permissionssvc_tls_mode": "off", "s3.region": cfg.Drivers.S3NG.Region, "s3.access_key": cfg.Drivers.S3NG.AccessKey, "s3.secret_key": cfg.Drivers.S3NG.SecretKey, diff --git a/services/thumbnails/pkg/config/config.go b/services/thumbnails/pkg/config/config.go index 781a613f780..24b6440b55b 100644 --- a/services/thumbnails/pkg/config/config.go +++ b/services/thumbnails/pkg/config/config.go @@ -31,12 +31,14 @@ type FileSystemStorage struct { // Thumbnail defines the available thumbnail related configuration. type Thumbnail struct { - Resolutions []string `yaml:"resolutions" env:"THUMBNAILS_RESOLUTIONS" desc:"The supported target resolutions in the format WidthxHeight e.g. 32x32. You can define any resolution as required and separate multiple resolutions by blank or comma."` - FileSystemStorage FileSystemStorage `yaml:"filesystem_storage"` - WebdavAllowInsecure bool `yaml:"webdav_allow_insecure" env:"OCIS_INSECURE;THUMBNAILS_WEBDAVSOURCE_INSECURE" desc:"Ignore untrusted SSL certificates when connecting to the webdav source."` - CS3AllowInsecure bool `yaml:"cs3_allow_insecure" env:"OCIS_INSECURE;THUMBNAILS_CS3SOURCE_INSECURE" desc:"Ignore untrusted SSL certificates when connecting to the CS3 source."` - RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` //TODO: use REVA config - FontMapFile string `yaml:"font_map_file" env:"THUMBNAILS_TXT_FONTMAP_FILE" desc:"The path to a font file for txt thumbnails."` - TransferSecret string `yaml:"transfer_secret" env:"THUMBNAILS_TRANSFER_TOKEN" desc:"The secret to sign JWT to download the actual thumbnail file."` - DataEndpoint string `yaml:"data_endpoint" env:"THUMBNAILS_DATA_ENDPOINT" desc:"The HTTP endpoint where the actual thumbnail file can be downloaded."` + Resolutions []string `yaml:"resolutions" env:"THUMBNAILS_RESOLUTIONS" desc:"The supported target resolutions in the format WidthxHeight e.g. 32x32. You can define any resolution as required and separate multiple resolutions by blank or comma."` + FileSystemStorage FileSystemStorage `yaml:"filesystem_storage"` + WebdavAllowInsecure bool `yaml:"webdav_allow_insecure" env:"OCIS_INSECURE;THUMBNAILS_WEBDAVSOURCE_INSECURE" desc:"Ignore untrusted SSL certificates when connecting to the webdav source."` + CS3AllowInsecure bool `yaml:"cs3_allow_insecure" env:"OCIS_INSECURE;THUMBNAILS_CS3SOURCE_INSECURE" desc:"Ignore untrusted SSL certificates when connecting to the CS3 source."` + RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY" desc:"CS3 gateway used to look up user metadata"` + RevaGatewayTLSMode string `yaml:"reva_gateway_tls_mode" env:"REVA_GATEWAY_TLS_MODE"` + RevaGatewayTLSCACert string `yaml:"reva_gateway_tls_cacert" env:"REVA_GATEWAY_TLS_CACERT"` + FontMapFile string `yaml:"font_map_file" env:"THUMBNAILS_TXT_FONTMAP_FILE" desc:"The path to a font file for txt thumbnails."` + TransferSecret string `yaml:"transfer_secret" env:"THUMBNAILS_TRANSFER_TOKEN" desc:"The secret to sign JWT to download the actual thumbnail file."` + DataEndpoint string `yaml:"data_endpoint" env:"THUMBNAILS_DATA_ENDPOINT" desc:"The HTTP endpoint where the actual thumbnail file can be downloaded."` } diff --git a/services/thumbnails/pkg/config/defaults/defaultconfig.go b/services/thumbnails/pkg/config/defaults/defaultconfig.go index b6d3f8b7cdb..d0b2c341ef6 100644 --- a/services/thumbnails/pkg/config/defaults/defaultconfig.go +++ b/services/thumbnails/pkg/config/defaults/defaultconfig.go @@ -5,6 +5,7 @@ import ( "strings" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/thumbnails/pkg/config" ) @@ -40,10 +41,12 @@ func DefaultConfig() *config.Config { FileSystemStorage: config.FileSystemStorage{ RootDirectory: path.Join(defaults.BaseDataPath(), "thumbnails"), }, - WebdavAllowInsecure: false, - RevaGateway: "127.0.0.1:9142", - CS3AllowInsecure: false, - DataEndpoint: "http://127.0.0.1:9186/thumbnails/data", + WebdavAllowInsecure: false, + RevaGateway: shared.DefaultRevaConfig().Address, + RevaGatewayTLSMode: shared.DefaultRevaConfig().TLSMode, + RevaGatewayTLSCACert: shared.DefaultRevaConfig().TLSCACert, + CS3AllowInsecure: false, + DataEndpoint: "http://127.0.0.1:9186/thumbnails/data", }, } } diff --git a/services/thumbnails/pkg/server/grpc/server.go b/services/thumbnails/pkg/server/grpc/server.go index 9f78524f0fc..0ad60848a12 100644 --- a/services/thumbnails/pkg/server/grpc/server.go +++ b/services/thumbnails/pkg/server/grpc/server.go @@ -26,7 +26,15 @@ func NewService(opts ...Option) grpc.Service { grpc.Version(version.GetString()), ) tconf := options.Config.Thumbnail - gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) + tm, err := pool.StringToTLSMode(tconf.RevaGatewayTLSMode) + if err != nil { + options.Logger.Error().Err(err).Msg("could not get gateway client tls mode") + return grpc.Service{} + } + gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway, + pool.WithTLSCACert(tconf.RevaGatewayTLSCACert), + pool.WithTLSMode(tm), + ) if err != nil { options.Logger.Error().Err(err).Msg("could not get gateway client") return grpc.Service{} diff --git a/services/users/pkg/config/config.go b/services/users/pkg/config/config.go index 269151597ba..829b82c39e8 100644 --- a/services/users/pkg/config/config.go +++ b/services/users/pkg/config/config.go @@ -16,7 +16,7 @@ type Config struct { GRPC GRPCConfig `yaml:"grpc"` TokenManager *TokenManager `yaml:"token_manager"` - Reva *Reva `yaml:"reva"` + Reva *shared.Reva `yaml:"reva"` SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"USERS_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the loading of user's group memberships from the reva access token."` @@ -52,9 +52,12 @@ type Debug struct { } type GRPCConfig struct { - Addr string `yaml:"addr" env:"USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."` - Namespace string `yaml:"-"` - Protocol string `yaml:"protocol" env:"USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` + Addr string `yaml:"addr" env:"USERS_GRPC_ADDR" desc:"The bind address of the GRPC service."` + TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"` + TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."` + TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."` + Namespace string `yaml:"-"` + Protocol string `yaml:"protocol" env:"USERS_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."` } type Drivers struct { diff --git a/services/users/pkg/config/defaults/defaultconfig.go b/services/users/pkg/config/defaults/defaultconfig.go index 2f7e8717038..615e3091312 100644 --- a/services/users/pkg/config/defaults/defaultconfig.go +++ b/services/users/pkg/config/defaults/defaultconfig.go @@ -4,6 +4,7 @@ import ( "path/filepath" "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/users/pkg/config" ) @@ -30,9 +31,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "users", }, - Reva: &config.Reva{ - Address: "127.0.0.1:9142", - }, + Reva: shared.DefaultRevaConfig(), Driver: "ldap", Drivers: config.Drivers{ LDAP: config.LDAPDriver{ @@ -106,11 +105,13 @@ func EnsureDefaults(cfg *config.Config) { } if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil { - cfg.Reva = &config.Reva{ - Address: cfg.Commons.Reva.Address, + cfg.Reva = &shared.Reva{ + Address: cfg.Commons.Reva.Address, + TLSMode: cfg.Commons.Reva.TLSMode, + TLSCACert: cfg.Commons.Reva.TLSCACert, } } else if cfg.Reva == nil { - cfg.Reva = &config.Reva{} + cfg.Reva = &shared.Reva{} } if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil { diff --git a/services/users/pkg/config/reva.go b/services/users/pkg/config/reva.go index 110f374c45e..5ae00050890 100644 --- a/services/users/pkg/config/reva.go +++ b/services/users/pkg/config/reva.go @@ -1,10 +1,5 @@ package config -// Reva defines all available REVA configuration. -type Reva struct { - Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` -} - // TokenManager is the config for using the reva token manager type TokenManager struct { JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;USERS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."` diff --git a/services/users/pkg/revaconfig/config.go b/services/users/pkg/revaconfig/config.go index c00b31506f0..27c7af7bd0c 100644 --- a/services/users/pkg/revaconfig/config.go +++ b/services/users/pkg/revaconfig/config.go @@ -17,10 +17,16 @@ func UsersConfigFromStruct(cfg *config.Config) map[string]interface{} { "jwt_secret": cfg.TokenManager.JWTSecret, "gatewaysvc": cfg.Reva.Address, "skip_user_groups_in_token": cfg.SkipUserGroupsInToken, + "grpc_client_options": cfg.Reva.GetGRPCClientConfig(), }, "grpc": map[string]interface{}{ "network": cfg.GRPC.Protocol, "address": cfg.GRPC.Addr, + "tls_settings": map[string]interface{}{ + "enabled": cfg.GRPC.TLSEnabled, + "certificate": cfg.GRPC.TLSCert, + "key": cfg.GRPC.TLSKey, + }, // TODO build services dynamically "services": map[string]interface{}{ "userprovider": map[string]interface{}{ diff --git a/services/webdav/pkg/config/config.go b/services/webdav/pkg/config/config.go index 2e609335a0e..6f28afbc995 100644 --- a/services/webdav/pkg/config/config.go +++ b/services/webdav/pkg/config/config.go @@ -18,9 +18,10 @@ type Config struct { HTTP HTTP `yaml:"http"` - OcisPublicURL string `yaml:"ocis_public_url" env:"OCIS_URL;OCIS_PUBLIC_URL" desc:"URL, where oCIS is reachable for users."` - WebdavNamespace string `yaml:"webdav_namespace" env:"WEBDAV_WEBDAV_NAMESPACE" desc:"CS3 path layout to use when forwarding /webdav requests"` - RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."` - - Context context.Context `yaml:"-"` + OcisPublicURL string `yaml:"ocis_public_url" env:"OCIS_URL;OCIS_PUBLIC_URL" desc:"URL, where oCIS is reachable for users."` + WebdavNamespace string `yaml:"webdav_namespace" env:"WEBDAV_WEBDAV_NAMESPACE" desc:"CS3 path layout to use when forwarding /webdav requests"` + RevaGateway string `yaml:"reva_gateway" env:"REVA_GATEWAY" desc:"CS3 gateway used to look up user metadata"` + RevaGatewayTLSMode string `yaml:"reva_gateway_tls_mode" env:"REVA_GATEWAY_TLS_MODE"` + RevaGatewayTLSCACert string `yaml:"reva_gateway_tls_cacert" env:"REVA_GATEWAY_TLS_CACERT"` + Context context.Context `yaml:"-"` } diff --git a/services/webdav/pkg/config/defaults/defaultconfig.go b/services/webdav/pkg/config/defaults/defaultconfig.go index 12ded296c78..ae6adb85a5d 100644 --- a/services/webdav/pkg/config/defaults/defaultconfig.go +++ b/services/webdav/pkg/config/defaults/defaultconfig.go @@ -3,6 +3,7 @@ package defaults import ( "strings" + "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/services/webdav/pkg/config" ) @@ -35,9 +36,11 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "webdav", }, - OcisPublicURL: "https://127.0.0.1:9200", - WebdavNamespace: "/users/{{.Id.OpaqueId}}", - RevaGateway: "127.0.0.1:9142", + OcisPublicURL: "https://127.0.0.1:9200", + WebdavNamespace: "/users/{{.Id.OpaqueId}}", + RevaGateway: shared.DefaultRevaConfig().Address, + RevaGatewayTLSMode: shared.DefaultRevaConfig().TLSMode, + RevaGatewayTLSCACert: shared.DefaultRevaConfig().TLSCACert, } } diff --git a/services/webdav/pkg/service/v0/service.go b/services/webdav/pkg/service/v0/service.go index 1daa30deb86..ccd5bfe960d 100644 --- a/services/webdav/pkg/service/v0/service.go +++ b/services/webdav/pkg/service/v0/service.go @@ -60,7 +60,14 @@ func NewService(opts ...Option) (Service, error) { // chi.RegisterMethod("REPORT") m.Use(options.Middleware...) - gwc, err := pool.GetGatewayServiceClient(conf.RevaGateway) + tm, err := pool.StringToTLSMode(conf.RevaGatewayTLSMode) + if err != nil { + return nil, err + } + gwc, err := pool.GetGatewayServiceClient(conf.RevaGateway, + pool.WithTLSCACert(conf.RevaGatewayTLSCACert), + pool.WithTLSMode(tm), + ) if err != nil { return nil, err }