[full-ci] Add TLS options for all reva grpc services

changelog/unreleased/grpc-tls.md

@@ -0,0 +1,6 @@
+Enhancement: Allow to setup TLS for the reva grpc services
+
+We added config options to allow enabling TLS encrption for all reva backed
+grpc services.
+
+https://github.com/owncloud/ocis/pull/4798

ocis-pkg/shared/reva.go

@@ -0,0 +1,28 @@
+package shared
+
+import "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+
+var defaultRevaConfig = Reva{
+ Address: "127.0.0.1:9142",
+}
+
+func DefaultRevaConfig() *Reva {
+ // copy
+ ret := defaultRevaConfig
+ return &ret
+}
+
+func (r *Reva) GetRevaOptions() []pool.Option {
+ tm, _ := pool.StringToTLSMode(r.TLSMode)
+ opts := []pool.Option{
+ pool.WithTLSMode(tm),
+ }
+ return opts
+}
+
+func (r *Reva) GetGRPCClientConfig() map[string]interface{} {
+ return map[string]interface{}{
+ "tls_mode": r.TLSMode,
+ "tls_cacert": r.TLSCACert,
+ }
+}

ocis-pkg/shared/shared_types.go

@@ -29,9 +29,11 @@ type TokenManager struct {
  JWTSecret string `mask:"password" yaml:"jwt_secret" env:"OCIS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`
 }
 
-// Reva defines all available REVA configuration.
+// Reva defines all available REVA client configuration.
 type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+ Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+ TLSMode string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification."`
+ TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."`
 }
 
 type CacheStore struct {

services/app-provider/pkg/config/config.go

@@ -16,7 +16,7 @@ type Config struct {
  GRPC GRPCConfig `yaml:"grpc"`
 
  TokenManager *TokenManager `yaml:"token_manager"`
- Reva *Reva  `yaml:"reva"`
+ Reva *shared.Reva `yaml:"reva"`
 
  ExternalAddr string `yaml:"external_addr" env:"APP_PROVIDER_EXTERNAL_ADDR" desc:"Address of the app provider, where the GATEWAY service can reach it."`
  Driver string `yaml:"driver" env:"APP_PROVIDER_DRIVER" desc:"Driver, the APP PROVIDER services uses. Only \"wopi\" is supported as of now."`
@@ -52,9 +52,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+ Addr string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+ TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
+ TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }
 
 type Drivers struct {

services/app-provider/pkg/config/defaults/defaultconfig.go

@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
  Service: config.Service{
  Name: "app-provider",
  },
- Reva: &config.Reva{
- Address: "127.0.0.1:9142",
- },
+ Reva: shared.DefaultRevaConfig(),
  Driver: "",
  Drivers: config.Drivers{
  WOPI: config.WOPIDriver{
@@ -66,11 +64,13 @@ func EnsureDefaults(cfg *config.Config) {
  }
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
- cfg.Reva = &config.Reva{
- Address: cfg.Commons.Reva.Address,
+ cfg.Reva = &shared.Reva{
+ Address: cfg.Commons.Reva.Address,
+ TLSMode: cfg.Commons.Reva.TLSMode,
+ TLSCACert: cfg.Commons.Reva.TLSCACert,
  }
  } else if cfg.Reva == nil {
- cfg.Reva = &config.Reva{}
+ cfg.Reva = &shared.Reva{}
  }
 
  if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {

services/app-provider/pkg/config/reva.go

@@ -1,10 +1,5 @@
 package config
 
-// Reva defines all available REVA configuration.
-type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
-}
-
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
  JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;APP_PROVIDER_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`

services/app-provider/pkg/revaconfig/config.go

@@ -15,12 +15,18 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
  "tracing_service_name": cfg.Service.Name,
  },
  "shared": map[string]interface{}{
- "jwt_secret": cfg.TokenManager.JWTSecret,
- "gatewaysvc": cfg.Reva.Address,
+ "jwt_secret": cfg.TokenManager.JWTSecret,
+ "gatewaysvc": cfg.Reva.Address,
+ "grpc_client_options": cfg.Reva.GetGRPCClientConfig(),
  },
  "grpc": map[string]interface{}{
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
+ "tls_settings": map[string]interface{}{
+ "enabled": cfg.GRPC.TLSEnabled,
+ "certificate": cfg.GRPC.TLSCert,
+ "key": cfg.GRPC.TLSKey,
+ },
  "services": map[string]interface{}{
  "appprovider": map[string]interface{}{
  "app_provider_url": cfg.ExternalAddr,

services/app-registry/pkg/config/config.go

@@ -17,7 +17,7 @@ type Config struct {
  GRPC GRPCConfig `yaml:"grpc"`
 
  TokenManager *TokenManager `yaml:"token_manager"`
- Reva *Reva  `yaml:"reva"`
+ Reva *shared.Reva `yaml:"reva"`
 
  AppRegistry AppRegistry `yaml:"app_registry"`
 
@@ -50,9 +50,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+ TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
+ TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AppRegistry struct {

services/app-registry/pkg/config/defaults/defaultconfig.go

@@ -1,6 +1,7 @@
 package defaults
 
 import (
+ "github.com/owncloud/ocis/v2/ocis-pkg/shared"
  "github.com/owncloud/ocis/v2/services/app-registry/pkg/config"
 )
 
@@ -27,9 +28,7 @@ func DefaultConfig() *config.Config {
  Service: config.Service{
  Name: "app-registry",
  },
- Reva: &config.Reva{
- Address: "127.0.0.1:9142",
- },
+ Reva: shared.DefaultRevaConfig(),
  }
 }
 
@@ -130,11 +129,13 @@ func EnsureDefaults(cfg *config.Config) {
  }
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
- cfg.Reva = &config.Reva{
- Address: cfg.Commons.Reva.Address,
+ cfg.Reva = &shared.Reva{
+ Address: cfg.Commons.Reva.Address,
+ TLSMode: cfg.Commons.Reva.TLSMode,
+ TLSCACert: cfg.Commons.Reva.TLSCACert,
  }
  } else if cfg.Reva == nil {
- cfg.Reva = &config.Reva{}
+ cfg.Reva = &shared.Reva{}
  }
 
  if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {

services/app-registry/pkg/config/reva.go

@@ -1,10 +1,5 @@
 package config
 
-// Reva defines all available REVA configuration.
-type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
-}
-
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
  JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;APP_REGISTRY_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`

services/app-registry/pkg/revaconfig/config.go

@@ -17,12 +17,18 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
  "tracing_service_name": cfg.Service.Name,
  },
  "shared": map[string]interface{}{
- "jwt_secret": cfg.TokenManager.JWTSecret,
- "gatewaysvc": cfg.Reva.Address,
+ "jwt_secret": cfg.TokenManager.JWTSecret,
+ "gatewaysvc": cfg.Reva.Address,
+ "grpc_client_options": cfg.Reva.GetGRPCClientConfig(),
  },
  "grpc": map[string]interface{}{
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
+ "tls_settings": map[string]interface{}{
+ "enabled": cfg.GRPC.TLSEnabled,
+ "certificate": cfg.GRPC.TLSCert,
+ "key": cfg.GRPC.TLSKey,
+ },
  "services": map[string]interface{}{
  "appregistry": map[string]interface{}{
  "driver": "static",

services/auth-basic/pkg/config/config.go

@@ -16,7 +16,7 @@ type Config struct {
  GRPC GRPCConfig `yaml:"grpc"`
 
  TokenManager *TokenManager `yaml:"token_manager"`
- Reva *Reva  `yaml:"reva"`
+ Reva *shared.Reva `yaml:"reva"`
 
  SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups."`
  AuthProvider string `yaml:"auth_provider" env:"AUTH_BASIC_AUTH_PROVIDER" desc:"The auth provider which should be used by the service like 'ldap'."`
@@ -51,9 +51,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+ TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
+ TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AuthProviders struct {

services/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -4,6 +4,7 @@ import (
  "path/filepath"
 
  "github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
+ "github.com/owncloud/ocis/v2/ocis-pkg/shared"
  "github.com/owncloud/ocis/v2/services/auth-basic/pkg/config"
 )
 
@@ -30,9 +31,7 @@ func DefaultConfig() *config.Config {
  Service: config.Service{
  Name: "auth-basic",
  },
- Reva: &config.Reva{
- Address: "127.0.0.1:9142",
- },
+ Reva: shared.DefaultRevaConfig(),
  AuthProvider: "ldap",
  AuthProviders: config.AuthProviders{
  LDAP: config.LDAPProvider{
@@ -104,11 +103,13 @@ func EnsureDefaults(cfg *config.Config) {
  }
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
- cfg.Reva = &config.Reva{
- Address: cfg.Commons.Reva.Address,
+ cfg.Reva = &shared.Reva{
+ Address: cfg.Commons.Reva.Address,
+ TLSMode: cfg.Commons.Reva.TLSMode,
+ TLSCACert: cfg.Commons.Reva.TLSCACert,
  }
  } else if cfg.Reva == nil {
- cfg.Reva = &config.Reva{}
+ cfg.Reva = &shared.Reva{}
  }
 
  if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {

services/auth-basic/pkg/config/reva.go

@@ -1,10 +1,5 @@
 package config
 
-// Reva defines all available REVA configuration.
-type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
-}
-
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
  JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;AUTH_BASIC_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`

services/auth-basic/pkg/revaconfig/config.go

@@ -15,10 +15,16 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
  "jwt_secret": cfg.TokenManager.JWTSecret,
  "gatewaysvc": cfg.Reva.Address,
  "skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+ "grpc_client_options": cfg.Reva.GetGRPCClientConfig(),
  },
  "grpc": map[string]interface{}{
  "network": cfg.GRPC.Protocol,
  "address": cfg.GRPC.Addr,
+ "tls_settings": map[string]interface{}{
+ "enabled": cfg.GRPC.TLSEnabled,
+ "certificate": cfg.GRPC.TLSCert,
+ "key": cfg.GRPC.TLSKey,
+ },
  // TODO build services dynamically
  "services": map[string]interface{}{
  "authprovider": map[string]interface{}{

services/auth-bearer/pkg/config/config.go

@@ -16,7 +16,7 @@ type Config struct {
  GRPC GRPCConfig `yaml:"grpc"`
 
  TokenManager *TokenManager `yaml:"token_manager"`
- Reva *Reva  `yaml:"reva"`
+ Reva *shared.Reva `yaml:"reva"`
 
  SkipUserGroupsInToken bool `yaml:"skip_user_groups_in_token" env:"AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN" desc:"Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups."`
 
@@ -51,9 +51,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
- Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
- Namespace string `yaml:"-"`
- Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+ Addr string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+ TLSEnabled bool `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+ TLSCert string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE" desc:"Path/File name of the TLS server certificate (in PEM format) for the reva grpc services."`
+ TLSKey string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY" desc:"Path/File name for the TLS certificate key (in PEM format) for the server certificate."`
+ Namespace string `yaml:"-"`
+ Protocol string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type OIDC struct {

services/auth-bearer/pkg/config/defaults/defaultconfig.go

@@ -1,6 +1,7 @@
 package defaults
 
 import (
+ "github.com/owncloud/ocis/v2/ocis-pkg/shared"
  "github.com/owncloud/ocis/v2/services/auth-bearer/pkg/config"
 )
 
@@ -27,9 +28,7 @@ func DefaultConfig() *config.Config {
  Service: config.Service{
  Name: "auth-bearer",
  },
- Reva: &config.Reva{
- Address: "127.0.0.1:9142",
- },
+ Reva: shared.DefaultRevaConfig(),
  OIDC: config.OIDC{
  Issuer: "https://localhost:9200",
  Insecure: false,
@@ -63,11 +62,13 @@ func EnsureDefaults(cfg *config.Config) {
  }
 
  if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
- cfg.Reva = &config.Reva{
- Address: cfg.Commons.Reva.Address,
+ cfg.Reva = &shared.Reva{
+ Address: cfg.Commons.Reva.Address,
+ TLSMode: cfg.Commons.Reva.TLSMode,
+ TLSCACert: cfg.Commons.Reva.TLSCACert,
  }
  } else if cfg.Reva == nil {
- cfg.Reva = &config.Reva{}
+ cfg.Reva = &shared.Reva{}
  }
 
  if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {

services/auth-bearer/pkg/config/reva.go

@@ -1,10 +1,5 @@
 package config
 
-// Reva defines all available REVA configuration.
-type Reva struct {
- Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
-}
-
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
  JWTSecret string `yaml:"jwt_secret" env:"OCIS_JWT_SECRET;AUTH_BEARER_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`