From de0f585583963edfadbd4d3dacbf7ca98aa6c000 Mon Sep 17 00:00:00 2001
From: "R.B. Boyer"
Date: Wed, 13 Feb 2019 11:49:54 -0600
Subject: [PATCH] agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287)

Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.
---
 agent/agent.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/agent/agent.go b/agent/agent.go
index 8d21db7c22..35403a1453 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -525,7 +525,13 @@ func (a *Agent) listenAndServeGRPC() error {
 a.xdsServer.Initialize()
 var err error
- a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+ if a.config.HTTPSPort > 0 {
+ // gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
+ // enabled then gRPC will require HTTPS as well.
+ a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+ } else {
+ a.grpcServer, err = a.xdsServer.GRPCServer("", "")
+ }
 if err != nil {
 return err
 }
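Review bot: The else branch serves gRPC without TLS whenever `HTTPSPort` is not set, regardless of whether `CertFile`/`KeyFile` are configured or which address gRPC is bound to, so an operator who previously relied on the RPC certs to protect a non-loopback gRPC listener loses encryption silently after this change. It would help to emit a startup log line in the else branch when `a.config.CertFile != ""` stating that gRPC TLS is disabled because the HTTPS port is not enabled, and to document the new coupling in the configuration reference for the https port and the gRPC port. The inline comment is also slightly inaccurate, since gRPC is served with TLS rather than HTTPS; `// enabled then gRPC will be served with TLS as well.` reads more precisely. Whether `GRPCServer("", "")` actually yields a plaintext server is not visible in this hunk and is assumed from the commit message. The body of listenAndServeGRPC continues past the end of the hunk.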