agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287)
Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.pull/5344/head
parent
f2ed3a3777
commit
de0f585583
@ -525,7 +525,13 @@ func (a *Agent) listenAndServeGRPC() error {
|
||||||
a.xdsServer.Initialize()
|
a.xdsServer.Initialize()
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
|
if a.config.HTTPSPort > 0 {
|
||||||
|
// gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
|
||||||
|
// enabled then gRPC will require HTTPS as well.
|
||||||
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
|
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
|
||||||
|
} else {
|
||||||
|
a.grpcServer, err = a.xdsServer.GRPCServer("", "")
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
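Review bot: With this change an agent that has cert_file/key_file configured but no HTTPS port now silently serves gRPC in plaintext where it previously served TLS, and nothing in the hunk tells the operator that the downgrade happened; consider emitting an INFO-level log line in the `} else {` branch (e.g. "gRPC TLS disabled because the HTTPS API port is not enabled") so the mode is visible at startup and in audits. The added comment is also slightly misleading, since gRPC does not "require HTTPS"; I would reword it to `// gRPC uses the same TLS cert and key as the HTTPS API. If the HTTPS` / `// port is enabled, gRPC is served over TLS; otherwise it is plaintext.` Whether the other HTTPS settings (CA file, client verification, TLS versions) carry over to gRPC cannot be seen here, since only CertFile and KeyFile are passed to GRPCServer, so the comment should not claim more than that. The behaviour of GRPCServer("", "") as plaintext is inferred, not shown in the hunk, and listenAndServeGRPC continues outside it.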