agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287)

Currently the gRPC server assumes that if you have configured TLS
certs on the agent (for RPC), you want gRPC to be encrypted.
If gRPC is bound to localhost this can be overkill. For the API we
let the user choose to offer HTTP or HTTPS API endpoints
independently of the TLS cert configuration for a similar reason.

This setting will let someone encrypt RPC traffic with TLS but avoid
encrypting local gRPC traffic if that is what they want to do by only
enabling TLS on gRPC if the HTTPS API port is enabled.
R.B. Boyer 2019-02-13 11:49:54 -06:00 committed by GitHub
parent 77d28fe9ce
commit 2bb7e19e8b
1 changed file with 7 additions and 1 deletion


@ -525,7 +525,13 @@ func (a *Agent) listenAndServeGRPC() error {
a.xdsServer.Initialize()
var err error
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
if a.config.HTTPSPort > 0 {
// gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
// enabled then gRPC will require HTTPS as well.
a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
} else {
a.grpcServer, err = a.xdsServer.GRPCServer("", "")
}
if err != nil {
return err
}
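Review bot: the new comment `// enabled then gRPC will require HTTPS as well.` describes the wrong property; the branch decides whether the gRPC listener uses TLS, so "gRPC will require TLS as well" matches what `GRPCServer(a.config.CertFile, a.config.KeyFile)` versus `GRPCServer("", "")` actually changes. Separately, this is a behaviour change for any deployment that sets CertFile/KeyFile without an HTTPS port: before this hunk such an agent served gRPC over TLS, after it gRPC is plaintext, with no error or log line in the `else` branch to say so. A log entry at that point, and a note in the agent TLS/gRPC configuration docs (the "1 changed file" summary shows no docs update), would keep operators from discovering the downgrade by accident.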