From 2bb7e19e8b26f6a110d6f0901a49afa3f4453a34 Mon Sep 17 00:00:00 2001 From: "R.B. Boyer" Date: Wed, 13 Feb 2019 11:49:54 -0600 Subject: [PATCH] agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287) Currently the gRPC server assumes that if you have configured TLS certs on the agent (for RPC) that you want gRPC to be encrypted. If gRPC is bound to localhost this can be overkill. For the API we let the user choose to offer HTTP or HTTPS API endpoints independently of the TLS cert configuration for a similar reason. This setting will let someone encrypt RPC traffic with TLS but avoid encrypting local gRPC traffic if that is what they want to do by only enabling TLS on gRPC if the HTTPS API port is enabled.
---
 agent/agent.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/agent/agent.go b/agent/agent.go
index 8d21db7c2..35403a145 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -525,7 +525,13 @@ func (a *Agent) listenAndServeGRPC() error {
 	a.xdsServer.Initialize()
 	var err error
-	a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+	if a.config.HTTPSPort > 0 {
+		// gRPC uses the same TLS settings as the HTTPS API. If HTTPS is
+		// enabled then gRPC will require HTTPS as well.
+		a.grpcServer, err = a.xdsServer.GRPCServer(a.config.CertFile, a.config.KeyFile)
+	} else {
+		a.grpcServer, err = a.xdsServer.GRPCServer("", "")
+	}
 	if err != nil {
 		return err
 	}
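Review bot: The else branch silently serves gRPC in plaintext whenever HTTPSPort is not positive, even when CertFile and KeyFile are configured, and nothing in the hunk records that downgrade; the added comment only describes the enabled case. The commit message justifies this for a loopback-bound gRPC listener, but the condition does not look at the gRPC bind address, so an agent with certs configured, HTTPS disabled and gRPC bound to a non-loopback interface ends up with an unencrypted listener and no indication of it. I would extend the comment on the else branch, e.g. `// HTTPS API disabled: gRPC is served without TLS even if CertFile/KeyFile are set; only appropriate when gRPC is bound to loopback.`, and emit a startup log line in that branch so the plaintext mode is visible to operators (the agent's logger field is not shown in this hunk). listenAndServeGRPC starts before the hunk and continues past it.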