Merge pull request #23 from go-coldbrew/feat/grpc-tls

Adding support for TLS in grpc server

README.md

@@ -159,7 +159,7 @@ type CB interface {
 ```
 
 <a name="New"></a>
-### func [New](<https://github.com/go-coldbrew/core/blob/main/core.go#L369>)
+### func [New](<https://github.com/go-coldbrew/core/blob/main/core.go#L414>)
 
 ```go
 func New(c config.Config) CB

config/README.md

@@ -16,7 +16,7 @@ import "github.com/go-coldbrew/core/config"
 
 
 <a name="Config"></a>
-## type [Config](<https://github.com/go-coldbrew/core/blob/main/config/config.go#L6-L84>)
+## type [Config](<https://github.com/go-coldbrew/core/blob/main/config/config.go#L6-L95>)
 
 Config is the configuration for the Coldbrew server It is populated from environment variables and has sensible defaults for all fields so that you can just use it as is without any configuration The following environment variables are supported and can be used to override the defaults for the fields
 
@@ -64,8 +64,12 @@ type Config struct {
     DisableGRPCReflection bool `envconfig:"DISABLE_GRPC_REFLECTION" default:"false"`
     // Trace header, when this HTTP header is present CB will add the value to log/trace contexts
     TraceHeaderName string `envconfig:"TRACE_HEADER_NAME" default:"x-trace-id"`
-    // When we match this HTTP header prefix, we forward append the values to grpc metadata
+    // [Deprecated] - please use HTTPHeaderPrefixes instead
     HTTPHeaderPrefix string `envconfig:"HTTP_HEADER_PREFIX" default:""`
+    // When we match one of the HTTP header prefix configured in this list,
+    // we forward append the values to grpc metadata. If the deprecated HTTPHeaderPrefix
+    // is set, it will only be used if this field is not configured
+    HTTPHeaderPrefixes []string `envconfig:"HTTP_HEADER_PREFIXES" default:""`
     // Should we log calls to GRPC reflection API, defaults to true
     DoNotLogGRPCReflection bool `envconfig:"DO_NOT_LOG_GRPC_REFLECTION" default:"true"`
     // Should we disable signal handler, defaults to false and CB handles all SIG_INT/SIG_TERM
@@ -99,6 +103,13 @@ type Config struct {
     // DisableAutoMaxProcs disables the automatic setting of GOMAXPROCS
     // This is useful when running in a container where the container runtime sets GOMAXPROCS for you already
     DisableAutoMaxProcs bool `envconfig:"DISABLE_AUTO_MAX_PROCS" default:"false"`
+
+    // GRPCTLSKeyFile and GRPCTLSCertFile are the paths to the key and cert files for the GRPC server
+    // If these are set, the server will be started with TLS enabled
+    GRPCTLSKeyFile string `envconfig:"GRPC_TLS_KEY_FILE"`
+    // GRPCTLSCertFile an GRPCTLSKeyFile are the paths to the key and cert files for the GRPC server
+    // If these are set, the server will be started with TLS enabled
+    GRPCTLSCertFile string `envconfig:"GRPC_TLS_CERT_FILE"`
 }
 ```
 

config/config.go

@@ -85,4 +85,11 @@ type Config struct {
 	// DisableAutoMaxProcs disables the automatic setting of GOMAXPROCS
 	// This is useful when running in a container where the container runtime sets GOMAXPROCS for you already
 	DisableAutoMaxProcs bool `envconfig:"DISABLE_AUTO_MAX_PROCS" default:"false"`
+
+	// GRPCTLSKeyFile and GRPCTLSCertFile are the paths to the key and cert files for the GRPC server
+	// If these are set, the server will be started with TLS enabled
+	GRPCTLSKeyFile string `envconfig:"GRPC_TLS_KEY_FILE"`
+	// GRPCTLSCertFile an GRPCTLSKeyFile are the paths to the key and cert files for the GRPC server
+	// If these are set, the server will be started with TLS enabled
+	GRPCTLSCertFile string `envconfig:"GRPC_TLS_CERT_FILE"`
 }

core.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -25,6 +26,7 @@ import (
 	"github.com/opentracing/opentracing-go/ext"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/reflection"
@@ -39,6 +41,7 @@ type cb struct {
 	httpServer     *http.Server
 	cancelFunc     context.CancelFunc
 	gracefulWait   sync.WaitGroup
+	creds          credentials.TransportCredentials
 }
 
 func (c *cb) SetService(svc CBService) error {
@@ -170,8 +173,13 @@ func (c *cb) initHTTP(ctx context.Context) (*http.Server, error) {
 
 	mux := runtime.NewServeMux(muxOpts...)
 
+	creds := c.creds
+	if creds == nil {
+		creds = insecure.NewCredentials()
+	}
+
 	opts := []grpc.DialOption{
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithTransportCredentials(creds),
 		grpc.WithUnaryInterceptor(
 			interceptors.DefaultClientInterceptor(
 				grpc_opentracing.WithTraceHeaderName(c.config.TraceHeaderName),
@@ -220,7 +228,7 @@ func (c *cb) initHTTP(ctx context.Context) (*http.Server, error) {
 	return gwServer, nil
 }
 
-func (c *cb) runHTTP(ctx context.Context, svr *http.Server) error {
+func (c *cb) runHTTP(_ context.Context, svr *http.Server) error {
 	return svr.ListenAndServe()
 }
 
@@ -248,8 +256,33 @@ func (c *cb) getGRPCServerOptions() []grpc.ServerOption {
 	return so
 }
 
+func loadTLSCredentials(certFile, keyFile string) (credentials.TransportCredentials, error) {
+	// Load server's certificate and private key
+	serverCert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the credentials and return it
+	config := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+	}
+
+	return credentials.NewTLS(config), nil
+}
+
 func (c *cb) initGRPC(ctx context.Context) (*grpc.Server, error) {
-	grpcServer := grpc.NewServer(c.getGRPCServerOptions()...)
+	so := c.getGRPCServerOptions()
+	if c.config.GRPCTLSCertFile != "" && c.config.GRPCTLSKeyFile != "" {
+		creds, err := loadTLSCredentials(c.config.GRPCTLSCertFile, c.config.GRPCTLSKeyFile)
+		if err != nil {
+			return nil, err
+		}
+		c.creds = creds
+		so = append(so, grpc.Creds(creds))
+	}
+	grpcServer := grpc.NewServer(so...)
 	for _, s := range c.svc {
 		if err := s.InitGRPC(ctx, grpcServer); err != nil {
 			return nil, err