Introduce TLS Settings for all reva grpc services and clients

ocis-pkg/shared/reva.go

@@ -0,0 +1,21 @@
+package shared
+
+import "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+
+var defaultRevaConfig = Reva{
+	Address: "127.0.0.1:9142",
+}
+
+func DefaultRevaConfig() *Reva {
+	// copy
+	ret := defaultRevaConfig
+	return &ret
+}
+
+func (r *Reva) GetRevaOptions() []pool.Option {
+	tm, _ := pool.StringToTLSMode(r.TLSMode)
+	opts := []pool.Option{
+		pool.WithTLSMode(tm),
+	}
+	return opts
+}

ocis-pkg/shared/shared_types.go

@@ -29,9 +29,11 @@ type TokenManager struct {
 	JWTSecret string `mask:"password" yaml:"jwt_secret" env:"OCIS_JWT_SECRET" desc:"The secret to mint and validate jwt tokens."`
 }
 
-// Reva defines all available REVA configuration.
+// Reva defines all available REVA client configuration.
 type Reva struct {
-	Address string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+	Address   string `yaml:"address" env:"REVA_GATEWAY" desc:"The CS3 gateway endpoint."`
+	TLSMode   string `yaml:"tls_mode" env:"REVA_GATEWAY_TLS_MODE" desc:"TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security."`
+	TLSCACert string `yaml:"tls_cacert" env:"REVA_GATEWAY_TLS_CACERT" desc:"The root CA certificate used to validate the gateway's TLS certificate."`
 }
 
 type CacheStore struct {

services/app-provider/pkg/config/config.go

@@ -52,9 +52,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
+	Addr       string `yaml:"addr" env:"APP_PROVIDER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"APP_PROVIDER_GRPC_PROTOCOL" desc:"The transport protocol of the GPRC service."`
 }
 
 type Drivers struct {

services/app-provider/pkg/config/defaults/defaultconfig.go

@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "app-provider",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:   shared.DefaultRevaConfig(),
 		Driver: "",
 		Drivers: config.Drivers{
 			WOPI: config.WOPIDriver{
@@ -67,7 +65,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/app-provider/pkg/revaconfig/config.go

@@ -17,10 +17,19 @@ func AppProviderConfigFromStruct(cfg *config.Config) map[string]interface{} {
 		"shared": map[string]interface{}{
 			"jwt_secret": cfg.TokenManager.JWTSecret,
 			"gatewaysvc": cfg.Reva.Address,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"appprovider": map[string]interface{}{
 					"app_provider_url": cfg.ExternalAddr,

services/app-registry/pkg/config/config.go

@@ -50,9 +50,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"APP_REGISTRY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"APP_REGISTRY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AppRegistry struct {

services/app-registry/pkg/config/defaults/defaultconfig.go

@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "app-registry",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 	}
 }
 
@@ -132,7 +130,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/app-registry/pkg/revaconfig/config.go

@@ -19,10 +19,19 @@ func AppRegistryConfigFromStruct(cfg *config.Config, logger log.Logger) map[stri
 		"shared": map[string]interface{}{
 			"jwt_secret": cfg.TokenManager.JWTSecret,
 			"gatewaysvc": cfg.Reva.Address,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"appregistry": map[string]interface{}{
 					"driver": "static",

services/auth-basic/pkg/config/config.go

@@ -51,9 +51,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_BASIC_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_BASIC_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type AuthProviders struct {

services/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -31,9 +31,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-basic",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:         shared.DefaultRevaConfig(),
 		AuthProvider: "ldap",
 		AuthProviders: config.AuthProviders{
 			LDAP: config.LDAPProvider{
@@ -106,7 +104,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/auth-basic/pkg/revaconfig/config.go

@@ -15,10 +15,19 @@ func AuthBasicConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			// TODO build services dynamically
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{

services/auth-bearer/pkg/config/config.go

@@ -51,9 +51,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_BEARER_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_BEARER_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type OIDC struct {

services/auth-bearer/pkg/config/defaults/defaultconfig.go

@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-bearer",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 		OIDC: config.OIDC{
 			Issuer:   "https://localhost:9200",
 			Insecure: false,
@@ -65,7 +63,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/auth-bearer/pkg/revaconfig/config.go

@@ -15,10 +15,19 @@ func AuthBearerConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "oidc",

services/auth-machine/pkg/config/config.go

@@ -51,7 +51,10 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"AUTH_MACHINE_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"AUTH_MACHINE_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }

services/auth-machine/pkg/config/defaults/defaultconfig.go

@@ -28,9 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-machine",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva: shared.DefaultRevaConfig(),
 	}
 }
 
@@ -60,7 +58,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/auth-machine/pkg/revaconfig/config.go

@@ -17,10 +17,19 @@ func AuthMachineConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address,
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"grpc": map[string]interface{}{
 			"network": cfg.GRPC.Protocol,
 			"address": cfg.GRPC.Addr,
+			"tls_settings": map[string]interface{}{
+				"enabled":     cfg.GRPC.TLSEnabled,
+				"certificate": cfg.GRPC.TLSCert,
+				"key":         cfg.GRPC.TLSKey,
+			},
 			"services": map[string]interface{}{
 				"authprovider": map[string]interface{}{
 					"auth_manager": "machine",

services/frontend/pkg/config/defaults/defaultconfig.go

@@ -29,9 +29,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "frontend",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
+		Reva:                     shared.DefaultRevaConfig(),
 		PublicURL:                "https://localhost:9200",
 		EnableFavorites:          false,
 		EnableProjectSpaces:      true,
@@ -99,7 +97,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}

services/frontend/pkg/revaconfig/config.go

@@ -73,6 +73,10 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
 			"gatewaysvc":                cfg.Reva.Address, // Todo or address?
 			"skip_user_groups_in_token": cfg.SkipUserGroupsInToken,
+			"grpc_client_options": map[string]interface{}{
+				"tls_mode":   cfg.Reva.TLSMode,
+				"tls_cacert": cfg.Reva.TLSCACert,
+			},
 		},
 		"http": map[string]interface{}{
 			"network": cfg.HTTP.Protocol,

services/gateway/pkg/config/config.go

@@ -73,9 +73,12 @@ type Debug struct {
 }
 
 type GRPCConfig struct {
-	Addr      string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
-	Namespace string `yaml:"-"`
-	Protocol  string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
+	Addr       string `yaml:"addr" env:"GATEWAY_GRPC_ADDR" desc:"The bind address of the GRPC service."`
+	TLSEnabled bool   `yaml:"tls_enabled" env:"OCIS_GRPC_TLS_ENABLED"`
+	TLSCert    string `yaml:"tls_cert" env:"OCIS_GRPC_TLS_CERTIFICATE"`
+	TLSKey     string `yaml:"tls_key" env:"OCIS_GRPC_TLS_KEY"`
+	Namespace  string `yaml:"-"`
+	Protocol   string `yaml:"protocol" env:"GATEWAY_GRPC_PROTOCOL" desc:"The transport protocol of the GRPC service."`
 }
 
 type StorageRegistry struct {

services/gateway/pkg/config/defaults/defaultconfig.go

@@ -28,10 +28,7 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "gateway",
 		},
-		Reva: &shared.Reva{
-			Address: "127.0.0.1:9142",
-		},
-
+		Reva:                       shared.DefaultRevaConfig(),
 		CommitShareToStorageGrant:  true,
 		ShareFolder:                "Shares",
 		DisableHomeCreationOnLogin: true,
@@ -90,7 +87,9 @@ func EnsureDefaults(cfg *config.Config) {
 
 	if cfg.Reva == nil && cfg.Commons != nil && cfg.Commons.Reva != nil {
 		cfg.Reva = &shared.Reva{
-			Address: cfg.Commons.Reva.Address,
+			Address:   cfg.Commons.Reva.Address,
+			TLSMode:   cfg.Commons.Reva.TLSMode,
+			TLSCACert: cfg.Commons.Reva.TLSCACert,
 		}
 	} else if cfg.Reva == nil {
 		cfg.Reva = &shared.Reva{}