yarpc / yarpc-go

A message passing platform for Go

MIT License

404 stars 102 forks source link

Add TLS support for gRPC outbounds #1468

Closed marpetr closed 4 years ago

marpetr commented 6 years ago

gRPC outbounds should accept tls parameter alongside destination address.

yarpc:
  outbounds:
    my-outbound:
      grpc:
        address: ipv4:///1.2.3.4:8443
        tls: true

tls flag determines whether TLS should be used. If tls is false (the default), the connection should use grpc.WithInsecure() option. If tls is true, the connection should be opened with grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")) option (nil = use system certificate pool).

marpetr commented 6 years ago

1461 is an attempt to add TLS support to the outbound API, but it faces a couple problems:

It is impossible to use the system certificate store when YARPC dispatcher is initialized through yarpcconfig.
It is not useful to specify a path to a PEM certificate. It implies that a copy of the certificate should be stored and maintained along the binary.
grpc.ClientCertPool should support the system certificate store.

jacobsevart commented 6 years ago

Please (also? instead?) provide something connected to credentials.NewTLS() as there may be significant nuance to an organizational PKI within a service mesh.

peats-bond commented 4 years ago

closed by #1496 and #1489