Add TLS for gPRC server

- Added new config values for enabling TLS and set cert path - Certs will be auto-generated during the deployment of DE via helm-charts (https://github.com/accuknox/agents-chart/pull/30) Signed-off-by: aloksharma20 <[email protected]>
accuknox · Sep 4, 2023 · 46868e3 · 46868e3
1 parent bd4edf2
commit 46868e3
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 4 deletions.
diff --git a/src/conf/local-file.yaml b/src/conf/local-file.yaml
@@ -131,3 +131,10 @@ pprof: false
 # Discovered Policies Configuration  
 dsp:
   auto-deploy-dsp: false
+
+server:
+  port: 9089
+  tls:
+    enable: false
+    cert: /tls/cert.pem
+    key: /tls/key.pem
diff --git a/src/conf/local.yaml b/src/conf/local.yaml
@@ -96,3 +96,10 @@ pprof: false
 # Discovered Policies Configuration
 dsp:
   auto-deploy-dsp: false  
+
+server:
+  port: 9089
+  tls:
+    enable: false
+    cert: /tls/cert.pem
+    key: /tls/key.pem
diff --git a/src/libs/common.go b/src/libs/common.go
@@ -166,6 +166,9 @@ func SetDefaultConfig() {
 	// discoveredPolicy config
 	viper.SetDefault("dsp.auto-deploy-dsp", true)
 
+	// Server TLS Config
+	viper.SetDefault("server.tls.enable", false)
+
 }
 
 type cfgArray []string

diff --git a/src/main.go b/src/main.go
@@ -63,6 +63,7 @@ func init() {
 	log.Info().Msgf("SYSTEM-POLICY: %+v", config.GetCfgSys())
 	log.Info().Msgf("KUBEARMOR: %+v", config.GetCfgKubeArmor())
 	log.Info().Msgf("AUTO-DEPLOY-DSP: %+v", config.GetCfgDsp())
+	log.Info().Msgf("TLS enabled: %t", viper.GetBool("server.tls.enable"))
 
 	// 3. setup the tables in db
 	libs.CreateTablesIfNotExist(config.GetCfgDB())
@@ -107,7 +108,7 @@ func main() {
 // CreateListenerAndGrpcServer - Creates a new connection and listens on a given port
 func CreateListenerAndGrpcServer() (net.Listener, *grpc.Server) {
 	// create server
-	lis, err := net.Listen("tcp", ":"+grpcserver.PortNumber)
+	lis, err := net.Listen("tcp", ":"+viper.GetString("server.port"))
 	if err != nil {
 		log.Error().Msgf("gRPC server failed to listen: %v", err)
 		os.Exit(1)

diff --git a/src/server/grpcServer.go b/src/server/grpcServer.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/accuknox/auto-policy-discovery/src/license"
+	"github.com/spf13/viper"
 
 	"github.com/rs/zerolog"
 
@@ -32,13 +33,12 @@ import (
 	"github.com/accuknox/auto-policy-discovery/src/types"
 
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/health"
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/reflection"
 )
 
-const PortNumber = "9089"
-
 var log *zerolog.Logger
 
 func init() {
@@ -303,7 +303,18 @@ func (ps *publisherServer) GetSummary(req *ppb.SummaryRequest, srv ppb.Publisher
 }
 
 func StartGrpcServer() *grpc.Server {
-	s := grpc.NewServer()
+	var s *grpc.Server
+	if viper.GetBool("server.tls.enable") {
+		creds := GetTLSCredentails()
+		if creds != nil {
+			s = grpc.NewServer(grpc.ServerOption(grpc.Creds(creds)))
+		} else {
+			log.Fatal().Msgf("Unable to read credentails ::  %s", creds)
+		}
+	} else {
+		s = grpc.NewServer()
+	}
+
 	grpc_health_v1.RegisterHealthServer(s, health.NewServer())
 
 	reflection.Register(s)
@@ -362,3 +373,14 @@ func AddServers(s *grpc.Server) *grpc.Server {
 
 	return s
 }
+
+func GetTLSCredentails() credentials.TransportCredentials {
+	certFile := viper.GetString("server.tls.cert")
+	keyFile := viper.GetString("server.tls.key")
+	creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
+	if err != nil {
+		log.Error().Msgf("Unable to read tls certificate credentails ::  %s", err)
+		return nil
+	}
+	return creds
+}