tls changes

Gopkg.toml

 [[constraint]]
-  branch = "master"
+  branch = "1-loadbalancing"
   name = "code.vereign.com/code/viam-apis"
 
+[[override]]
+  branch = "1-loadbalancing"
+  name = "code.vereign.com/billing-and-federation/apis"
+
 [[override]]
   name = "github.com/hashicorp/go-retryablehttp"
   version = "=v0.5.4"

config/configs.go

@@ -29,6 +29,7 @@ var VereignCaKeyPEM []byte
 var ReplaceKey bool
 
 var MaxMessageSize int
+var UseTLS bool
 
 var GrpcListenAddress string
 var RestListenAddress string
@@ -55,6 +56,7 @@ func SetConfigValues(configFile, etcdURL string) {
 	viper.SetDefault("viamSession", "viam-session")
 
 	viper.SetDefault("maxMessageSize", 64)
+	viper.SetDefault("useTls", 1)
 
 	// Certification Related
 	// File System Defaults
@@ -143,6 +145,11 @@ func SetConfigValues(configFile, etcdURL string) {
 	SystemAuth.Session = viper.GetString("viamSession")
 
 	MaxMessageSize = viper.GetInt("maxMessageSize")
+	if viper.GetInt("useTls") == 0 {
+		UseTLS = false
+	} else {
+		UseTLS = true
+	}
 
 	PrometeusListenAddress = viper.GetString("prometeusListenAddress")
 

server/server.go

@@ -155,10 +155,6 @@ func createQueryTime(funcName string) prometheus.Summary {
 }
 
 func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignCertPEM, vereignPrivateKeyPEM []byte, dataStorageAddress string, maxMessageSize int) error {
-	pkgCertPEM = certPEM
-	pkgKeyPEM = privateKeyPEM
-	pkgCaCertPEM = caCertPEM
-
 	// create a listener on TCP port
 	lis, err := net.Listen("tcp", address)
 	if err != nil {
@@ -166,6 +162,45 @@ func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignC
 		return fmt.Errorf("failed to listen: %v", err)
 	}
 
+	pkgCertPEM = certPEM
+	pkgKeyPEM = privateKeyPEM
+	pkgCaCertPEM = caCertPEM
+
+	opts := []grpc.ServerOption{}
+	opts = append(opts, grpc.UnaryInterceptor(unaryInterceptor),
+		grpc.MaxRecvMsgSize(config.MaxMessageSize*1024*1024))
+
+	if config.UseTLS {
+		// Load the certificates from PEM Strings
+		certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
+
+		if err != nil {
+			log.Printf("Error: %v", err)
+			return fmt.Errorf("could not load server key pair: %s", err)
+		}
+
+		// Create a certificate pool from the certificate authority
+		// Get the SystemCertPool, continue with an empty pool on error
+		certPool, _ := x509.SystemCertPool()
+		if certPool == nil {
+			certPool = x509.NewCertPool()
+		}
+
+		if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
+			return fmt.Errorf("failed to append server certs")
+		}
+
+		// Create the TLS credentials
+		creds := credentials.NewTLS(&tls.Config{
+			//ClientAuth:   tls.RequireAndVerifyClientCert,
+			Certificates: []tls.Certificate{certificate},
+			ClientCAs:    certPool,
+		})
+
+		// Create an array of gRPC options with the credentials
+		opts = append(opts, grpc.Creds(creds))
+	}
+
 	// create a server instance
 	s := handler.KeyStorageServerImpl{
 		DataStorageUrl:       dataStorageAddress,
@@ -177,39 +212,6 @@ func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignC
 		MaxMessageSize:       maxMessageSize,
 	}
 
-	// Load the certificates from PEM Strings
-	certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
-
-	if err != nil {
-		log.Printf("Error: %v", err)
-		return fmt.Errorf("could not load server key pair: %s", err)
-	}
-
-	// Create a certificate pool from the certificate authority
-	// Get the SystemCertPool, continue with an empty pool on error
-	certPool, _ := x509.SystemCertPool()
-	if certPool == nil {
-		certPool = x509.NewCertPool()
-	}
-
-	if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
-		return fmt.Errorf("failed to append server certs")
-	}
-
-	// Create the TLS credentials
-	creds := credentials.NewTLS(&tls.Config{
-		//ClientAuth:   tls.RequireAndVerifyClientCert,
-		Certificates: []tls.Certificate{certificate},
-		ClientCAs:    certPool,
-	})
-
-	// Create an array of gRPC options with the credentials
-	opts := []grpc.ServerOption{
-		grpc.Creds(creds),
-		grpc.UnaryInterceptor(unaryInterceptor),
-		grpc.MaxRecvMsgSize(config.MaxMessageSize * 1024 * 1024),
-	}
-
 	// create a gRPC server object
 	grpcServer := grpc.NewServer(opts...)
 

utils/utils.go

@@ -18,12 +18,13 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
 package utils
 
 import (
-	"code.vereign.com/code/viam-apis/errors"
 	"crypto/rand"
 	"crypto/x509"
 	"fmt"
 	"io"
 
+	"code.vereign.com/code/viam-apis/errors"
+
 	"code.vereign.com/code/viam-apis/log"
 
 	"encoding/pem"
@@ -155,11 +156,11 @@ func GetKey(client *client.DataStorageClientImpl, uuid string, keyType api.KeyTy
 }
 
 func CreateDataStorageClient(auth *authentication.Authentication) *dsclient.DataStorageClientImpl {
-	return clientutils.CreateDataStorageClient(auth, config.DataStorageUrl, config.CertificatePEM,
+	return clientutils.CreateDataStorageClient(auth, config.DataStorageUrl, config.UseTLS, config.CertificatePEM,
 		config.PrivateKeyPEM, config.CaCertificatePEM, config.MaxMessageSize)
 }
 
 func CreateEntitiesManagementClient(auth *authentication.Authentication) *emclient.EntitiesManagerClientImpl {
-	return clientutils.CreateEntitiesManagementClient(auth, config.EntitiesManagerUrl, config.CertificatePEM,
+	return clientutils.CreateEntitiesManagementClient(auth, config.EntitiesManagerUrl, config.UseTLS, config.CertificatePEM,
 		config.PrivateKeyPEM, config.CaCertificatePEM, config.MaxMessageSize)
 }