From 5c0e4f0caebaee52a4d3088dca5d3a9877e84513 Mon Sep 17 00:00:00 2001
From: hperl <34397+hperl@users.noreply.github.com>
Date: Thu, 18 Aug 2022 15:29:01 +0200
Subject: [PATCH] fix: use TLS in gRPC client

Enable TLS and certificate checking in the gRPC client when communicating with remote hosts.
---
 cmd/client/grpc_client.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/client/grpc_client.go b/cmd/client/grpc_client.go
index b497164ab..cc98b804c 100644
--- a/cmd/client/grpc_client.go
+++ b/cmd/client/grpc_client.go
@@ -3,6 +3,7 @@ package client
 import (
 "context"
 "fmt"
+ "net"
 "os"
 "strings"
 "time"
@@ -12,6 +13,7 @@ import (
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 )
 
@@ -62,7 +64,20 @@ func Conn(ctx context.Context, remote string) (*grpc.ClientConn, error) {
 ctx, cancel := context.WithTimeout(ctx, timeout)
 defer cancel()
 
- return grpc.DialContext(ctx, remote, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock(), grpc.WithDisableHealthCheck())
+ return grpc.DialContext(ctx, remote,
+ grpc.WithTransportCredentials(transportCredentials(remote)),
+ grpc.WithBlock(),
+ grpc.WithDisableHealthCheck())
+}
+
+func transportCredentials(remote string) credentials.TransportCredentials {
+ host, _, err := net.SplitHostPort(remote)
+ if err == nil && (host == "127.0.0.1" || host == "localhost") {
+ return insecure.NewCredentials()
+ }
+
+ // Defaults to the default host root CA bundle
+ return credentials.NewTLS(nil)
 }
 
 func RegisterRemoteURLFlags(flags *pflag.FlagSet) {
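Review bot: In `transportCredentials`, the plaintext exemption is decided by comparing the host string with `"127.0.0.1"` and `"localhost"`, so it misses other loopback spellings such as `[::1]:port` (which would then attempt TLS against a local plaintext server) and, for `localhost`, relies on what the resolver returns rather than on the address actually being loopback. Checking the parsed address is tighter: `if ip := net.ParseIP(host); err == nil && ip != nil && ip.IsLoopback() {`, keeping `host == "localhost"` in the condition only if name-based plaintext is really intended. The function also has no doc comment; something like `// transportCredentials returns plaintext credentials for loopback remotes and TLS verified against the system root CAs for everything else.` would make the downgrade rule visible to callers of `Conn`. A remote given without a port makes `net.SplitHostPort` fail and falls through to TLS, which is the safe direction but worth stating in that comment.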