feat: improve UX for external configuration (#6861)

* docs: simplify traefik external tls * remove pass host header * docs: simplify and fix nginx external tls * fix: readiness with enabled tls * improve proxy docs * improve proxy docs * fix(ready): don't verify server cert * complete nginx docs * cleanup * complete traefik docs * add caddy docs * simplify traefik * standardize * fix caddy * add httpd docs * improve external config docs * guiding error message * docs(defaults.yaml): remove misleading comments * guiding error message cs and ru * improve proxy testability * fix compose up command * improve commands * fix nginx tls disabled * fix nginx tls enabled * fix: serve gateway when tls is enabled * fmt caddy files * fix caddy enabled tls * remove not-working commands * review * fix checks * fix link --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:37:32 +00:00 · 2023-11-09 11:30:15 +01:00
parent 22e2d55999
commit e0a5f8661d
57 changed files with 938 additions and 537 deletions
--- a/internal/api/grpc/server/gateway.go
+++ b/internal/api/grpc/server/gateway.go
@@ -2,6 +2,7 @@ package server

 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -9,6 +10,7 @@ import (
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/zitadel/logging"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -89,10 +91,11 @@ func CreateGatewayWithPrefix(
 	http1HostName string,
 	accessInterceptor *http_mw.AccessInterceptor,
 	queries *query.Queries,
+	tlsConfig *tls.Config,
 ) (http.Handler, string, error) {
 	runtimeMux := runtime.NewServeMux(serveMuxOptions...)
 	opts := []grpc.DialOption{
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithTransportCredentials(grpcCredentials(tlsConfig)),
 		grpc.WithUnaryInterceptor(client_middleware.DefaultTracingClient()),
 	}
 	connection, err := dial(ctx, port, opts)
@@ -106,11 +109,17 @@ func CreateGatewayWithPrefix(
 	return addInterceptors(runtimeMux, http1HostName, accessInterceptor, queries), g.GatewayPathPrefix(), nil
 }

-func CreateGateway(ctx context.Context, port uint16, http1HostName string, accessInterceptor *http_mw.AccessInterceptor) (*Gateway, error) {
+func CreateGateway(
+	ctx context.Context,
+	port uint16,
+	http1HostName string,
+	accessInterceptor *http_mw.AccessInterceptor,
+	tlsConfig *tls.Config,
+) (*Gateway, error) {
 	connection, err := dial(ctx,
 		port,
 		[]grpc.DialOption{
-			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithTransportCredentials(grpcCredentials(tlsConfig)),
 			grpc.WithUnaryInterceptor(client_middleware.DefaultTracingClient()),
 		})
 	if err != nil {
@@ -217,3 +226,15 @@ func (r *cookieResponseWriter) WriteHeader(status int) {
 	}
 	r.ResponseWriter.WriteHeader(status)
 }
+
+func grpcCredentials(tlsConfig *tls.Config) credentials.TransportCredentials {
+	creds := insecure.NewCredentials()
+	if tlsConfig != nil {
+		tlsConfigClone := tlsConfig.Clone()
+		// We don't want to verify the certificate of the internal grpc server
+		// That's up to the client who called the gRPC gateway
+		tlsConfigClone.InsecureSkipVerify = true
+		creds = credentials.NewTLS(tlsConfigClone)
+	}
+	return creds
+}