Change DAPR_GRPC_ENDPOINT to infer TLS based on query parameter (#40)

* Change `DAPR_GRPC_ENDPOINT` to infer TLS based on query parameter Signed-off-by: joshvanl <[email protected]> * Update 0008-S-sidecar-endpoint-tls.md with example results of parsing various DAPR_GRPC_ENDPOINT environment variable values Signed-off-by: joshvanl <[email protected]> * Adds backwards compatibility to `https` scheme, and don't use TLS on port 443 by default. Signed-off-by: joshvanl <[email protected]> --------- Signed-off-by: joshvanl <[email protected]>
dapr · Oct 17, 2023 · 551166b · 551166b
1 parent 1eb3481
commit 551166b
Showing 1 changed file with 25 additions and 5 deletions.
diff --git a/0008-S-sidecar-endpoint-tls.md b/0008-S-sidecar-endpoint-tls.md
@@ -67,18 +67,31 @@ Cons:
 
 ### Design
 
-* `DAPR_GRPC_ENDPOINT` defines entire endpoit for gRPC, not just host: `https://dapr-grpc.mycompany.com`
-* `DAPR_HTTP_ENDPOINT` defines entire endpoit for HTTP, not just host: `https://dapr-http.mycompany.com`
-* Port is parsed from the URL (`https://dapr.mycompany.com:8080`) or via the default port of the protocol used in the URL (80 for `http` and 443 for `https`)
+* `DAPR_GRPC_ENDPOINT` defines entire endpoint for gRPC, not just host: `dapr-grpc.mycompany.com`. No port in the URL defaults to 443.
+* `DAPR_HTTP_ENDPOINT` defines entire endpoint for HTTP, not just host: `https://dapr-http.mycompany.com`
+* Port is parsed from the hostport string (`dapr.mycompany.com:8080`) or via the default port of the protocol used in the URL (80 for `plaintext` and 443 for `TLS`)
 * `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` can be set at the same time since some SDKs (Java, as of now) supports both protocols at the same time and app can pick which one to use.
-* `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` must be parsed and the protocol will be used for SDK to determine if communication is over TLS (if not done automatically). In summary, `https` means secure channel.
-* Initially, only `http` and `https` protocols should be supported. Other protocols can be added in the future depending on each language support.
+* `DAPR_HTTP_ENDPOINT` must be parsed and the protocol will be used by SDK to determine if communication is over TLS (if not done automatically). In summary, `https` means secure channel.
+* `DAPR_GRPC_ENDPOINT` must be parsed and the query parameter will be used to determine whether the endpoint uses TLS. In summary, `?tls=true` means to use TLS. An empty query parameter defaults TLS to false. SDKs should error on unrecognised or invalid query parameters.
 * `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` have priority over existing `DAPR_HOST` and `DAPR_HTTP_PORT` or `DAPR_GRPC_PORT` environment variables. Application's hardcoded values passed via constructor takes priority over any environment variable. In summary, this is the priority list (highest on top):
   1. Values passed via constructor or builder method.
   2. Properties or any other language specific configuration framework.
   3. `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT`
   4. Existing `DAPR_HOST` (or equivalent, defaulting to `127.0.0.1`) + `DAPR_HTTP_PORT` or `DAPR_GRPC_PORT`
 
+`DAPR_GRPC_ENDPOINT` host port parsing example:
+
+```
+myhost => port=443 tls=false resolver=dns
+myhost?tls=false => port=443 tls=false resolver=dns
+myhost:443 => port=443 tls=false resolver=dns
+myhost:1003 => port=1003 tls=false resolver=dns
+myhost:1003?tls=true => port=1003 tls=true resolver=dns
+dns://myhost:1003?tls=true => port=1003 tls=true resolver=dns
+unix://my.sock => port=<no concept of port> tls=false resolver=unix
+unix://my.sock?tls=true => port=<no concept of port> tls=true resolver=unix
+```
+
 #### Example of implementation
 
 https://github.com/dapr/java-sdk/blob/76aec01e9aa4af7a72b910d77685ddd3f0bf86f3/sdk/src/main/java/io/dapr/client/DaprClientBuilder.java#L172C3-L192
@@ -88,10 +101,17 @@ https://github.com/dapr/java-sdk/blob/76aec01e9aa4af7a72b910d77685ddd3f0bf86f3/s
 * Compatability guarantees
 This feature should allow localhost definition too `http://127.0.0.1:3500`, for example.
 
+* This feature should continue to allow using other resolvers other than DNS (e.g.
+`unix://`).
+
 * Deprecation / co-existence with existing functionality
 This feature takes priority over existing (inconsistent) environment variables from each SDK. If app provides a hardcoded value for Dapr endpoint (via constructor, for example), it takes priority.
 Use of existing `DAPR_API_TOKEN` environment variables is highly encouraged for remote API but not required.
 
+* SDKs will continue to accept the old behaviour of DAPR_GRPC_ENPOINT` with
+  the scheme value `https` to signal to use TLS. Where a value contains both the
+  `https` scheme and `?tls=false` query, SDKs will error and refuse to connect.
+
 * Feature flags
 N/A