From 551166bb87ceaef762a098846e7f80eb8700535b Mon Sep 17 00:00:00 2001 From: Josh van Leeuwen Date: Tue, 17 Oct 2023 08:56:08 +0200 Subject: [PATCH] Change `DAPR_GRPC_ENDPOINT` to infer TLS based on query parameter (#40) * Change `DAPR_GRPC_ENDPOINT` to infer TLS based on query parameter Signed-off-by: joshvanl * Update 0008-S-sidecar-endpoint-tls.md with example results of parsing various DAPR_GRPC_ENDPOINT environment variable values Signed-off-by: joshvanl * Adds backwards compatibility to `https` scheme, and don't use TLS on port 443 by default. Signed-off-by: joshvanl --------- Signed-off-by: joshvanl --- 0008-S-sidecar-endpoint-tls.md | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/0008-S-sidecar-endpoint-tls.md b/0008-S-sidecar-endpoint-tls.md index 621f8f6..100f4a2 100644 --- a/0008-S-sidecar-endpoint-tls.md +++ b/0008-S-sidecar-endpoint-tls.md 
@@ -67,18 +67,31 @@ Cons: ### Design -* `DAPR_GRPC_ENDPOINT` defines entire endpoit for gRPC, not just host: `https://dapr-grpc.mycompany.com` -* `DAPR_HTTP_ENDPOINT` defines entire endpoit for HTTP, not just host: `https://dapr-http.mycompany.com` -* Port is parsed from the URL (`https://dapr.mycompany.com:8080`) or via the default port of the protocol used in the URL (80 for `http` and 443 for `https`) +* `DAPR_GRPC_ENDPOINT` defines entire endpoint for gRPC, not just host: `dapr-grpc.mycompany.com`. No port in the URL defaults to 443. +* `DAPR_HTTP_ENDPOINT` defines entire endpoint for HTTP, not just host: `https://dapr-http.mycompany.com` +* Port is parsed from the hostport string (`dapr.mycompany.com:8080`) or via the default port of the protocol used in the URL (80 for `plaintext` and 443 for `TLS`) * `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` can be set at the same time since some SDKs (Java, as of now) supports both protocols at the same time and app can pick which one to use. -* `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` must be parsed and the protocol will be used for SDK to determine if communication is over TLS (if not done automatically). In summary, `https` means secure channel. -* Initially, only `http` and `https` protocols should be supported. Other protocols can be added in the future depending on each language support. +* `DAPR_HTTP_ENDPOINT` must be parsed and the protocol will be used by SDK to determine if communication is over TLS (if not done automatically). In summary, `https` means secure channel. +* `DAPR_GRPC_ENDPOINT` must be parsed and the query parameter will be used to determine whether the endpoint uses TLS. In summary, `?tls=true` means to use TLS. An empty query parameter defaults TLS to false. SDKs should error on unrecognised or invalid query parameters. * `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` have priority over existing `DAPR_HOST` and `DAPR_HTTP_PORT` or `DAPR_GRPC_PORT` environment variables. 
Application's hardcoded values passed via constructor takes priority over any environment variable. In summary, this is the priority list (highest on top): 1. Values passed via constructor or builder method. 2. Properties or any other language specific configuration framework. 3. `DAPR_GRPC_ENDPOINT` and `DAPR_HTTP_ENDPOINT` 4. Existing `DAPR_HOST` (or equivalent, defaulting to `127.0.0.1`) + `DAPR_HTTP_PORT` or `DAPR_GRPC_PORT` +`DAPR_GRPC_ENDPOINT` host port parsing example: + +``` +myhost => port=443 tls=false resolver=dns +myhost?tls=false => port=443 tls=false resolver=dns +myhost:443 => port=443 tls=false resolver=dns +myhost:1003 => port=1003 tls=false resolver=dns +myhost:1003?tls=true => port=1003 tls=true resolver=dns +dns://myhost:1003?tls=true => port=1003 tls=true resolver=dns +unix://my.sock => port= tls=false resolver=unix +unix://my.sock?tls=true => port= tls=true resolver=unix +``` + #### Example of implementation https://github.com/dapr/java-sdk/blob/76aec01e9aa4af7a72b910d77685ddd3f0bf86f3/sdk/src/main/java/io/dapr/client/DaprClientBuilder.java#L172C3-L192 
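Review bot: In the first hunk, the port-default bullet still says "via the default port of the protocol used in the URL (80 for `plaintext` and 443 for `TLS`)", but the new first bullet says a missing port defaults to 443 and the parsing examples show `myhost => port=443 tls=false` and `myhost?tls=false => port=443 tls=false`; with the scheme gone from `DAPR_GRPC_ENDPOINT` there is no protocol in the URL to derive 80 from, so either drop the 80 case for gRPC or state plainly that gRPC always defaults to 443 regardless of `tls`. Since `myhost:443` now means plaintext (the opposite of what the HTTP endpoint's `https` convention implies), the doc should call that out explicitly so SDK authors and users do not assume 443 implies TLS. The bullet also says "SDKs should error on unrecognised or invalid query parameters", but the example block shows no rejected input; adding rows such as `myhost?tls=yes` and `myhost?foo=bar` with the expected error would make the rule testable across SDKs.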
@@ -88,10 +101,17 @@ https://github.com/dapr/java-sdk/blob/76aec01e9aa4af7a72b910d77685ddd3f0bf86f3/s * Compatability guarantees This feature should allow localhost definition too `http://127.0.0.1:3500`, for example. +* This feature should continue to allow using other resolvers other than DNS (e.g. +`unix://`). + * Deprecation / co-existence with existing functionality This feature takes priority over existing (inconsistent) environment variables from each SDK. If app provides a hardcoded value for Dapr endpoint (via constructor, for example), it takes priority. Use of existing `DAPR_API_TOKEN` environment variables is highly encouraged for remote API but not required. +* SDKs will continue to accept the old behaviour of DAPR_GRPC_ENPOINT` with + the scheme value `https` to signal to use TLS. Where a value contains both the + `https` scheme and `?tls=false` query, SDKs will error and refuse to connect. + * Feature flags N/A
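Review bot: The backwards-compatibility bullet in the second hunk only covers the `https` scheme; the previous design also accepted `http://` for gRPC, and the text should say whether that scheme is still accepted and, symmetrically with the `https` + `?tls=false` case, that `http://` combined with `?tls=true` is an error rather than silently picking one. The same bullet has a typo and an unbalanced backtick: "DAPR_GRPC_ENPOINT`" should read "`DAPR_GRPC_ENDPOINT`". Consider also adding an `https://myhost:1003` row to the parsing example block in the first hunk so the legacy-scheme path is shown alongside the `?tls=` form. Minor wording: "using other resolvers other than DNS" reads better as "using resolvers other than DNS".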