Add authentication to gRPC for Helm based Execution Environments (Stage 2)
Proposers
- Gabriel Cuba (Whitestack)
- Gianpietro Lavado (Whitestack)
Description
Currently, gRPC does not support TLS authentication.
This feature proposes adding TLS to gRPC channels on both sides (LCM and Execution Environment). Certificates should be managed by an external manager (e.g. cert-manager).
Backwards compatibility is preserved by falling back to plain-text gRPC, with an optional configuration flag to enforce the use of TLS.
As this implies multiple changes, the proposal is to split this feature into 2 stages:
- Stage 1: Creation of CA and TLS keys in LCM (using an external certificate manager) and adaptation of gRPC server to use TLS
- Stage 2: Adaptation of LCM to use client side TLS
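One way the LCM side of Stage 2 could choose between TLS and the plain-text fallback, shown as an added example that is not the project's or the proposers' code. The names `TlsMaterial`, `select_mode` and `open_channel`, the file paths, and the assumption that the EE's gRPC server requires a client certificate signed by the LCM CA are hypothetical; treating a partially present certificate set as an error instead of downgrading is this example's own choice.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsMaterial:
    # Hypothetical paths; in the proposal the files are issued by an
    # external manager such as cert-manager.
    ca_cert: str
    client_cert: str
    client_key: str

    def missing(self):
        paths = (self.ca_cert, self.client_cert, self.client_key)
        return [p for p in paths if not os.path.isfile(p)]


def select_mode(material, enforce_tls):
    """Return "tls" or "plaintext"; raise when TLS cannot be used safely."""
    missing = material.missing()
    if not missing:
        return "tls"
    if len(missing) < 3:
        # Assumption of this example: a half-provisioned set is a
        # misconfiguration, so never downgrade silently in that case.
        raise RuntimeError("incomplete TLS material: " + ", ".join(missing))
    if enforce_tls:
        raise RuntimeError("TLS is enforced but no certificates were found")
    return "plaintext"  # backwards-compatible fallback from the proposal


def open_channel(target, material, enforce_tls=False):
    """Build the LCM-side channel to an EE (needs the grpcio package)."""
    import grpc  # lazy import: select_mode stays usable without grpcio

    if select_mode(material, enforce_tls) == "plaintext":
        return grpc.insecure_channel(target)

    def read(path):
        with open(path, "rb") as fh:
            return fh.read()

    creds = grpc.ssl_channel_credentials(
        root_certificates=read(material.ca_cert),
        private_key=read(material.client_key),
        certificate_chain=read(material.client_cert),
    )
    return grpc.secure_channel(target, creds)
```

With the enforcement flag off, a deployment whose certificates were never issued keeps working over plain text, so the flag has to be on before the Stage 2 definition of done can hold.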
Demo or definition of done (Stage 2)
- Communication with the gRPC server in Helm based EEs is not allowed from outside of LCM.
The robot test created in Stage 1 will be modified to do the following:
- Create a Helm based EE
- Instantiate an external gRPC client
- Attempt to connect to the EE
- The connection attempt should fail