feat: add config to overwrite grpc certificate

2024-11-26 17:03:06 +00:00 · 2024-04-13 04:49:25 +00:00 · 2024-04-13 04:49:25 +00:00 · e72bd1cc8c
commit e72bd1cc8c
parent 2858ab402a
3 changed files with 34 additions and 3 deletions
--- a/config-example.yaml
+++ b/config-example.yaml
@ -40,6 +40,11 @@ grpc_listen_addr: 127.0.0.1:50443
 # are doing.
 grpc_allow_insecure: false

+# Use separate a certificate for gRPC, this overwrites
+# the global certificate.
+grpc_tls_cert_path: ""
+grpc_tls_key_path: ""
+
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -631,9 +631,27 @@ func (h *Headscale) Serve() error {
 	// https://github.com/soheilhy/cmux/issues/68
 	// https://github.com/soheilhy/cmux/issues/91

+	grpcTlsConfig := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		Certificates: make([]tls.Certificate, 1),
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	if h.cfg.TLS.GRPCCertPath == "" && h.cfg.TLS.GRPCKeyPath == "" {
+		grpcTlsConfig = tlsConfig
+	} else {
+		grpcTlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLS.GRPCCertPath, h.cfg.TLS.GRPCKeyPath)
+
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to set up gRPC TLS configuration")
+
+			return err
+		}
+	}
+
 	var grpcServer *grpc.Server
 	var grpcListener net.Listener
-	if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
+	if grpcTlsConfig != nil || h.cfg.GRPCAllowInsecure {
 		log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)

 		grpcOptions := []grpc.ServerOption{
@ -646,9 +664,9 @@ func (h *Headscale) Serve() error {
 			),
 		}

-		if tlsConfig != nil {
+		if grpcTlsConfig != nil {
 			grpcOptions = append(grpcOptions,
-				grpc.Creds(credentials.NewTLS(tlsConfig)),
+				grpc.Creds(credentials.NewTLS(grpcTlsConfig)),
 			)
 		} else {
 			log.Warn().Msg("gRPC is running without security")
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -99,6 +99,8 @@ type DatabaseConfig struct {
 type TLSConfig struct {
 	CertPath string
 	KeyPath  string
+	GRPCCertPath string
+	GRPCKeyPath  string

 	LetsEncrypt LetsEncryptConfig
 }
@ -303,6 +305,12 @@ func GetTLSConfig() TLSConfig {
 		KeyPath: util.AbsolutePathFromConfigPath(
 			viper.GetString("tls_key_path"),
 		),
+		GRPCCertPath: util.AbsolutePathFromConfigPath(
+			viper.GetString("grpc_tls_cert_path"),
+		),
+		GRPCKeyPath: util.AbsolutePathFromConfigPath(
+			viper.GetString("grpc_tls_key_path"),
+		),
 	}
 }