Add TLS support for `pd`'s gRPC endpoint
Is your feature request related to a problem? Please describe.
It should be possible for pd to serve gRPC using TLS, without requiring the use of an extra proxy layer.
Describe the solution you'd like
Add a way to specify a certificate that pd will use to do TLS. Then use Tonic's TLS support to enable TLS connections on the Server.
It looks like the way to do this is:
- Use `tls_config` on the server builder to set a TLS config
- Configure a `ServerTlsConfig` with the cert details.
Since we're not going to use TLS for client auth, I don't think we need to set the client_ca_root, so we just need to set the Identity. We could add a command-line flag to pd with a path to the cert -- currently, pd has no config files, only command line arguments (i.e., the "config file" is whatever is invoking the binary), and I think it'd be nice to keep it this way.
At this stage we don't need to do cert management, we can punt all of that to the user for now.
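Because the proposal leaves cert management to the user, a startup check on the supplied files catches swapped or truncated inputs before they reach the `Identity`. The following is an added example, not code from this issue or from `pd`; the names `check_identity_files`, `pem_labels` and `PemError` are hypothetical, and it only inspects PEM block labels without parsing or verifying the certificate itself.

```rust
// Added example, std only. PEM bodies are constructed placeholders, not real material.
#[derive(Debug, PartialEq)]
pub enum PemError { NoCertificate, KeyInCertFile, NoPrivateKey, MultiplePrivateKeys, Malformed(String) }

/// Labels of every well-formed BEGIN/END block in `text`, in order.
fn pem_labels(text: &str) -> Result<Vec<String>, PemError> {
    let marker = |line: &str, kind: &str| -> Option<String> {
        let rest = line.strip_prefix("-----")?.strip_prefix(kind)?.strip_prefix(' ')?;
        rest.strip_suffix("-----").map(String::from)
    };
    let (mut labels, mut open) = (Vec::new(), None::<String>);
    for line in text.lines().map(str::trim) {
        if let Some(label) = marker(line, "BEGIN") {
            if let Some(prev) = open.replace(label) {
                return Err(PemError::Malformed(prev)); // BEGIN inside an open block
            }
        } else if let Some(label) = marker(line, "END") {
            match open.take() {
                Some(o) if o == label => labels.push(o),
                _ => return Err(PemError::Malformed(label)), // END with no matching BEGIN
            }
        }
    }
    match open {
        Some(o) => Err(PemError::Malformed(o)), // file truncated mid-block
        None => Ok(labels),
    }
}

fn is_key(label: &str) -> bool { label.ends_with("PRIVATE KEY") }
/// Check the contents of the cert and key files; returns the chain length.
pub fn check_identity_files(cert_pem: &str, key_pem: &str) -> Result<usize, PemError> {
    let cert_labels = pem_labels(cert_pem)?;
    if cert_labels.iter().any(|l| is_key(l.as_str())) {
        return Err(PemError::KeyInCertFile); // key pasted into, or swapped with, the cert
    }
    let chain = cert_labels.iter().filter(|l| l.as_str() == "CERTIFICATE").count();
    if chain == 0 { return Err(PemError::NoCertificate); }
    let keys = pem_labels(key_pem)?.iter().filter(|l| is_key(l.as_str())).count();
    match keys { 0 => Err(PemError::NoPrivateKey), 1 => Ok(chain), _ => Err(PemError::MultiplePrivateKeys) }
}

const CERT: &str = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n";
const KEY: &str = "-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n";

fn main() {
    println!("{:?}", check_identity_files(CERT, KEY)); // well-formed pair
    println!("{:?}", check_identity_files(KEY, CERT)); // arguments swapped
}
```

Rejecting private key material in the certificate file matters because that file is the one served to every connecting client's handshake tooling and is commonly treated as shareable.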
Closing in favor of #1406; I don't think we should support TLS other than auto-TLS, since anyone willing to configure certs manually could also configure a reverse proxy.