feat: grpc tls connectivity (grpcs)

[Kavindu-Dodan]

This PR

Introduce TLS connectivity for GRPC sync provider.

TLS can be enabled using schema grpcs://. For example,

./flagd start --uri grpcs://localhost:8090

Further, a self-sign certificate can be provided for TLS connectivity using configuration source field certPath

ex:- ./flagd start --sources='[{"uri":"grpcs://localhost:9090","provider":"grpc", "certPath":"<CA_CERT>"}]'

How to test

Start mock server impl - https://github.com/Kavindu-Dodan/flagd-grpc-sync-server & then run flagd with grpc tls mode

[codecov]

Codecov Report

Merging #477 (8a69ba8) into main (1762503) will increase coverage by 1.30%.
The diff coverage is 73.13%.

@@            Coverage Diff             @@
##             main     #477      +/-   ##
==========================================
+ Coverage   62.08%   63.39%   +1.30%     
==========================================
  Files          15       15              
  Lines        1891     1923      +32     
==========================================
+ Hits         1174     1219      +45     
+ Misses        654      639      -15     
- Partials       63       65       +2     

Impacted Files	Coverage Δ
pkg/runtime/from_config.go	25.60% <50.00%> (+0.30%)	⬆️
pkg/sync/grpc/grpc_sync.go	77.24% <74.60%> (+15.20%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[beeme1mr]

This can be tested using the test server [1] @Kavindu-Dodan created and generating self signed certs.

Generate CA cert

• CA Private Key: openssl ecparam -name prime256v1 -genkey -noout -out ca.key
• CA Certificate: openssl req -new -x509 -sha256 -key ca.key -out ca.cert

Generate Server certificate

• Create OpenSSL config: echo "subjectAltName = DNS:localhost" > openssl.conf
• Server private key: openssl ecparam -name prime256v1 -genkey -noout -out server.key
• Server signing request: openssl req -new -sha256 -addext "subjectAltName=DNS:localhost" -key server.key -out server.csr
• Server cert: openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.key -out server.crt -days 1000 -sha256 -extfile openssl.conf

Where the file opnessl.conf contains following,

subjectAltName = DNS:localhost

Once certificates & keys are ready,

• Running grpc server with certificates - go run main.go -s=true -certPath=server.crt -keyPath=server.key

• Running flagd with certificates - go run main.go start --sources='[{"uri":"grpcs://localhost:9090","provider":"grpc", "certPath":"ca.cert"}]'

[1] https://github.com/Kavindu-Dodan/flagd-grpc-sync-server

[toddbaert]

Largely this is working, but I believe it caused a regression in our reconnect which causes flagd to crash when the server connection is lost. This tells me we need a test, e2e or otherwise, for this... I will create a new issue for that. I think the crash itself needs to be resolved in this PR though.

Additionally, grpcs:// is not really a valid scheme. I think it's fine to keep for the uri style configuration, but I think a boolean for tls might make more sense for the --sources style configuration. This more a matter of opinion though... I just feel weird about relying on a non-standard scheme wherever we don't have to.

Edit: I created this issue for testing.

[Kavindu-Dodan]

Largely this is working, but I believe it caused a regression in our reconnect which causes flagd to crash when the server connection is lost. This tells me we need a test, e2e or otherwise, for this... I will create a new issue for that. I think the crash itself needs to be resolved in this PR though.

Additionally, grpcs:// is not really a valid scheme. I think it's fine to keep for the uri style configuration, but I think a boolean for tls might make more sense for the --sources style configuration. This more a matter of opinion though... I just feel weird about relying on a non-standard scheme wherever we don't have to.

Edit: I created this issue for testing.

Good catch. I fixed this and added a unit test to validate this scenario

I also have no hard opinion on the grpcs:// schema usage. But if there are no other alternatives, this is fine :)

[toddbaert]

Confirmed reconnect works now.