Skip to content

fix(conductor): add explicit TLS config #2140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mycodecrafting merged 3 commits into from
Apr 30, 2025
Merged

fix(conductor): add explicit TLS config #2140

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9223320
Add TLS config for conductor when sequencer_uri is https
mycodecrafting Apr 28, 2025
72e7ca2
remove unecessary uri scheme check and add error context
mycodecrafting Apr 29, 2025
a04ac32
add changelog entry
mycodecrafting Apr 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add TLS config for conductor when sequencer_uri is https
  • Loading branch information
@mycodecrafting
mycodecrafting committed Apr 28, 2025
commit 9223320c0148105ee37c70fcfa7be0bec7385008
2 changes: 1 addition & 1 deletion crates/astria-conductor/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ tendermint-rpc = { workspace = true, features = ["http-client"] }
thiserror = { workspace = true }
tokio = { workspace = true, features = ["macros", "rt-multi-thread", "signal"] }
tokio-util = { workspace = true, features = ["rt"] }
tonic = { workspace = true, features = ["tls", "tls-roots"] }
tonic = { workspace = true, features = ["tls", "tls-native-roots"] }
tower = { workspace = true, features = ["buffer", "limit"] }
tracing = { workspace = true, features = ["valuable"] }
tryhard = { workspace = true }
Expand Down
6 changes: 5 additions & 1 deletion crates/astria-conductor/src/sequencer/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ use astria_eyre::eyre::{
};
use tonic::transport::{
Channel,
ClientTlsConfig,
Endpoint,
Uri,
};
Expand All @@ -38,7 +39,10 @@ impl SequencerGrpcClient {
let uri: Uri = sequencer_uri
.parse()
.wrap_err("failed parsing provided string as Uri")?;
let endpoint = Endpoint::from(uri.clone());
let mut endpoint = Endpoint::from(uri.clone());
if uri.scheme() == Some(&http::uri::Scheme::HTTPS) {
Copy link
Contributor

@SuperFluffy SuperFluffy Apr 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary? Would setting the tls config preclude us from using http? I think we should be able to still connect (just like before)?

Either way, if this does blockhttp, I think I'd prefer to have ane explicit flag that deactivates tls so that one doesn't accidentally provide http instead of https and risk exposing the service to an unchecked endpoint.

Copy link
Contributor Author

@mycodecrafting mycodecrafting Apr 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point, I don't believe the TLS config prevents using http. Should not

endpoint = endpoint.tls_config(ClientTlsConfig::new().with_enabled_roots())?;
Copy link
Contributor

@SuperFluffy SuperFluffy Apr 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is missing error context. Report that you failed to set the tls config using wrap_err

}
let inner = SequencerServiceClient::new(endpoint.connect_lazy());
Ok(Self {
inner,
Expand Down
Loading