authorAhmad Hassan <ahmad.hassan612@gmail.com>2018-10-29 16:34:59 +0200
committerAhmad Hassan <ahmad.hassan612@gmail.com>2018-10-30 15:52:51 +0200
commit688dde61f33d69ef3b4b0f2a03f30f092777375a (patch)
tree1364a4df385738c9cd184bce3ff0a5b2eb509ecc
parent9cf3334cb5cdf871266a2b9538589e36efd788e1 (diff)
Add support for gitaly tlsgitaly-tls
-rw-r--r--go/internal/handler/handler.go21
-rw-r--r--go/internal/handler/receive_pack.go4
-rw-r--r--go/internal/handler/upload_archive.go4
-rw-r--r--go/internal/handler/upload_pack.go3
4 files changed, 28 insertions, 4 deletions
diff --git a/go/internal/handler/handler.go b/go/internal/handler/handler.go
index f8e8bee..abe59ec 100644
--- a/go/internal/handler/handler.go
+++ b/go/internal/handler/handler.go
@@ -1,11 +1,14 @@
package handler
import (
+ "crypto/x509"
"os"
"os/exec"
+ "strings"
"syscall"
"google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
"gitlab.com/gitlab-org/gitaly/auth"
"gitlab.com/gitlab-org/gitaly/client"
@@ -31,6 +34,14 @@ func Prepare() error {
return nil
}
+func transFormTls(gitalyAddress string) (string, bool) {
+ if !strings.HasPrefix(gitalyAddress, "tls://") {
+ return gitalyAddress, false
+ }
+
+ return strings.Replace(gitalyAddress, "tls://", "tcp://", 1), true
+}
+
func execCommand(command string, args ...string) error {
binPath, err := exec.LookPath(command)
if err != nil {
@@ -41,11 +52,19 @@ func execCommand(command string, args ...string) error {
return syscall.Exec(binPath, args, os.Environ())
}
-func dialOpts() []grpc.DialOption {
+func dialOpts(tls bool) []grpc.DialOption {
connOpts := client.DefaultDialOpts
if token := os.Getenv("GITALY_TOKEN"); token != "" {
connOpts = append(client.DefaultDialOpts, grpc.WithPerRPCCredentials(gitalyauth.RPCCredentialsV2(token)))
}
+ if tls {
+ certPool, err := x509.SystemCertPool()
+ if err == nil {
+ creds := credentials.NewClientTLSFromCert(certPool, "")
+ connOpts = append(connOpts, grpc.WithTransportCredentials(creds))
+ }
+ }
+
return connOpts
}
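Review bot: In dialOpts a failing x509.SystemCertPool() is silently dropped: `tls` stays true but no transport credentials are appended, so a `tls://` address ends up dialed with only client.DefaultDialOpts — if those include an insecure option the connection quietly falls back to plaintext, otherwise the problem surfaces later as an unrelated dial error. dialOpts should return the error and the three callers (receive_pack.go, upload_archive.go, upload_pack.go) should propagate it, as sketched below. The new `connOpts = append(connOpts, …)` also extends the pre-existing `append(client.DefaultDialOpts, …)` pattern, which writes into whatever spare capacity the package-level slice has; copying it first (`append([]grpc.DialOption(nil), client.DefaultDialOpts...)`) would avoid mutating shared state. A smaller point: Go naming would spell the helper `transformTLS`, and `"tcp://" + strings.TrimPrefix(gitalyAddress, "tls://")` expresses the rewrite more directly than the Replace call.
```go
func dialOpts(tls bool) ([]grpc.DialOption, error) {
	// … unchanged: GITALY_TOKEN handling …
	if tls {
		certPool, err := x509.SystemCertPool()
		if err != nil {
			return nil, err
		}
		creds := credentials.NewClientTLSFromCert(certPool, "")
		connOpts = append(connOpts, grpc.WithTransportCredentials(creds))
	}

	return connOpts, nil
}
```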
diff --git a/go/internal/handler/receive_pack.go b/go/internal/handler/receive_pack.go
index e69486f..fecb83b 100644
--- a/go/internal/handler/receive_pack.go
+++ b/go/internal/handler/receive_pack.go
@@ -14,7 +14,9 @@ func ReceivePack(gitalyAddress string, request *pb.SSHReceivePackRequest) (int32
return 0, fmt.Errorf("no gitaly_address given")
}
- conn, err := client.Dial(gitalyAddress, dialOpts())
+ gitalyAddress, isTls := transFormTls(gitalyAddress)
+ conn, err := client.Dial(gitalyAddress, dialOpts(isTls))
+
if err != nil {
return 0, err
}
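Review bot: The blank line inserted between `conn, err := client.Dial(gitalyAddress, dialOpts(isTls))` and `if err != nil` separates the error check from the call it belongs to, which Go style keeps adjacent; upload_archive.go adds the same blank line while upload_pack.go does not, so the three handlers now differ for no reason. The transFormTls/dialOpts preamble is also repeated verbatim in all three files; a single helper in handler.go such as `func dialGitaly(gitalyAddress string) (*grpc.ClientConn, error)` would keep the TLS decision in one place and make it easier to surface a credential-setup failure. ReceivePack continues outside the hunk.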
diff --git a/go/internal/handler/upload_archive.go b/go/internal/handler/upload_archive.go
index 4ab1e71..f6bf412 100644
--- a/go/internal/handler/upload_archive.go
+++ b/go/internal/handler/upload_archive.go
@@ -14,7 +14,9 @@ func UploadArchive(gitalyAddress string, request *pb.SSHUploadArchiveRequest) (i
return 0, fmt.Errorf("no gitaly_address given")
}
- conn, err := client.Dial(gitalyAddress, dialOpts())
+ gitalyAddress, isTls := transFormTls(gitalyAddress)
+ conn, err := client.Dial(gitalyAddress, dialOpts(isTls))
+
if err != nil {
return 0, err
}
diff --git a/go/internal/handler/upload_pack.go b/go/internal/handler/upload_pack.go
index 51a2f3b..721d6f8 100644
--- a/go/internal/handler/upload_pack.go
+++ b/go/internal/handler/upload_pack.go
@@ -14,7 +14,8 @@ func UploadPack(gitalyAddress string, request *pb.SSHUploadPackRequest) (int32,
return 0, fmt.Errorf("no gitaly_address given")
}
- conn, err := client.Dial(gitalyAddress, dialOpts())
+ gitalyAddress, isTls := transFormTls(gitalyAddress)
+ conn, err := client.Dial(gitalyAddress, dialOpts(isTls))
if err != nil {
return 0, err
}