Autodetect & Handle TLS for Lumera gRPC Connections#109
Merged
mateeullahmalik merged 1 commit intomasterfrom Jul 31, 2025
Merged
Autodetect & Handle TLS for Lumera gRPC Connections#109mateeullahmalik merged 1 commit intomasterfrom
mateeullahmalik merged 1 commit intomasterfrom
Conversation
j-rafique
previously approved these changes
Jul 31, 2025
mateeullahmalik
force-pushed
the
supportSecureLumeraConnections
branch
from
d886f44 to
84d0d83
Compare
mateeullahmalik
force-pushed
the
supportSecureLumeraConnections
branch
from
84d0d83 to
d4631f9
Compare
j-rafique
approved these changes
Jul 31, 2025
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces automatic TLS detection for Lumera gRPC connections based on the provided address format, replacing the previous hard-coded insecure connection approach. The implementation accepts various address formats (https://, grpcs://, host:443, plain host) and automatically selects appropriate transport credentials without requiring additional configuration flags.
Key changes:
- Automatic TLS detection based on address scheme or port 443
- Support for multiple address formats while maintaining backward compatibility
- Removal of hard-coded insecure credentials in favor of dynamic selection
Comments suppressed due to low confidence (1)
pkg/lumera/connection.go:100
- The variable name 'splitErr' is inconsistent with Go naming conventions. It should be 'err' since it's a standard error variable in this scope.
if splitErr != nil {
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Autodetect & Handle TLS for Lumera gRPC Connections
Why
Operators enter Lumera endpoints in mixed formats (
https://…,grpcs://…,host:443, plainhost:9090).The original dialer hard-coded h2c (
insecure.NewCredentials()), so any URL that expected TLS failed. We want:Zero-config: accept whatever string the user pastes in.
Back-compat: plaintext still works for local/test nets.
No extra flags: behaviour inferred from the address itself.
What’s inside
lumera/connection.gofully replacedParses address with
normaliseAddr():https://orgrpcs://⇒ TLS, default port 443Any
:443⇒ TLSEverything else ⇒ insecure h2c
Selects
credentials.NewClientTLSFromCert(nil, serverName)for TLS, otherwiseinsecure.NewCredentials().Keeps public
Connectioninterface unchanged.No external deps added – still uses Go stdlib +
google.golang.org/grpc.