remove GRPC insecure config options, since it always needs to be set to insecure

.drone.star

@@ -1477,7 +1477,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = []):
         "PROXY_OIDC_INSECURE": "true",
         "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
         "THUMBNAILS_CS3SOURCE_INSECURE": "true",
-        "REVA_GATEWAY_INSECURE": "true",
         "STORAGE_OIDC_INSECURE": "true",
         "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
         "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",

.vscode/launch.json

@@ -21,7 +21,6 @@
                 "PROXY_OIDC_INSECURE": "true",
                 "THUMBNAILS_WEBDAVSOURCE_INSECURE": "true",
                 "THUMBNAILS_CS3SOURCE_INSECURE": "true",
-                "REVA_GATEWAY_INSECURE": "true",
                 "STORAGE_OIDC_INSECURE": "true",
                 "STORAGE_HOME_DATAPROVIDER_INSECURE": "true",
                 "STORAGE_METADATA_DATAPROVIDER_INSECURE": "true",

changelog/unreleased/insecure-options.md

@@ -4,7 +4,6 @@ We had several hard-coded 'insecure' flags. These options are now configurable a
 
 ```
 PROXY_OIDC_INSECURE=true
-REVA_GATEWAY_INSECURE=true
 STORAGE_FRONTEND_APPPROVIDER_INSECURE=true
 STORAGE_FRONTEND_ARCHIVER_INSECURE=true
 STORAGE_FRONTEND_OCDAV_INSECURE=true

graph/pkg/service/v0/graph.go

@@ -24,7 +24,7 @@ func (g Graph) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // GetClient returns a gateway client to talk to reva
 func (g Graph) GetClient() (gateway.GatewayAPIClient, error) {
-	return pool.GetGatewayServiceClient(g.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+	return pool.GetGatewayServiceClient(g.config.Reva.Address)
 }
 
 // The key type is unexported to prevent collisions with context keys defined in

ocs/pkg/service/v0/service.go

@@ -161,7 +161,7 @@ func (o Ocs) getAccountService() accounts.AccountsService {
 }
 
 func (o Ocs) getCS3Backend() backend.UserBackend {
-	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+	revaClient, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 	if err != nil {
 		o.logger.Fatal().Msgf("could not get reva client at address %s", o.config.Reva.Address)
 	}

ocs/pkg/service/v0/users.go

@@ -384,7 +384,7 @@ func (o Ocs) DeleteUser(w http.ResponseWriter, r *http.Request) {
 
 		ctx := metadata.AppendToOutgoingContext(r.Context(), revactx.TokenHeader, t)
 
-		gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+		gwc, err := pool.GetGatewayServiceClient(o.config.Reva.Address)
 		if err != nil {
 			o.logger.Error().Err(err).Msg("error securing a connection to Reva gateway")
 		}

proxy/pkg/command/server.go

@@ -149,7 +149,7 @@ func Server(cfg *config.Config) *cli.Command {
 
 func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) alice.Chain {
 	rolesClient := settings.NewRoleService("com.owncloud.api.settings", grpc.DefaultClient)
-	revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address, cfg.Reva.Insecure) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+	revaClient, err := cs3.GetGatewayServiceClient(cfg.Reva.Address)
 	var userProvider backend.UserBackend
 	switch cfg.AccountBackend {
 	case "accounts":

proxy/pkg/config/config.go

@@ -81,7 +81,6 @@ var (
 // Reva defines all available REVA configuration.
 type Reva struct {
 	Address    string
-	Insecure   bool
 	Middleware Middleware
 }
 

proxy/pkg/cs3/client.go

@@ -7,24 +7,17 @@ import (
 	"google.golang.org/grpc"
 )
 
-func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) {
-	opts := []grpc.DialOption{}
-
-	opts = append(opts, grpc.WithUnaryInterceptor(
-		otelgrpc.UnaryClientInterceptor(
-			otelgrpc.WithTracerProvider(
-				proxytracing.TraceProvider,
-			),
-		),
-	))
-
-	if insecure {
-		opts = append(opts, grpc.WithInsecure())
-	}
-
+func newConn(endpoint string) (*grpc.ClientConn, error) {
 	conn, err := grpc.Dial(
 		endpoint,
-		opts...,
+		grpc.WithInsecure(),
+		grpc.WithUnaryInterceptor(
+			otelgrpc.UnaryClientInterceptor(
+				otelgrpc.WithTracerProvider(
+					proxytracing.TraceProvider,
+				),
+			),
+		),
 	)
 	if err != nil {
 		return nil, err
@@ -34,8 +27,8 @@ func newConn(endpoint string, insecure bool) (*grpc.ClientConn, error) {
 }
 
 // GetGatewayServiceClient returns a new cs3 gateway client
-func GetGatewayServiceClient(endpoint string, insecure bool) (gateway.GatewayAPIClient, error) {
-	conn, err := newConn(endpoint, insecure)
+func GetGatewayServiceClient(endpoint string) (gateway.GatewayAPIClient, error) {
+	conn, err := newConn(endpoint)
 	if err != nil {
 		return nil, err
 	}

proxy/pkg/flagset/flagset.go

@@ -189,13 +189,6 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"REVA_GATEWAY"},
 			Destination: &cfg.Reva.Address,
 		},
-		&cli.BoolFlag{
-			Name:        "reva-gateway-insecure",
-			Value:       flags.OverrideDefaultBool(cfg.Reva.Insecure, false),
-			Usage:       "allow insecure communication to REVA gateway endpoint",
-			EnvVars:     []string{"REVA_GATEWAY_INSECURE"},
-			Destination: &cfg.Reva.Insecure,
-		},
 		&cli.BoolFlag{
 			Name:        "insecure",
 			Value:       flags.OverrideDefaultBool(cfg.InsecureBackends, false),

thumbnails/pkg/server/grpc/server.go

@@ -25,7 +25,7 @@ func NewService(opts ...Option) grpc.Service {
 		grpc.Version(options.Config.Server.Version),
 	)
 	tconf := options.Config.Thumbnail
-	gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway) //TODO: insecure defaults to true, https://github.com/cs3org/reva/issues/2216
+	gc, err := pool.GetGatewayServiceClient(tconf.RevaGateway)
 	if err != nil {
 		options.Logger.Error().Err(err).Msg("could not get gateway client")
 		return grpc.Service{}