Conversation

@erenatas
Contributor

This PR

  • Add tls: bool parameter to UpstreamConfig::new() to control http:// vs https:// scheme selection
  • Update GrpcStreamConnector to store and propagate TLS setting
  • Update all callers (RPC resolver, in-process resolver, connector)
  • Fix tonic TLS features for 0.14: use tls-ring + tls-webpki-roots (no OpenSSL dependency)
  • Add unit tests for TLS scheme selection

The FlagdOptions.tls field was documented but not wired up. This change ensures that when tls: true, gRPC connections use HTTPS.

Signed-off-by: Eren Atas <[email protected]>
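The scheme selection described in this PR, as an added example that is not the flagd crate's own code: a std-only sketch of how a `tls` flag picks `http://` versus `https://` for a plain host/port and for `envoy://` targets, and refuses an explicit target whose scheme contradicts the flag so a configured TLS setting cannot be silently downgraded. The names `resolve_upstream`, `UpstreamError` and the `envoy://host:port/authority` layout are assumptions, not the project's API.

```rust
// Added example, not the flagd crate's code. `UpstreamConfig`, `resolve_upstream`
// and the envoy target layout are assumed names/shapes for illustration only.
#[derive(Debug, PartialEq)]
pub struct UpstreamConfig {
    pub endpoint: String,          // URL handed to the gRPC channel builder
    pub authority: Option<String>, // :authority override for envoy:// targets
}

#[derive(Debug, PartialEq)]
pub enum UpstreamError {
    /// Explicit target scheme contradicts `tls`; failing closed avoids a silent downgrade.
    SchemeMismatch { scheme: String, tls: bool },
    UnsupportedScheme(String),
    InvalidEnvoyTarget(String),
}

/// Build the upstream from an explicit target (if any) or host/port; `tls`
/// decides between `http://` and `https://` wherever a scheme must be chosen.
pub fn resolve_upstream(
    target: Option<&str>, host: &str, port: u16, tls: bool,
) -> Result<UpstreamConfig, UpstreamError> {
    let scheme = if tls { "https" } else { "http" };
    match target {
        // No explicit target: plain host/port, scheme from the flag.
        None => Ok(UpstreamConfig { endpoint: format!("{scheme}://{host}:{port}"), authority: None }),
        // envoy://<proxy-host>:<port>/<authority>: connect to the proxy, override :authority.
        Some(t) if t.starts_with("envoy://") => {
            let rest = &t["envoy://".len()..];
            let (hostport, authority) = rest
                .split_once('/')
                .ok_or_else(|| UpstreamError::InvalidEnvoyTarget(t.to_string()))?;
            if hostport.is_empty() || authority.is_empty() || !hostport.contains(':') {
                return Err(UpstreamError::InvalidEnvoyTarget(t.to_string()));
            }
            Ok(UpstreamConfig { endpoint: format!("{scheme}://{hostport}"), authority: Some(authority.to_string()) })
        }
        // Explicit URL: accept only if its scheme agrees with the `tls` flag.
        Some(t) => {
            let (given, _) = t
                .split_once("://")
                .ok_or_else(|| UpstreamError::UnsupportedScheme(t.to_string()))?;
            match given {
                "http" | "https" if given == scheme => Ok(UpstreamConfig { endpoint: t.to_string(), authority: None }),
                "http" | "https" => Err(UpstreamError::SchemeMismatch { scheme: given.to_string(), tls }),
                other => Err(UpstreamError::UnsupportedScheme(other.to_string())),
            }
        }
    }
}
```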
@gemini-code-assist
Contributor

Summary of Changes

Hello @erenatas, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces robust TLS support for gRPC connections within the flagd crate. It ensures that all gRPC communication can be secured using HTTPS when the tls option is enabled, fulfilling a previously documented but unimplemented feature. The changes involve updating core configuration logic to dynamically handle secure schemes, propagating this setting through the connection components, and refining dependency features for a more streamlined and secure TLS implementation.

Highlights

  • TLS Support for gRPC: The FlagdOptions.tls field has been fully wired up, enabling gRPC connections to use HTTPS when configured, enhancing communication security.
  • Dependency Feature Update: The tonic dependency's TLS features were updated to use tls-ring and tls-webpki-roots, removing the need for an OpenSSL dependency.
  • Dynamic Upstream Configuration: The UpstreamConfig::new() function now accepts a tls parameter, allowing it to dynamically construct http:// or https:// endpoints based on the setting.
  • TLS Setting Propagation: The GrpcStreamConnector now stores and propagates the TLS setting, ensuring that underlying gRPC channels are consistently created with the correct secure scheme.
  • Comprehensive Unit Testing: New unit tests have been added to UpstreamConfig to thoroughly validate the correct selection of HTTP/HTTPS schemes under various conditions, including explicit URLs and Envoy targets.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly wires up TLS support for gRPC connections, which was a documented but unimplemented feature. The changes involve updating UpstreamConfig to handle http vs https schemes based on a tls flag, and propagating this setting through the RPC and in-process resolvers. The addition of tls-ring and tls-webpki-roots features for tonic is a good choice for enabling TLS without an OpenSSL dependency. The new unit tests for UpstreamConfig are comprehensive and cover the new logic well.

I've identified a couple of issues. First, a high-severity pre-existing bug that makes the in-process resolver's Unix socket support non-functional, which is affected by the changes in this PR. Second, a medium-severity inconsistency in how URL schemes are handled between the RPC and in-process resolvers. My feedback includes a suggestion to align their behavior for better predictability and maintainability.

@erenatas
Contributor Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly wires up TLS support for gRPC connections, which was a missing feature. The changes include updating the tonic dependency to use tls-ring and tls-webpki-roots for TLS without an OpenSSL dependency, and modifying UpstreamConfig to handle https schemes. The addition of unit tests for the new TLS logic is also a great improvement.

My review has identified a few areas for improvement:

  • There's some code duplication in the TLS configuration logic that could be refactored.
  • A test contains a redundant assertion that could be removed for clarity.
  • There's duplicated logic for handling envoy:// URIs in the RPC resolver, which should be consolidated to use the new capabilities of UpstreamConfig.

Overall, this is a valuable fix, and addressing these points will improve the code's maintainability.

@erka
Member

erka commented Jan 2, 2026

Hey @erenatas. Great work!

What about self-signed certs?

@erenatas
Contributor Author

erenatas commented Jan 2, 2026

> Hey @erenatas. Great work!
>
> What about self-signed certs?

Thank you and nice catch! I missed handling cert files, can you have a look now? I also made sure the REST implementation is consistent by utilizing `FlagdOptions -> cert_path`.

@erenatas erenatas changed the title from "fix(flagd): wire up TLS support for gRPC connections" to "fix!: flagd, wire up TLS support for gRPC connections" on Jan 3, 2026
@erenatas erenatas force-pushed the erenatas/fix-tls-for-grpc branch from 8012c87 to 7af3815 on January 3, 2026 22:51
@erenatas erenatas requested a review from erka on January 5, 2026 11:03
@erenatas erenatas merged commit 38bf6d0 into main on Jan 7, 2026
13 checks passed