From b68fb8d69510beaf086b016606202badcfd2eda0 Mon Sep 17 00:00:00 2001
From: kalder <61064868+kalder@users.noreply.github.com>
Date: Fri, 27 Jan 2023 09:59:42 -0800
Subject: vm/proxyapp: add TLS authentication (#3642)

The "security" field must be set if ProxyApp-over-TCP is used. If "none", do no authentication If "tls", do server TLS, optionally using the certificate specified by "server_tls_cert". mTLS is unimplemented for now.
---
 vm/proxyapp/init.go | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'vm/proxyapp/init.go')
diff --git a/vm/proxyapp/init.go b/vm/proxyapp/init.go
index afd0db00d..8153cf031 100644
--- a/vm/proxyapp/init.go
+++ b/vm/proxyapp/init.go
@@ -62,6 +62,12 @@ type Config struct {
 // rpc_server_uri is used to specify plugin endpoint address.
 // if not specified, we'll connect to the plugin by std[in, out, err].
 RPCServerURI string `json:"rpc_server_uri"`
+ // security can be one of "none", "tls" (for server TLS) and "mtls" for mutal
+ // TLS.
+ Security string `json:"security"`
+ // server_tls_cert points a TLS certificate used to authenticate the server.
+ // If not provided, the default system certificate pool will be used.
+ ServerTLSCert string `json:"server_tls_cert"`
 // config is an optional remote plugin config
 ProxyAppConfig json.RawMessage `json:"config"`
 }
-- cgit mrf-deployment
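Review bot: The doc comment on `Security` lists "mtls" as an accepted value, yet the commit message says mTLS is unimplemented, so an operator reading only the struct could set "mtls" and assume the client side is authenticated. I would reword it to `// security must be "none" (plaintext, no authentication) or "tls" (server TLS);` followed by `// "mtls" (mutual TLS) is reserved and not implemented yet.`, which also fixes the "mutal" typo. Because `Security` is a plain string, the code that reads it (not visible in this hunk) should reject an empty or unrecognised value instead of treating it as "none"; a small set of typed constants would make that check harder to miss. The `server_tls_cert` comment should state whether the value is a file path or PEM content, since "points a" only hints at a path. `Config` begins above this hunk.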