From f5307f3a8206e590f3eda32c9afb65fac3432e19 Mon Sep 17 00:00:00 2001
From: Arnav Dugar <87779081+arnavdugar-stripe@users.noreply.github.com>
Date: Tue, 7 Feb 2023 09:58:04 -0800
Subject: [PATCH] Add mTLS support for forwarding metrics to veneur-proxy. (#1034)

---
 config.go | 2 ++
 server.go | 14 ++++++++++++--
 testdata/http_test_config.json | 1 +
 testdata/http_test_config.yaml | 2 ++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/config.go b/config.go
index d5c138d93..ab316fc8c 100644
--- a/config.go
+++ b/config.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/stripe/veneur/v14/util"
 	"github.com/stripe/veneur/v14/util/matcher"
+	"github.com/stripe/veneur/v14/util/tls"
 )
 
 type Config struct {
@@ -50,6 +51,7 @@ type Config struct {
 	TLSAuthorityCertificate string `yaml:"tls_authority_certificate"`
 	TLSCertificate string `yaml:"tls_certificate"`
 	TLSKey util.StringSecret `yaml:"tls_key"`
+	Tls tls.Tls `yaml:"tls"`
 	TraceMaxLengthBytes int `yaml:"trace_max_length_bytes"`
 	VeneurMetricsAdditionalTags []string `yaml:"veneur_metrics_additional_tags"`
 	VeneurMetricsScopes struct {
diff --git a/server.go b/server.go
index 759284e3c..528b41210 100644
--- a/server.go
+++ b/server.go
@@ -28,6 +28,7 @@ import (
 	"github.com/zenazn/goji/bind"
 	"github.com/zenazn/goji/graceful"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 
 	"github.com/pkg/profile"
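Review bot: The new struct field is named `Tls` while its neighbours on the same struct (`TLSAuthorityCertificate`, `TLSCertificate`, `TLSKey`) use the Go initialism form, and it carries no comment saying how the `tls` block relates to those three `tls_*` keys. Rename it `TLS tls.Tls \`yaml:"tls"\`` (updating the `s.Config.Tls` reference in server.go to match) and document it from the way server.go uses it: `// TLS configures transport security (optionally mTLS) for the gRPC connection that forwards metrics to veneur-proxy; when unset, forwarding is dialed without transport security.` The existing `tls_*` keys presumably configure the listening side, but that is not visible in this diff, so the comment should state which side each group configures once confirmed. `type Config struct` continues outside this hunk.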
@@ -807,8 +808,17 @@ func (s *Server) Start() {
 	}
 
 	// Initialize a gRPC connection for forwarding
-	var err error
-	s.grpcForwardConn, err = grpc.Dial(s.ForwardAddr, grpc.WithInsecure())
+	tlsConfig, err := s.Config.Tls.GetTlsConfig()
+	if err != nil {
+		s.logger.WithError(err).Fatal("failed to parse tls config")
+	}
+	if tlsConfig != nil {
+		s.grpcForwardConn, err = grpc.Dial(
+			s.ForwardAddr,
+			grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	} else {
+		s.grpcForwardConn, err = grpc.Dial(s.ForwardAddr, grpc.WithInsecure())
+	}
 	if err != nil {
 		s.logger.WithError(err).WithFields(logrus.Fields{
 			"forwardAddr": s.ForwardAddr,
diff --git a/testdata/http_test_config.json b/testdata/http_test_config.json
index 647d038aa..7230f6591 100644
--- a/testdata/http_test_config.json
+++ b/testdata/http_test_config.json
@@ -53,6 +53,7 @@
   "TLSAuthorityCertificate": "",
   "TLSCertificate": "",
   "TLSKey": "",
+  "Tls": {},
   "TraceMaxLengthBytes": 0,
   "VeneurMetricsAdditionalTags": null,
   "VeneurMetricsScopes": {
diff --git a/testdata/http_test_config.yaml b/testdata/http_test_config.yaml
index 60e943be0..524eee0d2 100644
--- a/testdata/http_test_config.yaml
+++ b/testdata/http_test_config.yaml
@@ -48,6 +48,8 @@ tags_exclude: []
 tls_authority_certificate: ""
 tls_certificate: ""
 tls_key: ""
+tls:
+  config: null
 trace_max_length_bytes: 0
 veneur_metrics_additional_tags: []
 veneur_metrics_scopes:
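Review bot: The `else` branch in `Start()` falls back to `grpc.WithInsecure()` with no log line, so a mistyped or empty `tls:` block (the fixture's `config: null` evidently yields a nil `tlsConfig`) silently forwards metrics to veneur-proxy in plaintext instead of failing or at least warning. Add a warning before the insecure dial, e.g. `s.logger.WithField("forwardAddr", s.ForwardAddr).Warn("no tls config for forwarding; dialing veneur-proxy without transport security")`, so the mode in use is visible in the logs; if the vendored grpc-go already offers it, `grpc.WithTransportCredentials(insecure.NewCredentials())` also replaces the deprecated `grpc.WithInsecure()`. What `GetTlsConfig()` enforces (minimum TLS version, server-certificate verification, presence of a client certificate when mTLS is intended) lives in util/tls and is not visible here, so it is worth confirming it cannot return a config with verification disabled from user input. `Start()` begins and ends outside this hunk.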