Merged
Changes from 6 commits
24 commits
35e1c7a
chore(router): Remove unnecessary tls config field from server
dkorittki May 13, 2026
a26f430
chore(router): invent global type for all tls configs
dkorittki May 13, 2026
e3690c3
chore(router): move subgraph tls config into router.tls field
dkorittki May 13, 2026
dda275c
chore(router): add layer to router cfg for server http settings
dkorittki May 13, 2026
f8b9ba8
chore(router): improve godoc
dkorittki May 13, 2026
14c7498
chore(router): consistent field naming
dkorittki May 13, 2026
1eb0f6b
Merge branch 'main' into dominik/eng-9572-improve-tls-server-configur…
dkorittki May 15, 2026
2648cf5
fix: detect tls_client usage correctly
dkorittki May 15, 2026
8f2eba0
fix: set tls client and server config independently
dkorittki May 15, 2026
39fab54
chore: use testify require instead of t.Fatal
dkorittki May 15, 2026
8d96e11
chore: minimize code by outsourcing repeats into vars
dkorittki May 15, 2026
adc9366
chore: minimize code by outsourcing repeats into vars #2
dkorittki May 15, 2026
30e6ada
chore: use keys in structs
dkorittki May 18, 2026
e0755ad
Merge branch 'main' into dominik/eng-9572-improve-tls-server-configur…
dkorittki May 18, 2026
18c950e
chore: use require instead of t.Fatal
dkorittki May 18, 2026
bf432d5
chore: make compiled config a private field
dkorittki May 18, 2026
ee6cad8
fix: create new tls configs for each test
dkorittki May 18, 2026
3375c32
chore: minimize intermediate config type
dkorittki May 18, 2026
46789d2
chore: depointer testenv tls config
dkorittki May 18, 2026
183f929
chore: cleanup and renames
dkorittki May 18, 2026
3a50379
chore: rename variable
dkorittki May 18, 2026
f7eb6a0
chore: no comparison to bool var
dkorittki May 19, 2026
4278728
Merge branch 'main' into dominik/eng-9572-improve-tls-server-configur…
dkorittki May 19, 2026
6a34cf1
Merge branch 'main' into dominik/eng-9572-improve-tls-server-configur…
dkorittki May 19, 2026
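--- a/router-tests/events/nats_events_test.go
+++ b/router-tests/events/nats_events_test.go
@@ -239,9 +239,15 @@ func TestNatsEvents(t *testing.T) {
 			},
 			EnableNats: true,
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			subscribePayload := []byte(`{"query":"subscription { employeeUpdated(employeeID: 3) { id details { forename surname } } }"}`)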
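--- a/router-tests/security/tls_test.go
+++ b/router-tests/security/tls_test.go
@@ -28,9 +28,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			require.Contains(t, xEnv.RouterURL, "https://")
@@ -52,9 +58,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
@@ -72,9 +84,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			res, err := xEnv.MakeRequest(http.MethodGet, "/", http.Header{
@@ -96,9 +114,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
@@ -113,9 +137,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			req, err := http.NewRequestWithContext(xEnv.Context, http.MethodPost, xEnv.RouterURL, strings.NewReader(`query { employees { id } }`))
@@ -154,9 +184,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			req, err := http.NewRequestWithContext(xEnv.Context, http.MethodPost, xEnv.RouterURL, strings.NewReader(`query { employees { id } }`))
@@ -175,9 +211,15 @@ func TestTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+						},
+					},
+				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
 			req, err := http.NewRequestWithContext(xEnv.Context, http.MethodPost, xEnv.RouterURL, strings.NewReader(`query { employees { id } }`))
@@ -204,12 +246,18 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: true,
-					CertFile: "../testdata/tls/cert.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: true,
+								CertFile: "../testdata/tls/cert.pem",
+							},
+						},
+					},
 				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
@@ -232,12 +280,18 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: true,
-					CertFile: "../testdata/tls/cert.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: true,
+								CertFile: "../testdata/tls/cert.pem",
+							},
+						},
+					},
 				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
@@ -253,11 +307,17 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: false, // Default
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: false, // Default
+							},
+						},
+					},
 				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
@@ -273,12 +333,18 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: false,
-					CertFile: "../testdata/tls/cert.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: false,
+								CertFile: "../testdata/tls/cert.pem",
+							},
+						},
+					},
 				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {
@@ -338,12 +404,18 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: true,
-					CertFile: "../testdata/tls/cert.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: true,
+								CertFile: "../testdata/tls/cert.pem",
+							},
+						},
+					},
 				},
 			},
 			LogObservation: testenv.LogObservationConfig{
@@ -383,12 +455,18 @@ func TestMTLS(t *testing.T) {
 
 		testenv.Run(t, &testenv.Config{
 			TLSConfig: &core.TlsConfig{
-				Enabled: true,
-				CertFile: "../testdata/tls/cert.pem",
-				KeyFile: "../testdata/tls/key.pem",
-				ClientAuth: &core.TlsClientAuthConfig{
-					Required: false,
-					CertFile: "../testdata/tls/cert.pem",
+				Server: core.ServerTLSConfig{
+					HTTP: core.HTTPServerTLSConfig{
+						Settings: core.HTTPServerTLSConfigSettings{
+							Enabled: true,
+							CertFile: "../testdata/tls/cert.pem",
+							KeyFile: "../testdata/tls/key.pem",
+							ClientAuth: &core.HTTPServerMTLSConfigSettings{
+								Required: false,
+								CertFile: "../testdata/tls/cert.pem",
+							},
+						},
+					},
 				},
 			},
 		}, func(t *testing.T, xEnv *testenv.Environment) {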
12 changes: 6 additions & 6 deletions router-tests/testenv/testenv.go
Expand Up @@ -717,12 +717,12 @@ func CreateTestSupervisorEnv(t testing.TB, cfg *Config) (*Environment, error) {
},
})

if cfg.TLSConfig != nil && cfg.TLSConfig.Enabled {
if cfg.TLSConfig != nil && cfg.TLSConfig.Server.HTTP.Settings.Enabled {

cert, err := tls.LoadX509KeyPair(cfg.TLSConfig.CertFile, cfg.TLSConfig.KeyFile)
cert, err := tls.LoadX509KeyPair(cfg.TLSConfig.Server.HTTP.Settings.CertFile, cfg.TLSConfig.Server.HTTP.Settings.KeyFile)
require.NoError(t, err)

caCert, err := os.ReadFile(cfg.TLSConfig.CertFile)
caCert, err := os.ReadFile(cfg.TLSConfig.Server.HTTP.Settings.CertFile)
if err != nil {
log.Fatal(err)
}
coderabbitai[bot] marked this conversation as resolved.
Expand Down Expand Up @@ -1148,12 +1148,12 @@ func CreateTestEnv(t testing.TB, cfg *Config) (*Environment, error) {
return nil, err
}

if cfg.TLSConfig != nil && cfg.TLSConfig.Enabled {
if cfg.TLSConfig != nil && cfg.TLSConfig.Server.HTTP.Settings.Enabled {

cert, err := tls.LoadX509KeyPair(cfg.TLSConfig.CertFile, cfg.TLSConfig.KeyFile)
cert, err := tls.LoadX509KeyPair(cfg.TLSConfig.Server.HTTP.Settings.CertFile, cfg.TLSConfig.Server.HTTP.Settings.KeyFile)
require.NoError(t, err)

caCert, err := os.ReadFile(cfg.TLSConfig.CertFile)
caCert, err := os.ReadFile(cfg.TLSConfig.Server.HTTP.Settings.CertFile)
if err != nil {
log.Fatal(err)
}
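--- a/router/core/graph_server.go
+++ b/router/core/graph_server.go
@@ -163,7 +163,11 @@ func newGraphServer(routerCtx context.Context, r *Router, response *routerconfig
 	}
 
 	// Build subgraph client TLS configs (mTLS for outbound subgraph connections)
-	defaultClientTLS, perSubgraphTLS, err := buildSubgraphTLSConfigs(r.logger, &r.subgraphTLSConfiguration)
+	var subgraphTLSConfiguration config.ClientTLSConfiguration
+	if r.tls != nil {
+		subgraphTLSConfiguration = r.tls.Client.Subgraphs.HTTP
+	}
+	defaultClientTLS, perSubgraphTLS, err := buildSubgraphTLSConfigs(r.logger, &subgraphTLSConfiguration)
 	if err != nil {
 		return nil, fmt.Errorf("could not build subgraph client TLS config: %w", err)
 	}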
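Review bot: The nil branch is undocumented: when `r.tls == nil` the subgraph client TLS settings fall through as a zero-value `config.ClientTLSConfiguration`, and nothing in the hunk says what `buildSubgraphTLSConfigs` makes of that (presumably system-default client TLS with no client certificate and no custom CA, but that is inferred rather than visible). A one-line comment on the `var` would pin the intent, e.g. `// No TLS section configured: the zero value is passed through and is expected to yield default client TLS (no mTLS, no custom CA) — keep this true if defaults are ever added.` The existing comment still describes the block as "mTLS for outbound subgraph connections" while the value now comes from `r.tls.Client.Subgraphs.HTTP`; it is worth confirming that path also carries the CA and verification settings, not only the client key pair. `newGraphServer` starts before and continues past the hunk.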
5 changes: 1 addition & 4 deletions router/core/http_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@ var notReadyState = &serverState{
type server struct {
mu sync.RWMutex
httpServer *http.Server
tlsConfig *TlsConfig
logger *zap.Logger
state atomic.Pointer[serverState]
healthcheck health.Checker
Expand All @@ -57,7 +56,6 @@ type server struct {
type httpServerOptions struct {
addr string
logger *zap.Logger
tlsConfig *TlsConfig
tlsServerConfig *tls.Config
healthcheck health.Checker
baseURL string
Expand Down Expand Up @@ -93,7 +91,6 @@ func newServer(opts *httpServerOptions) (*server, error) {

n := &server{
httpServer: httpServer,
tlsConfig: opts.tlsConfig,
logger: opts.logger,
mu: sync.RWMutex{},
healthcheck: opts.healthcheck,
Expand Down Expand Up @@ -153,7 +150,7 @@ func (s *server) SwapGraphServer(ctx context.Context, svr *graphServer) {
// listenAndServe starts the server using the pre-bound listener and blocks until shutdown.
// This method is called in a goroutine; the port was already bound in newServer().
func (s *server) listenAndServe() error {
if s.tlsConfig != nil && s.tlsConfig.Enabled {
if s.httpServer.TLSConfig != nil {
// Use TLS with the pre-bound listener
if err := s.httpServer.ServeTLS(s.listener, "", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {
return err
Expand Down
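Review bot: The branch at `if s.httpServer.TLSConfig != nil` now chooses between TLS and plaintext solely from whether a `*tls.Config` was attached, so a deployment with TLS enabled whose server config ends up nil (a build step skipped or its error swallowed upstream, or a later refactor of the caller) silently serves plaintext, whereas the old `s.tlsConfig.Enabled` check would have failed inside `ServeTLS` for lack of a certificate — a fail-open on a security boundary. The opposite direction matters too: helpers such as `http2.ConfigureServer` install an empty non-nil `TLSConfig`, which would send this into `ServeTLS` with no certificates; whether either case can occur depends on how `newServer` wires `opts.tlsServerConfig` into `httpServer.TLSConfig`, which is outside the hunk. At minimum the caller should fail fast when TLS is enabled but no server config was built, and a startup log that states the mode makes any downgrade visible, e.g. `s.logger.Info("starting listener", zap.Bool("tls", s.httpServer.TLSConfig != nil))` just before the branch. The enclosing `listenAndServe` continues past the hunk.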