initial POC for grpc tls

nodebuilder/core/config.go

@@ -16,9 +16,10 @@ var MetricsEnabled bool
 
 // Config combines all configuration fields for managing the relationship with a Core node.
 type Config struct {
-	IP       string
-	RPCPort  string
-	GRPCPort string
+	IP        string
+	RPCPort   string
+	GRPCPort  string
+	EnableTLS bool
 }
 
 // DefaultConfig returns default configuration for managing the

nodebuilder/core/flags.go

@@ -8,9 +8,10 @@ import (
 )
 
 var (
-	coreFlag     = "core.ip"
-	coreRPCFlag  = "core.rpc.port"
-	coreGRPCFlag = "core.grpc.port"
+	coreFlag          = "core.ip"
+	coreRPCFlag       = "core.rpc.port"
+	coreGRPCFlag      = "core.grpc.port"
+	coreEnableTLSFlag = "core.grpc.tls"
 )
 
 // Flags gives a set of hardcoded Core flags.
@@ -34,6 +35,11 @@ func Flags() *flag.FlagSet {
 		DefaultGRPCPort,
 		"Set a custom gRPC port for the core node connection. The --core.ip flag must also be provided.",
 	)
+	flags.Bool(
+		coreEnableTLSFlag,
+		false,
+		"Enables grpc TLS. The --core.ip flag must also be provided.",
+	)
 	return flags
 }
 
@@ -60,6 +66,11 @@ func ParseFlags(
 		cfg.GRPCPort = grpc
 	}
 
+	if cmd.Flag(coreEnableTLSFlag).Changed {
+		enabled := cmd.Flag(coreEnableTLSFlag).Value.String() == "true"
+		cfg.EnableTLS = enabled
+	}
+
 	cfg.IP = coreIP
 	return cfg.Validate()
 }

nodebuilder/state/core.go

@@ -30,8 +30,7 @@ func coreAccessor(
 	*modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader],
 	error,
 ) {
-	ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort,
-		network.String(), opts...)
+	ca, err := state.NewCoreAccessor(keyring, string(keyname), sync, corecfg.IP, corecfg.GRPCPort, corecfg.EnableTLS, network.String(), opts...)
 
 	sBreaker := &modfraud.ServiceBreaker[*state.CoreAccessor, *header.ExtendedHeader]{
 		Service:   ca,

state/core_access.go

@@ -2,11 +2,18 @@ package state
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"sync"
 	"time"
 
+	"github.com/celestiaorg/celestia-app/v3/app"
+	"github.com/celestiaorg/celestia-app/v3/app/encoding"
+	apperrors "github.com/celestiaorg/celestia-app/v3/app/errors"
+	"github.com/celestiaorg/celestia-app/v3/pkg/user"
+	libhead "github.com/celestiaorg/go-header"
+	libshare "github.com/celestiaorg/go-square/v2/share"
 	nodeservice "github.com/cosmos/cosmos-sdk/client/grpc/node"
 	"github.com/cosmos/cosmos-sdk/client/grpc/tmservice"
 	"github.com/cosmos/cosmos-sdk/crypto/keyring"
@@ -20,15 +27,9 @@ import (
 	"github.com/tendermint/tendermint/proto/tendermint/crypto"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
-	"github.com/celestiaorg/celestia-app/v3/app"
-	"github.com/celestiaorg/celestia-app/v3/app/encoding"
-	apperrors "github.com/celestiaorg/celestia-app/v3/app/errors"
-	"github.com/celestiaorg/celestia-app/v3/pkg/user"
-	libhead "github.com/celestiaorg/go-header"
-	libshare "github.com/celestiaorg/go-square/v2/share"
-
 	"github.com/celestiaorg/celestia-node/header"
 )
 
@@ -67,10 +68,11 @@ type CoreAccessor struct {
 
 	prt *merkle.ProofRuntime
 
-	coreConn *grpc.ClientConn
-	coreIP   string
-	grpcPort string
-	network  string
+	coreConn  *grpc.ClientConn
+	coreIP    string
+	grpcPort  string
+	enableTLS bool
+	network   string
 
 	// these fields are mutatable and thus need to be protected by a mutex
 	lock            sync.Mutex
@@ -86,15 +88,7 @@ type CoreAccessor struct {
 // NewCoreAccessor dials the given celestia-core endpoint and
 // constructs and returns a new CoreAccessor (state service) with the active
 // connection.
-func NewCoreAccessor(
-	keyring keyring.Keyring,
-	keyname string,
-	getter libhead.Head[*header.ExtendedHeader],
-	coreIP,
-	grpcPort string,
-	network string,
-	options ...Option,
-) (*CoreAccessor, error) {
+func NewCoreAccessor(keyring keyring.Keyring, keyname string, getter libhead.Head[*header.ExtendedHeader], coreIP, grpcPort string, enableTLS bool, network string, options ...Option) (*CoreAccessor, error) {
 	// create verifier
 	prt := merkle.DefaultProofRuntime()
 	prt.RegisterOpDecoder(storetypes.ProofOpIAVLCommitment, storetypes.CommitmentOpDecoder)
@@ -106,6 +100,7 @@ func NewCoreAccessor(
 		getter:               getter,
 		coreIP:               coreIP,
 		grpcPort:             grpcPort,
+		enableTLS:            enableTLS,
 		prt:                  prt,
 		network:              network,
 	}
@@ -124,9 +119,15 @@ func (ca *CoreAccessor) Start(ctx context.Context) error {
 
 	// dial given celestia-core endpoint
 	endpoint := fmt.Sprintf("%s:%s", ca.coreIP, ca.grpcPort)
+	grpcOpts := make([]grpc.DialOption, 0)
+	if ca.enableTLS {
+		grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})))
+	} else {
+		grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	}
 	client, err := grpc.NewClient(
 		endpoint,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcOpts...,
 	)
 	if err != nil {
 		return err

state/core_access_test.go

@@ -264,7 +264,7 @@ func buildAccessor(t *testing.T) (*CoreAccessor, []string) {
 		WithAppCreator(appCreator) // needed until https://github.com/celestiaorg/celestia-app/pull/3680 merges
 	cctx, _, grpcAddr := testnode.NewNetwork(t, config)
 
-	ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), chainID)
+	ca, err := NewCoreAccessor(cctx.Keyring, accounts[0].Name, nil, "127.0.0.1", extractPort(grpcAddr), false, chainID)
 	require.NoError(t, err)
 	return ca, getNames(accounts)
 }

state/integration_test.go

@@ -52,7 +52,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	s.Require().Greater(len(s.accounts), 0)
 	accountName := s.accounts[0].Name
 
-	accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", "")
+	accessor, err := NewCoreAccessor(s.cctx.Keyring, accountName, localHeader{s.cctx.Client}, "", "", false, "")
 	require.NoError(s.T(), err)
 	setClients(accessor, s.cctx.GRPCClient)
 	s.accessor = accessor