Add cli tls support (uber#5027)

* introduce tls cert flag to CLI frontend, add logic for building tls CLIoutbound

* remove explicit default value for cert flag for style consistency

Co-authored-by: Shijie Sheng <shengs@uber.com>
Co-authored-by: David Porter <david.porter@uber.com>

tools/cli/app.go

@@ -79,6 +79,11 @@ func NewCliApp() *cli.App {
 			Usage:  "optional argument for transport protocol format, either 'grpc' or 'tchannel'. Defaults to tchannel if not provided",
 			EnvVar: "CADENCE_CLI_TRANSPORT_PROTOCOL",
 		},
+		cli.StringFlag{
+			Name:   FlagTLSCertPathWithAlias,
+			Usage:  "optional argument for path to TLS certificate. Defaults to an empty string if not provided",
+			EnvVar: "CADENCE_CLI_TLS_CERT_PATH",
+		},
 	}
 	app.Commands = []cli.Command{
 		{

tools/cli/factory.go

@@ -24,15 +24,22 @@ import (
 	"context"
 	"time"
 
+	"go.uber.org/yarpc/peer"
+	"go.uber.org/yarpc/peer/hostport"
 	"go.uber.org/yarpc/transport/grpc"
 	"go.uber.org/yarpc/transport/tchannel"
+	"google.golang.org/grpc/credentials"
 
 	"github.com/olivere/elastic"
 	"github.com/urfave/cli"
 	"go.uber.org/yarpc"
 	"go.uber.org/yarpc/api/transport"
 	"go.uber.org/zap"
 
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+
 	adminv1 "github.com/uber/cadence-idl/go/proto/admin/v1"
 	apiv1 "github.com/uber/cadence-idl/go/proto/api/v1"
 	serverAdmin "github.com/uber/cadence/.gen/go/admin/adminserviceclient"
@@ -152,9 +159,29 @@ func (b *clientFactory) ensureDispatcher(c *cli.Context) {
 	if addr := c.GlobalString(FlagAddress); addr != "" {
 		b.hostPort = addr
 	}
-
-	outbounds := transport.Outbounds{Unary: grpc.NewTransport().NewSingleOutbound(b.hostPort)}
-	if !shouldUseGrpc {
+	var outbounds transport.Outbounds
+	if shouldUseGrpc {
+		grpcTransport := grpc.NewTransport()
+		outbounds = transport.Outbounds{Unary: grpc.NewTransport().NewSingleOutbound(b.hostPort)}
+
+		tlsCertificatePath := c.GlobalString(FlagTLSCertPath)
+		if tlsCertificatePath != "" {
+			caCert, err := ioutil.ReadFile(tlsCertificatePath)
+			if err != nil {
+				b.logger.Fatal("Failed to load server CA certificate", zap.Error(err))
+			}
+			caCertPool := x509.NewCertPool()
+			if !caCertPool.AppendCertsFromPEM(caCert) {
+				b.logger.Fatal("Failed to add server CA certificate", zap.Error(err))
+			}
+			tlsConfig := tls.Config{
+				RootCAs: caCertPool,
+			}
+			tlsCreds := credentials.NewTLS(&tlsConfig)
+			tlsChooser := peer.NewSingle(hostport.Identify(b.hostPort), grpcTransport.NewDialer(grpc.DialerCredentials(tlsCreds)))
+			outbounds = transport.Outbounds{Unary: grpc.NewTransport().NewOutbound(tlsChooser)}
+		}
+	} else {
 		ch, err := tchannel.NewChannelTransport(tchannel.ServiceName(cadenceClientName), tchannel.ListenAddr("127.0.0.1:0"))
 		if err != nil {
 			b.logger.Fatal("Failed to create transport channel", zap.Error(err))

tools/cli/flags.go

@@ -238,6 +238,7 @@ const (
 	FlagServiceZoneWithAlias              = FlagServiceZone + ", sz"
 	FlagEnableTLS                         = "tls"
 	FlagTLSCertPath                       = "tls_cert_path"
+	FlagTLSCertPathWithAlias              = FlagTLSCertPath + ", tcp"
 	FlagTLSKeyPath                        = "tls_key_path"
 	FlagTLSCaPath                         = "tls_ca_path"
 	FlagTLSEnableHostVerification         = "tls_enable_host_verification"