utility to setup TLS to make the first developer experience nice

[patriknw]

Either support plain text mode as the Netty client is already doing, or have a utility for setting up dummy test certificates on both sides.

Related akka/akka-http#1849

[ignasi35]

or have a utility for setting up dummy test certificates on both sides.

Akka could ship fake certs on the testkit, or there could be a tool to crete a CA and a server cert on the fly.

For Lagom we spiked the second alternative and built a FakeKeyStoreGenerator.scala based on Play's FakeKeyStore.

[raboof]

I think @richdougherty has been working on that, seeing if it is reasonable to use ssl-config here or we can make it convenient some other way.

[ktoso]

Right, I think our approach here should be "whichever style play already does it for dev" :)
If ssl config helps then good, but if not then don't force it in I think. It may be nice to use just to declare from where to load certs, but not expose it in any APIs unless needed perhaps for example.

[patriknw]

Remember to remove the certs from Quickstarts also, e.g. akka/akka-grpc-quickstart-scala.g8#1 (comment)

[ktoso]

The comment to do what play does still stands, but they what play does does not work very well now: playframework/playframework#8562 would need to be implemented and based on.

There's some weird cycles about generating and needing the cert

[ktoso]

For plain Akka to generate the certs we'd need to "steal" code that play has for these things I suppose:

from here

Rich Dougherty:
https://github.com/playframework/playframework/blob/master/framework/src/play-server/src/main/scala/play/core/server/ssl/FakeKeyStore.scala#L53-L82

Rich Dougherty:
https://github.com/playframework/playframework/blob/master/framework/src/play-server/src/main/scala/play/core/server/ssl/DefaultSSLEngineProvider.scala#L62

[patriknw]

We discussed this some more and concluded that the plain vanilla samples can be without TLS.
We can run without SSL, but then we cannot serve 'regular' HTTP requests on that port anymore. We also have to add documentation of how to enable TLS (if that doesn't exist).

[ignasi35]

Now that TLS is not required for akka-gRPC I think we'd better close this issue.

I would ship the .g8 templates with some sample certificates/keys and maybe some very vague instructions on how to recreate them (with a disclaimer wrt key size, state of art, etc etc) but detailed instructions on relevant details (e.g. subject, authority, ...).

Lagom provides in both DevMode and TestKit tools to create fake certificates on the fly. In the case of testkit, there's also an SSLContext baked for the client in tests so it trusts the server in the testkit. I don't think such mechanisms should be part of akka-grpc.

[ignasi35]

raised akka/akka-grpc-quickstart-java.g8#39

[ignasi35]

(sorry, pressed the wrong buttons)

[johanandren]

Not entirely sure this is still valid/important, but, related developments #1910

[johanandren]

We do support non-tls and samples and quickstarts has self-signed certs.

[johanandren]

We should update the quickstarts to use the new cert loading APIs when that is out.