feat: environment variables for TLS #7296

Open. Wants to merge 2 commits into main.

Conversation

RogerHYang (Contributor) commented Apr 25, 2025

resolves #7272

Add TLS Support for Phoenix Server

Overview

This PR implements Transport Layer Security (TLS) support for the Phoenix server, enabling secure HTTPS and gRPC connections. This enhancement allows for encrypted communication between clients and the server, with optional mutual TLS (mTLS) authentication.

Caveat: When using encrypted private keys (via PHOENIX_TLS_KEY_FILE_PASSWORD), the cryptography package must be installed. This package is used for decrypting private keys and validating certificate-key pairs.

Key Features

  • Secure HTTP & gRPC Connections: Enable HTTPS and secure gRPC endpoints
  • Flexible Configuration: Control TLS settings through environment variables
  • Optional Client Verification: Support for mutual TLS (mTLS) authentication
  • Integration Test Support: Added TLS-aware testing infrastructure

Configuration Options

The following environment variables control TLS behavior:

| Variable | Type | Description | Example |
|---|---|---|---|
| PHOENIX_TLS_ENABLED | boolean | Enable/disable TLS support | true |
| PHOENIX_TLS_CERT_FILE | string | Path to TLS certificate file | /path/to/cert.pem |
| PHOENIX_TLS_KEY_FILE | string | Path to private key file | /path/to/key.pem |
| PHOENIX_TLS_KEY_FILE_PASSWORD | string | Password for encrypted private key file | mysecretpassword |
| PHOENIX_TLS_CA_FILE | string | Path to CA certificate (for client verification) | /path/to/ca.pem |
| PHOENIX_TLS_VERIFY_CLIENT | boolean | Enable client certificate verification | true |

Technical Changes

  • Added TLS configuration handling in server setup
  • Implemented secure connection support for both HTTP and gRPC servers
  • Updated server welcome message to display TLS status
  • Enhanced integration tests with TLS support

Appendix

Implementation Details

  • Certificate Handling: The server supports both encrypted and unencrypted private keys. If the key file is password-protected, use PHOENIX_TLS_KEY_FILE_PASSWORD to provide the decryption password.
  • gRPC Integration: When TLS is enabled, the gRPC server automatically switches to secure mode using the provided certificates.
  • Client Verification: When PHOENIX_TLS_VERIFY_CLIENT is enabled, clients must provide valid certificates signed by the CA specified in PHOENIX_TLS_CA_FILE.
  • OTLP Integration: OTLP exporter configuration automatically adapts to TLS settings using environment variables:
    • OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE
    • OTEL_EXPORTER_OTLP_TRACES_CLIENT_CERTIFICATE
    • OTEL_EXPORTER_OTLP_TRACES_CLIENT_KEY

Labels: size:L (This PR changes 100-499 lines, ignoring generated files.)
Project status: 👍 Approved (moved from 📘 Todo on Apr 25, 2025)
Linked issue (closed by merging): [ENHANCEMENT]: Terminate TLS in phoenix service layer
2 participants