Allow TLS enablement (#29)

* add tls command-line arguments To enable tls, we need to gather a few things from the environment: - the TLS key - the TLS certificate We also want to be able to disable TLS and listen on http. To enable this, add three options to the command-line: -cert-path string Path to TLS certificate store. -enable-tls Toggle tls enablement (default true) -key-path string Path to TLS private key. Signed-off-by: Andy Sadler <[email protected]> * disable tls in testing deployments We enable TLS by default, but we don't want to enable it during testing for debugging purposes. Signed-off-by: Andy Sadler <[email protected]> --------- Signed-off-by: Andy Sadler <[email protected]> Co-authored-by: Francesco Ilario <[email protected]>
konflux-ci · Jan 20, 2025 · ad09a17 · ad09a17
1 parent 4c6c64a
commit ad09a17
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 1 deletion.
diff --git a/config/deployment.yaml b/config/deployment.yaml
@@ -19,7 +19,9 @@ spec:
       #   runAsNonRoot: true
       serviceAccountName: namespace-lister
       containers:
-      - image: namespace-lister:latest
+      - args:
+        - -enable-tls=false
+        image: namespace-lister:latest
         name: namespace-lister
         imagePullPolicy: IfNotPresent
         env:

diff --git a/http_server.go b/http_server.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"log/slog"
 	"net/http"
 	"os"
@@ -16,6 +17,8 @@ const (
 
 type NamespaceListerServer struct {
 	*http.Server
+	useTLS  bool
+	tlsOpts []func(*tls.Config)
 }
 
 func addInjectLoggerMiddleware(l *slog.Logger, next http.Handler) http.HandlerFunc {
@@ -77,6 +80,16 @@ func NewServer(l *slog.Logger, ar authenticator.Request, lister NamespaceLister)
 	}
 }
 
+func (s *NamespaceListerServer) WithTLS(enableTLS bool) *NamespaceListerServer {
+	s.useTLS = enableTLS
+	return s
+}
+
+func (s *NamespaceListerServer) WithTLSOpts(tlsOpts ...func(*tls.Config)) *NamespaceListerServer {
+	s.tlsOpts = tlsOpts
+	return s
+}
+
 func (s *NamespaceListerServer) Start(ctx context.Context) error {
 	// HTTP Server graceful shutdown
 	go func() {
@@ -92,6 +105,17 @@ func (s *NamespaceListerServer) Start(ctx context.Context) error {
 		}
 	}()
 
+	// setup and serve over TLS if configured
+	if s.useTLS {
+		s.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+		for _, fun := range s.tlsOpts {
+			fun(s.TLSConfig)
+		}
+		return s.ListenAndServeTLS("", "")
+	}
+
 	// start server
 	return s.ListenAndServe()
 }
diff --git a/main.go b/main.go
@@ -2,6 +2,9 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
 	"log/slog"
 	"os"
 	"os/signal"
@@ -21,9 +24,33 @@ func main() {
 	}
 }
 
+func loadTLSCert(l *slog.Logger, certPath, keyPath string) func(*tls.Config) {
+	getCertificate := func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			l.Error("Unable to load TLS certificates", "error", err)
+			return nil, fmt.Errorf("Unable to load TLS certificates: %w", err)
+		}
+
+		return &cert, err
+	}
+
+	return func(config *tls.Config) {
+		config.GetCertificate = getCertificate
+	}
+}
+
 func run(l *slog.Logger) error {
 	log.SetLogger(logr.FromSlogHandler(l.Handler()))
 
+	var enableTLS bool
+	var tlsCertificatePath string
+	var tlsCertificateKeyPath string
+	flag.BoolVar(&enableTLS, "enable-tls", true, "Toggle TLS enablement.")
+	flag.StringVar(&tlsCertificatePath, "cert-path", "", "Path to TLS certificate store.")
+	flag.StringVar(&tlsCertificateKeyPath, "key-path", "", "Path to TLS private key.")
+	flag.Parse()
+
 	// get config
 	cfg := ctrl.GetConfigOrDie()
 
@@ -57,6 +84,10 @@ func run(l *slog.Logger) error {
 	l.Info("building server")
 	s := NewServer(l, ar, nsl)
 
+	// configure TLS
+	s.WithTLS(enableTLS).
+		WithTLSOpts(loadTLSCert(l, tlsCertificatePath, tlsCertificateKeyPath))
+
 	// start the server
 	return s.Start(ctx)
 }