feat: support TLS (#5)

shelmangroup · Nov 1, 2024 · 86ba768 · 86ba768
1 parent 4b5f510
commit 86ba768
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 6 deletions.
diff --git a/.envrc b/.envrc
@@ -4,3 +4,5 @@ fi
 
 export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock
 export KO_DOCKER_REPO=ko.local/envoy-oidc-authserver
+
+[[ -f localhost.pem || -f localhost-key.pem ]] || mkcert localhost
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,6 @@
 .task
 internal
 coverage.out
+localhost-key.pem
+localhost.pem
 envoy-oidc-authserver
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -36,14 +36,21 @@ tasks:
     cmds:
       - watchexec --clear --restart --stop-signal INT --debounce 300ms -- task dev:server
 
+  dev:gen-tls:
+    desc: Generate TLS certificates
+    cmds:
+      - ls *.pem || mkcert localhost
+
   dev:server:
     desc: Run envoy-oidc-authserver for local development
-    deps: [buf:generate]
+    deps: [buf:generate, dev:gen-tls]
     env:
       OTEL_EXPORTER_OTLP_ENDPOINT: http://localhost:4317
       ENVOY_AUTHZ_SECRET_KEY: "G_TdvPJ9T8C4p&A?Wr3YAUYW$*9vn4?t"
       ENVOY_AUTHZ_REDIS_URL: "redis:///0?tracing=true"
       ENVOY_AUTHZ_PROVIDERS_CONFIG: run/config/providers.yaml
+      ENVOY_AUTHZ_TLS_SERVER_CERT_FILE: localhost.pem
+      ENVOY_AUTHZ_TLS_SERVER_KEY_FILE: localhost-key.pem
       ENVOY_AUTHZ_LOG_LEVEL: debug
     cmds:
       - go run .

diff --git a/compose.yaml b/compose.yaml
@@ -2,9 +2,10 @@ version: "3"
 
 services:
   envoy:
-    image: docker.io/envoyproxy/envoy:v1.30-latest
+    image: docker.io/envoyproxy/envoy:v1.32-latest
     volumes:
       - ./run/config/envoy.yaml:/envoy.yaml
+      - "$HOME/.local/share/mkcert/rootCA.pem:/rootCA.pem"
     depends_on:
       podinfo:
         condition: service_healthy

diff --git a/flake.nix b/flake.nix
@@ -35,6 +35,7 @@
           protobuf
           protoc-gen-go
           watchexec
+          mkcert
         ];
       in
       {

diff --git a/main.go b/main.go
@@ -25,6 +25,8 @@ func main() {
 	redisURL := fs.String('r', "redis-url", "", "URL to use for Redis cache, omit for in memory cache")
 	secretKey := fs.StringLong("secret-key", "", "secret key used to encrypt session tokens")
 	providersConfig := fs.String('c', "providers-config", "", "OIDC procider configuration file")
+	tlsServerCertFile := fs.StringLong("tls-server-cert-file", "", "TLS server certificate file")
+	tlsServerKeyFile := fs.StringLong("tls-server-key-file", "", "TLS server key file")
 	logJson := fs.BoolLong("log-json", "log in JSON format")
 	logLevel := fs.StringLong("log-level", "info", "log level (debug, info, warn, error)")
 
@@ -83,7 +85,7 @@ func main() {
 	}
 
 	// Create new server
-	s := server.NewServer(*addr, authz.NewService(c, *secretKey, u))
+	s := server.NewServer(*addr, *tlsServerCertFile, *tlsServerKeyFile, authz.NewService(c, *secretKey, u))
 	defer func() {
 		err := s.Shutdown()
 		if err != nil {

diff --git a/run/config/envoy.yaml b/run/config/envoy.yaml
@@ -107,3 +107,16 @@ static_resources:
                     socket_address:
                       address: localhost
                       port_value: 8080
+      transport_socket:
+        name: envoy.transport_sockets.tls
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+          sni: localhost
+          common_tls_context:
+            validation_context:
+              match_typed_subject_alt_names:
+                - san_type: DNS
+                  matcher:
+                    exact: "localhost"
+              trusted_ca:
+                filename: /rootCA.pem
diff --git a/server/server.go b/server/server.go
@@ -19,10 +19,12 @@ type Service interface {
 
 type Server struct {
 	httpServer *http.Server
+	certFile   string
+	keyFile    string
 }
 
 // NewServer creates a new server instance
-func NewServer(httpAddr string, services ...Service) *Server {
+func NewServer(httpAddr string, certFile, keyFile string, services ...Service) *Server {
 	mux := http.NewServeMux()
 
 	// Register service handlers
@@ -51,10 +53,17 @@ func NewServer(httpAddr string, services ...Service) *Server {
 
 	return &Server{
 		httpServer: httpServer,
+		certFile:   certFile,
+		keyFile:    keyFile,
 	}
 }
 
 func (s *Server) Serve() error {
+	if s.certFile != "" && s.keyFile != "" {
+		slog.Info("Start HTTPS server", slog.String("addr", s.httpServer.Addr))
+		return s.httpServer.ListenAndServeTLS(s.certFile, s.keyFile)
+	}
+
 	slog.Info("Start HTTP server", slog.String("addr", s.httpServer.Addr))
 	return s.httpServer.ListenAndServe()
 }

diff --git a/server/server_test.go b/server/server_test.go
@@ -22,10 +22,10 @@ func (s *dummyService) Name() string {
 // TestServer
 func TestServer(t *testing.T) {
 	// Should panic if no service is provided
-	assert.Panics(t, func() { NewServer("127.0.0.1:8080", nil) })
+	assert.Panics(t, func() { NewServer("127.0.0.1:8080", "", "", nil) })
 
 	// register dummy service which implements Service interface
-	s := NewServer("127.0.0.1:8080", &dummyService{})
+	s := NewServer("127.0.0.1:8080", "", "", &dummyService{})
 	assert.NotNil(t, s)
 	assert.NoError(t, s.Shutdown())
 }