Dark-Alex-17/kapow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ec4c909a1496f0684d06abcf52c17b352d1407a5
kapow/internal/server/control/server.go
pancho horrillo 1e63f3c104 feat: Control API uses automatic cross-pinning mTLS (Closes #119) 
. kapow server generates on startup a pair of certificates
that will use to secure communications to its control server.
It will communicate the server and client certificates as well
as the client private key to the init programs it launches,
via environment variables.

. kapow server now understands a new flag --control-reachable-addr
which accepts either a IP address or a DNS name, that can be used
to ensure that the generated server certificate will be appropiate
in case the control server must be accessed from something other
than localhost.

Co-authored-by: Roberto Abdelkader Martínez Pérez <robertomartinezp@gmail.com>
2021-03-12 17:24:17 +01:00

64 lines
1.7 KiB
Go
Raw Blame History

/*
* Copyright 2019 Banco Bilbao Vizcaya Argentaria, S.A.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package control
import (
"crypto/tls"
"crypto/x509"
"net"
"net/http"
"sync"
"github.com/BBVA/kapow/internal/certs"
"github.com/BBVA/kapow/internal/logger"
)
// Run Starts the control server listening in bindAddr
func Run(bindAddr string, wg *sync.WaitGroup, serverCert, clientCert certs.Cert) {
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(clientCert.SignedCertPEMBytes())
ln, err := net.Listen("tcp", bindAddr)
if err != nil {
logger.L.Fatal(err)
}
server := &http.Server{
Addr: bindAddr,
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{
tls.Certificate{
Certificate: [][]byte{serverCert.SignedCert},
PrivateKey: serverCert.PrivKey,
Leaf: serverCert.X509Cert,
},
},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
},
Handler: configRouter(),
}
// Signal startup
logger.L.Printf("ControlServer listening at %s\n", bindAddr)
wg.Done()
// Listen to HTTPS connections with the server certificate and wait
logger.L.Fatal(server.ServeTLS(ln, "", ""))
}
Reference in New Issue View Git Blame Copy Permalink