feat: tls upstream

mxab · Mar 3, 2023 · e3bab4a · e3bab4a
1 parent 00d11e5
commit e3bab4a
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 10 deletions.
diff --git a/config/config.go b/config/config.go
@@ -21,11 +21,15 @@ type Mutator struct {
 	OpaRules []OpaRule `hcl:"opa_rule,block"`
 }
 
+type NomadServerTLS struct {
+	CaFile             string `hcl:"ca_file"`
+	CertFile           string `hcl:"cert_file"`
+	KeyFile            string `hcl:"key_file"`
+	InsecureSkipVerify bool   `hcl:"insecure_skip_verify,optional"`
+}
 type NomadServer struct {
-	Address string `hcl:"address"`
-	// CaFile   string `hcl:"ca_file"`
-	// CertFile string `hcl:"cert_file"`
-	// KeyFile  string `hcl:"key_file"`
+	Address string          `hcl:"address"`
+	TLS     *NomadServerTLS `hcl:"tls,block"`
 }
 type Config struct {
 	Port int    `hcl:"port,optional"`
@@ -55,6 +59,7 @@ func DefaultConfig() *Config {
 func LoadConfig(name string) (*Config, error) {
 
 	c := DefaultConfig()
+
 	evalContext := &hcl.EvalContext{}
 	err := hclsimple.DecodeFile(name, evalContext, c)
 	if err != nil {

diff --git a/main.go b/main.go
@@ -3,10 +3,13 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -32,13 +35,16 @@ var (
 	jobPlanPathRegex = regexp.MustCompile(`^/v1/job/[a-zA-Z]+[a-z-Z0-9\-]*/plan$`)
 )
 
-func NewProxyHandler(nomadAddress *url.URL, jobHandler *admissionctrl.JobHandler, appLogger hclog.Logger) func(http.ResponseWriter, *http.Request) {
+func NewProxyHandler(nomadAddress *url.URL, jobHandler *admissionctrl.JobHandler, appLogger hclog.Logger, transport *http.Transport) func(http.ResponseWriter, *http.Request) {
 
 	// create a reverse proxy that catches "/v1/jobs" post calls
 	// and forwards them to the jobs service
 	// create a new reverse proxy
 
 	proxy := httputil.NewSingleHostReverseProxy(nomadAddress)
+	if transport != nil {
+		proxy.Transport = transport
+	}
 
 	originalDirector := proxy.Director
 
@@ -370,7 +376,14 @@ func main() {
 		appLogger.Error("Failed to parse nomad address", "error", err)
 		os.Exit(1)
 	}
-
+	var transport *http.Transport
+	if c.Nomad.TLS != nil {
+		transport, err = buildCustomTransport(*c.Nomad.TLS)
+		if err != nil {
+			appLogger.Error("Failed to create custom transport", "error", err)
+			os.Exit(1)
+		}
+	}
 	jobMutators, err := createMutatators(c, appLogger)
 	if err != nil {
 		appLogger.Error("Failed to create mutators", "error", err)
@@ -389,7 +402,7 @@ func main() {
 		appLogger.Named("handler"),
 	)
 
-	proxy := NewProxyHandler(backend, handler, appLogger)
+	proxy := NewProxyHandler(backend, handler, appLogger, transport)
 
 	http.HandleFunc("/", proxy)
 
@@ -447,3 +460,32 @@ func createValidators(c *config.Config, appLogger hclog.Logger) ([]admissionctrl
 	}
 	return jobValidators, nil
 }
+
+func buildCustomTransport(config config.NomadServerTLS) (*http.Transport, error) {
+	// Create a custom transport to allow for self-signed certs
+	// and to allow for a custom timeout
+
+	//load key pair
+	cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// create CA pool
+	caCert, err := ioutil.ReadFile(config.CaFile)
+	if err != nil {
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: config.InsecureSkipVerify,
+
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      caCertPool,
+		},
+	}
+	return transport, err
+}
diff --git a/main_test.go b/main_test.go
@@ -236,7 +236,7 @@ func TestProxy(t *testing.T) {
 				tc.validators,
 				hclog.NewNullLogger(),
 			)
-			proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger())
+			proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger(), nil)
 
 			proxyServer := httptest.NewServer(http.HandlerFunc(proxy))
 			defer proxyServer.Close()
@@ -319,7 +319,7 @@ func TestJobUpdateProxy(t *testing.T) {
 				tc.validators,
 				hclog.NewNullLogger(),
 			)
-			proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger())
+			proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger(), nil)
 
 			proxyServer := httptest.NewServer(http.HandlerFunc(proxy))
 			defer proxyServer.Close()
@@ -414,7 +414,7 @@ func TestAdmissionControllerErrors(t *testing.T) {
 		[]admissionctrl.JobValidator{validator},
 		hclog.NewNullLogger(),
 	)
-	proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger())
+	proxy := NewProxyHandler(nomad, jobHandler, hclog.NewNullLogger(), nil)
 
 	proxyServer := httptest.NewServer(http.HandlerFunc(proxy))