Tls supprt (#540)

* added tls support to controller and access proxies

* few pr comments
Cam Otts 2024-01-17 15:37:46 -06:00 committed by GitHub
parent 2ef52607f0
commit 53940d51ab
GPG Key ID: B5690EEEBB952194
9 changed files with 50 additions and 4 deletions


@ -14,6 +14,10 @@ FEATURE: Python SDK now has a decorator for integrating with various server side
FEATURE: Python SDK share and access handling now supports context management. FEATURE: Python SDK share and access handling now supports context management.
FEATURE: TLS for `zrok` controller and acces endpoints. Add the specified stanza to your controller file (see `etc/ctrl.yml`). Your controller will now listen over TLS. (Note: you will need to update your client environments/configs to use the new https:// url). Likewise with `access` add the stanza to your frontend configuration (see `etc/frontend.yml`). Additionally you will have to update the frontend url template to emit a https:// scheme.
FEATURE: TLS for `zrok` controller and frontends. Add the `tls:` stanza to your controller configuration (see `etc/ctrl.yml`) to enable TLS support for the controller API. Add the `tls:` stanza to your frontend configuration (see `etc/frontend.yml`) to enable TLS support for frontends (be sure to check your `public` frontend template) (#24)(https://github.com/openziti/zrok/issues/24)
## v0.4.22 ## v0.4.22
FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects


@ -31,6 +31,7 @@ type Config struct {
ResetPassword *ResetPasswordConfig ResetPassword *ResetPasswordConfig
Store *store.Config Store *store.Config
Ziti *zrokEdgeSdk.Config Ziti *zrokEdgeSdk.Config
Tls *TlsConfig
} }
type AdminConfig struct { type AdminConfig struct {
@ -83,6 +84,11 @@ type ResetPasswordMaintenanceConfig struct {
BatchLimit int BatchLimit int
} }
type TlsConfig struct {
CertPath string
KeyPath string
}
func DefaultConfig() *Config { func DefaultConfig() *Config {
return &Config{ return &Config{
Limits: limits.DefaultConfig(), Limits: limits.DefaultConfig(),
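Review bot: The controller-side `TlsConfig` duplicates the `endpoints.TlsConfig` type added in endpoints/config.go with the same two fields, so the two definitions will drift unless one is reused by both or each carries a comment saying why they are separate. The exported type also has no doc comment; `// TlsConfig holds the paths of the PEM-encoded certificate and private key the controller API serves with.` would do. Nothing visible here rejects a `tls:` stanza in which only one of the two paths is set — `Config.Tls` is optional as a whole, but the pair is not — so a check in the config loader is worth considering. The `Config` struct starts outside the hunk.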


@ -2,6 +2,7 @@ package controller
import ( import (
"context" "context"
"github.com/jessevdk/go-flags"
"github.com/openziti/zrok/controller/config" "github.com/openziti/zrok/controller/config"
"github.com/openziti/zrok/controller/limits" "github.com/openziti/zrok/controller/limits"
"github.com/openziti/zrok/controller/metrics" "github.com/openziti/zrok/controller/metrics"
@ -128,8 +129,16 @@ func Run(inCfg *config.Config) error {
server := rest_server_zrok.NewServer(api) server := rest_server_zrok.NewServer(api)
defer func() { _ = server.Shutdown() }() defer func() { _ = server.Shutdown() }()
if cfg.Tls != nil {
server.TLSHost = cfg.Endpoint.Host
server.TLSPort = cfg.Endpoint.Port
server.TLSCertificate = flags.Filename(cfg.Tls.CertPath)
server.TLSCertificateKey = flags.Filename(cfg.Tls.KeyPath)
server.EnabledListeners = []string{"https"}
} else {
server.Host = cfg.Endpoint.Host server.Host = cfg.Endpoint.Host
server.Port = cfg.Endpoint.Port server.Port = cfg.Endpoint.Port
}
rest_server_zrok.HealthCheck = HealthCheckHTTP rest_server_zrok.HealthCheck = HealthCheckHTTP
server.ConfigureAPI() server.ConfigureAPI()
if err := server.Serve(); err != nil { if err := server.Serve(); err != nil {
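Review bot: The TLS branch passes `cfg.Tls.CertPath` and `cfg.Tls.KeyPath` straight to the server without checking that either is set, so a `tls:` stanza with an empty path only fails (if at all) inside `server.Serve()` with an error that does not name the config key; returning an error before the branch on `cfg.Tls != nil && (cfg.Tls.CertPath == "" || cfg.Tls.KeyPath == "")` would fail fast and point at the stanza. In that branch `server.Host` and `server.Port` are left unset, which is fine while `EnabledListeners` is only `"https"`, but a one-line comment there would save the next reader from assuming they were forgotten. `Run` starts and continues outside the hunk.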

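--- /dev/null
+++ b/endpoints/config.go
@@ -0,0 +1,6 @@
+package endpoints
+type TlsConfig struct {
+	CertPath string
+	KeyPath string
+}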


@ -22,6 +22,7 @@ type FrontendConfig struct {
IdentityName string IdentityName string
ShrToken string ShrToken string
Address string Address string
Tls *endpoints.TlsConfig
RequestsChan chan *endpoints.Request RequestsChan chan *endpoints.Request
} }
@ -76,6 +77,9 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
} }
func (h *Frontend) Run() error { func (h *Frontend) Run() error {
if h.cfg.Tls != nil {
return http.ListenAndServeTLS(h.cfg.Address, h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath, h.handler)
}
return http.ListenAndServe(h.cfg.Address, h.handler) return http.ListenAndServe(h.cfg.Address, h.handler)
} }
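Review bot: The new `Run` body is the same four lines as `HttpFrontend.Run` in endpoints/publicProxy/http.go; since `endpoints` already owns `TlsConfig`, a helper there such as `func ListenAndServe(addr string, tlsCfg *TlsConfig, h http.Handler) error` wrapping the `http.ListenAndServeTLS`/`http.ListenAndServe` choice would keep the two listeners in step and reduce each `Run` to one line. Both paths still use the package-level `http.ListenAndServe` functions, which build an `http.Server` with no read or write timeouts; that predates this change, but the shared helper would be the natural place to construct an `http.Server` with timeouts later. The method is shown in full; the surrounding `Frontend` type is outside the hunk.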


@ -3,6 +3,7 @@ package publicProxy
import ( import (
"context" "context"
"github.com/michaelquigley/cf" "github.com/michaelquigley/cf"
"github.com/openziti/zrok/endpoints"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
zhttp "github.com/zitadel/oidc/v2/pkg/http" zhttp "github.com/zitadel/oidc/v2/pkg/http"
@ -16,6 +17,7 @@ type Config struct {
Address string Address string
HostMatch string HostMatch string
Oauth *OauthConfig Oauth *OauthConfig
Tls *endpoints.TlsConfig
} }
type OauthConfig struct { type OauthConfig struct {


@ -69,7 +69,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
return nil, err return nil, err
} }
proxy.Transport = zTransport proxy.Transport = zTransport
if err := configureOauthHandlers(context.Background(), cfg, false); err != nil { if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
return nil, err return nil, err
} }
handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx) handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
@ -81,6 +81,9 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
} }
func (f *HttpFrontend) Run() error { func (f *HttpFrontend) Run() error {
if f.cfg.Tls != nil {
return http.ListenAndServeTLS(f.cfg.Address, f.cfg.Tls.CertPath, f.cfg.Tls.KeyPath, f.handler)
}
return http.ListenAndServe(f.cfg.Address, f.handler) return http.ListenAndServe(f.cfg.Address, f.handler)
} }
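Review bot: The third argument to `configureOauthHandlers` changed from the literal `false` to `cfg.Tls != nil`, and nothing at the call site says what that flag controls (presumably whether the OAuth redirect URLs or cookies assume https — the callee is outside the hunk); a named local such as `tlsEnabled := cfg.Tls != nil` passed in its place would document the intent. It also ties the flag to this process terminating TLS itself, so a frontend sitting behind a TLS-terminating proxy keeps the previous non-TLS behaviour — worth a comment if that is intended. `NewHTTP` starts before the hunk and the rest of its body is outside it.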


@ -181,6 +181,12 @@ store:
path: zrok.db path: zrok.db
type: sqlite3 type: sqlite3
# The `tls` section sets the cert and key to use and enables serving over HTTPS
#
#tls:
# cert_path: "/Path/To/Cert/zrok.crt"
# key_path: "/Path/To/Cert/zrok.key"
# Ziti configuration. # Ziti configuration.
# #
ziti: ziti:
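Review bot: The new `tls` sample names the two keys but not what the files must contain, and both listeners in this change load the pair with the standard library key-pair loader, which as far as I can tell expects the certificate file to hold the server certificate followed by any intermediates in PEM form. One more comment line, `# cert_path should hold the leaf certificate followed by any intermediates (PEM); keep key_path readable only by the user running zrok`, would cover that and the fact that the key file is a secret read at startup. The identical stanza added to etc/frontend.yml would take the same line.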


@ -42,3 +42,9 @@ v: 3
# - name: github # - name: github
# client_id: <client-id> # client_id: <client-id>
# client_secret: <client-secret> # client_secret: <client-secret>
#
# The `tls` section sets the cert and key to use and enables serving over HTTPS
#
#tls:
# cert_path: "/Path/To/Cert/zrok.crt"
# key_path: "/Path/To/Cert/zrok.key"