Tls supprt (#540)

* added tls support to controller and access proxies * few pr comments
2024-11-07 08:44:14 +01:00 · 2024-01-17 15:37:46 -06:00 · 2024-01-17 15:37:46 -06:00 · 53940d51ab
commit 53940d51ab
parent 2ef52607f0
9 changed files with 50 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,10 @@ FEATURE: Python SDK now has a decorator for integrating with various server side

 FEATURE: Python SDK share and access handling now supports context management.

+FEATURE: TLS for `zrok` controller and acces endpoints. Add the specified stanza to your controller file (see `etc/ctrl.yml`). Your controller will now listen over TLS. (Note: you will need to update your client environments/configs to use the new https:// url). Likewise with `access` add the stanza to your frontend configuration (see `etc/frontend.yml`). Additionally you will have to update the frontend url template to emit a https:// scheme.
+
+FEATURE: TLS for `zrok` controller and frontends. Add the `tls:` stanza to your controller configuration (see `etc/ctrl.yml`) to enable TLS support for the controller API. Add the `tls:` stanza to your frontend configuration (see `etc/frontend.yml`) to enable TLS support for frontends (be sure to check your `public` frontend template) (#24)(https://github.com/openziti/zrok/issues/24)
+
 ## v0.4.22

 FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects
--- a/controller/config/config.go
+++ b/controller/config/config.go
@ -31,6 +31,7 @@ type Config struct {
 	ResetPassword *ResetPasswordConfig
 	Store         *store.Config
 	Ziti          *zrokEdgeSdk.Config
+	Tls           *TlsConfig
 }

 type AdminConfig struct {
@ -83,6 +84,11 @@ type ResetPasswordMaintenanceConfig struct {
 	BatchLimit        int
 }

+type TlsConfig struct {
+	CertPath string
+	KeyPath  string
+}
+
 func DefaultConfig() *Config {
 	return &Config{
 		Limits: limits.DefaultConfig(),
--- a/controller/controller.go
+++ b/controller/controller.go
@ -2,6 +2,7 @@ package controller

 import (
 	"context"
+	"github.com/jessevdk/go-flags"
 	"github.com/openziti/zrok/controller/config"
 	"github.com/openziti/zrok/controller/limits"
 	"github.com/openziti/zrok/controller/metrics"
@ -128,8 +129,16 @@ func Run(inCfg *config.Config) error {

 	server := rest_server_zrok.NewServer(api)
 	defer func() { _ = server.Shutdown() }()
+	if cfg.Tls != nil {
+		server.TLSHost = cfg.Endpoint.Host
+		server.TLSPort = cfg.Endpoint.Port
+		server.TLSCertificate = flags.Filename(cfg.Tls.CertPath)
+		server.TLSCertificateKey = flags.Filename(cfg.Tls.KeyPath)
+		server.EnabledListeners = []string{"https"}
+	} else {
 		server.Host = cfg.Endpoint.Host
 		server.Port = cfg.Endpoint.Port
+	}
 	rest_server_zrok.HealthCheck = HealthCheckHTTP
 	server.ConfigureAPI()
 	if err := server.Serve(); err != nil {
--- a/endpoints/config.go
+++ b/endpoints/config.go
@ -0,0 +1,6 @@
+package endpoints
+
+type TlsConfig struct {
+	CertPath string
+	KeyPath  string
+}
--- a/endpoints/proxy/frontend.go
+++ b/endpoints/proxy/frontend.go
@ -22,6 +22,7 @@ type FrontendConfig struct {
 	IdentityName string
 	ShrToken     string
 	Address      string
+	Tls          *endpoints.TlsConfig
 	RequestsChan chan *endpoints.Request
 }

@ -76,6 +77,9 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 }

 func (h *Frontend) Run() error {
+	if h.cfg.Tls != nil {
+		return http.ListenAndServeTLS(h.cfg.Address, h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath, h.handler)
+	}
 	return http.ListenAndServe(h.cfg.Address, h.handler)
 }

--- a/endpoints/publicProxy/config.go
+++ b/endpoints/publicProxy/config.go
@ -3,6 +3,7 @@ package publicProxy
 import (
 	"context"
 	"github.com/michaelquigley/cf"
+	"github.com/openziti/zrok/endpoints"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	zhttp "github.com/zitadel/oidc/v2/pkg/http"
@ -16,6 +17,7 @@ type Config struct {
 	Address   string
 	HostMatch string
 	Oauth     *OauthConfig
+	Tls       *endpoints.TlsConfig
 }

 type OauthConfig struct {
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@ -69,7 +69,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
 		return nil, err
 	}
 	proxy.Transport = zTransport
-	if err := configureOauthHandlers(context.Background(), cfg, false); err != nil {
+	if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
 		return nil, err
 	}
 	handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
@ -81,6 +81,9 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
 }

 func (f *HttpFrontend) Run() error {
+	if f.cfg.Tls != nil {
+		return http.ListenAndServeTLS(f.cfg.Address, f.cfg.Tls.CertPath, f.cfg.Tls.KeyPath, f.handler)
+	}
 	return http.ListenAndServe(f.cfg.Address, f.handler)
 }

--- a/etc/ctrl.yml
+++ b/etc/ctrl.yml
@ -181,6 +181,12 @@ store:
  path:                           zrok.db
  type:                           sqlite3

+# The `tls` section sets the cert and key to use and enables serving over HTTPS
+#
+#tls:
+#  cert_path: "/Path/To/Cert/zrok.crt"
+#  key_path:  "/Path/To/Cert/zrok.key"
+
 # Ziti configuration.
 #
 ziti:
--- a/etc/frontend.yml
+++ b/etc/frontend.yml
@ -42,3 +42,9 @@ v: 3
 #    - name: github
 #      client_id: <client-id>
 #      client_secret: <client-secret>
+#
+# The `tls` section sets the cert and key to use and enables serving over HTTPS
+#
+#tls:
+#  cert_path: "/Path/To/Cert/zrok.crt"
+#  key_path:  "/Path/To/Cert/zrok.key"