Add more helpers

2025-09-08 00:19:30 +00:00 · 2020-01-30 22:18:44 -07:00
parent ab900b5268
commit a75e84bc81
5 changed files with 308 additions and 46 deletions
--- a/server/server.go
+++ b/server/server.go
@@ -3,20 +3,35 @@ package server
 import (
 	"context"
 	"crypto"
+	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"log"
+	"net"
 	"net/http"

 	"github.com/rancher/dynamiclistener"
 	"github.com/rancher/dynamiclistener/factory"
+	"github.com/rancher/dynamiclistener/storage/file"
+	"github.com/rancher/dynamiclistener/storage/kubernetes"
 	"github.com/rancher/dynamiclistener/storage/memory"
+	v1 "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
 )

 type ListenOpts struct {
-	CA      *x509.Certificate
-	CAKey   crypto.Signer
-	Storage dynamiclistener.TLSStorage
+	CA                *x509.Certificate
+	CAKey             crypto.Signer
+	Storage           dynamiclistener.TLSStorage
+	Secrets           v1.SecretController
+	CertNamespace     string
+	CertName          string
+	CANamespace       string
+	CAName            string
+	CertBackup        string
+	AcmeDomains       []string
+	TLSListenerConfig dynamiclistener.Config
 }

 func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.Handler, opts *ListenOpts) error {
@@ -29,40 +44,26 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 		opts = &ListenOpts{}
 	}

+	logger := logrus.StandardLogger()
+	errorLog := log.New(logger.WriterLevel(logrus.DebugLevel), "", log.LstdFlags)
+
 	if httpsPort > 0 {
-		var (
-			caCert *x509.Certificate
-			caKey  crypto.Signer
-			err    error
-		)
-
-		if opts.CA != nil && opts.CAKey != nil {
-			caCert, caKey = opts.CA, opts.CAKey
-		} else {
-			caCert, caKey, err = factory.LoadOrGenCA()
-			if err != nil {
-				return err
-			}
-		}
-
 		tlsTCPListener, err := dynamiclistener.NewTCPListener("0.0.0.0", httpsPort)
 		if err != nil {
 			return err
 		}

-		storage := opts.Storage
-		if storage == nil {
-			storage = memory.New()
-		}
-
-		dynListener, dynHandler, err := dynamiclistener.NewListener(tlsTCPListener, storage, caCert, caKey, dynamiclistener.Config{})
+		dynListener, dynHandler, err := getTLSListener(ctx, tlsTCPListener, *opts)
 		if err != nil {
 			return err
 		}

-		targetHandler = wrapHandler(dynHandler, handler)
+		if dynHandler != nil {
+			targetHandler = wrapHandler(dynHandler, handler)
+		}
 		tlsServer := http.Server{
-			Handler: targetHandler,
+			Handler:  targetHandler,
+			ErrorLog: errorLog,
 		}
 		targetHandler = dynamiclistener.HTTPRedirect(targetHandler)

@@ -81,8 +82,9 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H

 	if httpPort > 0 {
 		httpServer := http.Server{
-			Addr:    fmt.Sprintf("0.0.0.0:%d", httpPort),
-			Handler: targetHandler,
+			Addr:     fmt.Sprintf("0.0.0.0:%d", httpPort),
+			Handler:  targetHandler,
+			ErrorLog: errorLog,
 		}
 		go func() {
 			logrus.Infof("Listening on 0.0.0.0:%d", httpPort)
@@ -100,9 +102,113 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 	return nil
 }

+func getTLSListener(ctx context.Context, tcp net.Listener, opts ListenOpts) (net.Listener, http.Handler, error) {
+	if len(opts.TLSListenerConfig.TLSConfig.NextProtos) == 0 {
+		opts.TLSListenerConfig.TLSConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
+
+	if len(opts.TLSListenerConfig.TLSConfig.Certificates) > 0 {
+		return tls.NewListener(tcp, &opts.TLSListenerConfig.TLSConfig), nil, nil
+	}
+
+	if len(opts.AcmeDomains) > 0 {
+		return acmeListener(tcp, opts), nil, nil
+	}
+
+	storage := opts.Storage
+	if storage == nil {
+		storage = newStorage(ctx, opts)
+	}
+
+	caCert, caKey, err := getCA(opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return dynamiclistener.NewListener(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
+}
+
+func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {
+	if opts.CA != nil && opts.CAKey != nil {
+		return opts.CA, opts.CAKey, nil
+	}
+
+	if opts.Secrets == nil {
+		return factory.LoadOrGenCA()
+	}
+
+	if opts.CAName == "" {
+		opts.CAName = "serving-ca"
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = opts.CertNamespace
+	}
+
+	if opts.CANamespace == "" {
+		opts.CANamespace = "kube-system"
+	}
+
+	return kubernetes.LoadOrGenCA(opts.Secrets, opts.CANamespace, opts.CAName)
+}
+
+func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {
+	var result dynamiclistener.TLSStorage
+	if opts.CertBackup == "" {
+		result = memory.New()
+	} else {
+		result = memory.NewBacked(file.New(opts.CertBackup))
+	}
+
+	if opts.Secrets == nil {
+		return result
+	}
+
+	if opts.CertName == "" {
+		opts.CertName = "serving-cert"
+	}
+
+	if opts.CertNamespace == "" {
+		opts.CertNamespace = "kube-system"
+	}
+
+	return kubernetes.Load(ctx, opts.Secrets, opts.CertNamespace, opts.CertName, result)
+}
+
 func wrapHandler(handler http.Handler, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		handler.ServeHTTP(rw, req)
 		next.ServeHTTP(rw, req)
 	})
 }
+
+func acmeListener(tcp net.Listener, opts ListenOpts) net.Listener {
+	hosts := map[string]bool{}
+	for _, domain := range opts.AcmeDomains {
+		hosts[domain] = true
+	}
+
+	manager := autocert.Manager{
+		Cache: autocert.DirCache("certs-cache"),
+		Prompt: func(tosURL string) bool {
+			return true
+		},
+		HostPolicy: func(ctx context.Context, host string) error {
+			if !hosts[host] {
+				return fmt.Errorf("host %s is not configured", host)
+			}
+			return nil
+		},
+	}
+
+	opts.TLSListenerConfig.TLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		if hello.ServerName == "localhost" || hello.ServerName == "" {
+			newHello := *hello
+			newHello.ServerName = opts.AcmeDomains[0]
+			return manager.GetCertificate(&newHello)
+		}
+		return manager.GetCertificate(hello)
+	}
+
+	return tls.NewListener(tcp, &opts.TLSListenerConfig.TLSConfig)
+}