webserver will now automatically create a certificate for itself if no certificates are defined.

2023-03-13 17:46:09 -05:00
parent 2d7593ddf9
commit dd19b87e8d
6 changed files with 218 additions and 30 deletions
--- a/cmd/webhook/httpServer.go
+++ b/cmd/webhook/httpServer.go
@ -1,7 +1,9 @@
 package main

 import (
+	"crypto/tls"
 	"log"
+	"mutating-webhook/internal/certificate"
 	"mutating-webhook/internal/config"
 	"net/http"
 	"strconv"
@ -21,7 +23,19 @@ func crossSiteOrigin(w http.ResponseWriter) {
 	w.Header().Add("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, Authorization, X-API-Token")
 }

+func strictTransport(w http.ResponseWriter) {
+	w.Header().Add("Strict-Transport-Security", "max-age=63072000")
+}
+
 func httpServer(cfg *config.Config) {
+	var serverCertificate tls.Certificate
+	if config.DefaultConfig().WebServerCertificate == "" || cfg.WebServerKey == "" {
+		log.Printf("[INFO] No webserver certificate configured, automatically generating self signed certificate.")
+		serverCertificate = certificate.CreateServerCert()
+	} else {
+		// read certificate from files
+		// check for errors
+	}
 	path := http.NewServeMux()

 	connection := &http.Server{
@ -30,6 +44,20 @@ func httpServer(cfg *config.Config) {
 		ReadTimeout:  time.Duration(cfg.WebServerReadTimeout) * time.Second,
 		WriteTimeout: time.Duration(cfg.WebServerWriteTimeout) * time.Second,
 		IdleTimeout:  time.Duration(cfg.WebServerIdleTimeout) * time.Second,
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			},
+			Certificates: []tls.Certificate{
+				serverCertificate,
+			},
+		},
 	}

 	// healthcheck
@ -39,7 +67,7 @@ func httpServer(cfg *config.Config) {
 	// web root
 	path.HandleFunc("/", webRoot)

-	if err := connection.ListenAndServe(); err != nil {
+	if err := connection.ListenAndServeTLS("", ""); err != nil {
 		log.Fatalf("[ERROR] %s\n", err)
 	}
 }
@ -47,6 +75,7 @@ func httpServer(cfg *config.Config) {
 func webRoot(w http.ResponseWriter, r *http.Request) {
 	httpAccessLog(r)
 	crossSiteOrigin(w)
+	strictTransport(w)

 	switch {
 	case strings.ToLower(r.Method) != "get":
@ -63,6 +92,7 @@ func webRoot(w http.ResponseWriter, r *http.Request) {
 func webHealthCheck(w http.ResponseWriter, r *http.Request) {
 	httpAccessLog(r)
 	crossSiteOrigin(w)
+	strictTransport(w)

 	if strings.ToLower(r.Method) == "get" {
 		tmpltHealthCheck(w)