changes to support http and https for CNS

cns/common/service.go

@@ -5,6 +5,7 @@ package common
 
 import (
 	"errors"
+	"github.com/Azure/azure-container-networking/server/tls"
 
 	"github.com/Azure/azure-container-networking/cns/logger"
 	acn "github.com/Azure/azure-container-networking/common"
@@ -37,6 +38,7 @@ type ServiceConfig struct {
 	ErrChan     chan error
 	Store       store.KeyValueStore
 	ChannelMode string
+	TlsSettings tls.TlsSettings
 }
 
 // NewService creates a new Service object.

cns/configuration/cns_config.json

@@ -14,5 +14,9 @@
         "NodeID": "",
         "NodeSyncIntervalInSeconds": 30
     },
-    "ChannelMode": "Direct"
+    "ChannelMode": "Direct",
+    "UseHTTPS" : false,
+    "TLSSubjectName" : "",
+    "TLSCertificatePath" : "",
+    "TLSEndpoint" : "localhost:10091"
 }

cns/configuration/configuration.go

@@ -17,9 +17,13 @@ const (
 )
 
 type CNSConfig struct {
-	TelemetrySettings TelemetrySettings
-	ManagedSettings   ManagedSettings
-	ChannelMode       string
+	TelemetrySettings  TelemetrySettings
+	ManagedSettings    ManagedSettings
+	ChannelMode        string
+	UseHTTPS           bool
+	TLSSubjectName     string
+	TLSCertificatePath string
+	TLSEndpoint        string
 }
 
 type TelemetrySettings struct {

cns/service.go

@@ -63,19 +63,23 @@ func (service *Service) Initialize(config *common.ServiceConfig) error {
 		if err != nil {
 			return err
 		}
-
 		// Create the listener.
 		listener, err := acn.NewListener(u)
 		if err != nil {
 			return err
 		}
-
+		if config.TlsSettings.TLSEndpoint != "" {
+			// Start the listener and HTTP and HTTPS server.
+			if err = listener.StartTLS(config.ErrChan, config.TlsSettings); err != nil {
+				return err
+			}
+		}
 		// Start the listener.
-		err = listener.Start(config.ErrChan)
-		if err != nil {
+		// continue to listen on the normal endpoint for http traffic, this will be supported
+		// for sometime until partners migrate fully to https
+		if err = listener.Start(config.ErrChan); err != nil {
 			return err
 		}
-
 		config.Listener = listener
 	}
 

cns/service/main.go

@@ -8,6 +8,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	localtls "github.com/Azure/azure-container-networking/server/tls"
 	"net/http"
 	"os"
 	"os/signal"
@@ -424,6 +425,14 @@ func main() {
 
 	// Start CNS.
 	if httpRestService != nil {
+		if cnsconfig.UseHTTPS {
+			config.TlsSettings = localtls.TlsSettings{
+				TLSSubjectName:     cnsconfig.TLSSubjectName,
+				TLSCertificatePath: cnsconfig.TLSCertificatePath,
+				TLSEndpoint:        cnsconfig.TLSEndpoint,
+			}
+		}
+
 		err = httpRestService.Start(&config)
 		if err != nil {
 			logger.Errorf("Failed to start CNS, err:%v.\n", err)

common/listener.go

@@ -4,8 +4,10 @@
 package common
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	localtls "github.com/Azure/azure-container-networking/server/tls"
 	"net"
 	"net/http"
 	"net/url"
@@ -16,13 +18,14 @@ import (
 
 // Listener represents an HTTP listener.
 type Listener struct {
-	URL          *url.URL
-	protocol     string
-	localAddress string
-	endpoints    []string
-	active       bool
-	l            net.Listener
-	mux          *http.ServeMux
+	URL            *url.URL
+	protocol       string
+	localAddress   string
+	endpoints      []string
+	active         bool
+	l              net.Listener
+	securelistener net.Listener
+	mux            *http.ServeMux
 }
 
 // NewListener creates a new Listener.
@@ -38,6 +41,66 @@ func NewListener(u *url.URL) (*Listener, error) {
 	return &listener, nil
 }
 
+func GetTlsConfig(tlsSettings localtls.TlsSettings) (*tls.Config, error) {
+	tlsCertRetriever, err := localtls.GetTlsCertificateRetriever(tlsSettings)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get certificate retriever %+v", err)
+	}
+	leafCertificate, err := tlsCertRetriever.GetCertificate()
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get certificate %+v", err)
+	}
+	if leafCertificate == nil {
+		return nil, fmt.Errorf("Certificate retrival returned empty %+v", err)
+	}
+	privateKey, err := tlsCertRetriever.GetPrivateKey()
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get certificate private key %+v", err)
+	}
+	tlsCert := tls.Certificate{
+		Certificate: [][]byte{leafCertificate.Raw},
+		PrivateKey:  privateKey,
+		Leaf:        leafCertificate,
+	}
+	tlsConfig := &tls.Config{
+		MaxVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS12,
+		Certificates: []tls.Certificate{
+			tlsCert,
+		},
+	}
+	return tlsConfig, nil
+}
+
+// Start creates the listener socket and starts the HTTPS server.
+func (listener *Listener) StartTLS(errChan chan error, tlsSettings localtls.TlsSettings) error {
+	tlsConfig, err := GetTlsConfig(tlsSettings)
+	if err != nil {
+		log.Printf("[Listener] Failed to compose Tls Configuration with errror: %+v", err)
+		return err
+	}
+	server := http.Server{
+		TLSConfig: tlsConfig,
+		Handler:   listener.mux,
+	}
+
+	// listen on a seperate endpoint for secure tls connections
+	listener.securelistener, err = net.Listen(listener.protocol, tlsSettings.TLSEndpoint)
+	if err != nil {
+		log.Printf("[Listener] Failed to listen on TlsEndpoint: %+v", err)
+		return err
+	}
+	log.Printf("[Listener] Started listening on tls endpoint %s.", tlsSettings.TLSEndpoint)
+
+	// Launch goroutine for servicing https requests
+	go func() {
+		errChan <- server.ServeTLS(listener.securelistener, "", "")
+	}()
+
+	listener.active = true
+	return nil
+}
+
 // Start creates the listener socket and starts the HTTP server.
 func (listener *Listener) Start(errChan chan error) error {
 	var err error
@@ -75,6 +138,11 @@ func (listener *Listener) Stop() {
 	// Stop servicing requests.
 	listener.l.Close()
 
+	if listener.securelistener != nil {
+		// Stop servicing requests on secure listener
+		listener.securelistener.Close()
+	}
+
 	// Delete the unix socket.
 	if listener.protocol == "unix" {
 		os.Remove(listener.localAddress)

go.mod

@@ -27,6 +27,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.3.2
 	go.opencensus.io v0.22.2 // indirect
+	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
 	golang.org/x/net v0.0.0-20191112182307-2180aed22343 // indirect
 	golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
@@ -36,4 +37,5 @@ require (
 	k8s.io/apimachinery v0.18.2
 	k8s.io/client-go v0.18.2
 	sigs.k8s.io/controller-runtime v0.6.0
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20201102150903-66718f75db0e
 )

go.sum

@@ -630,3 +630,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20201102150903-66718f75db0e h1:GP6k9CR+zxSHXs+agkNmd7ucZ/YuPY8vRRaKMGIFuWE=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20201102150903-66718f75db0e/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=