package main
import (
	"context"
	"errors"
	"fmt"
	"log/slog"
	"net"
	"net/http"
	"strconv"
	"time"

	"github.com/RealImage/bifrost/cafiles"
	"github.com/RealImage/bifrost/internal/webapp"
	"github.com/RealImage/bifrost/tinyca"
	"github.com/urfave/cli/v2"
)
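// Timeouts applied to the CA's HTTP server. A zero-value http.Server has no
// read, header or idle timeout, so a client that opens a connection and never
// finishes sending its headers holds a handler goroutine forever and idle
// keep-alive connections are never reclaimed. These bound that exposure.
// WriteTimeout is intentionally not set: the web interface can serve static
// files of unknown size from webStaticPath.
const (
	serverReadHeaderTimeout = 10 * time.Second
	serverReadTimeout       = 30 * time.Second
	serverIdleTimeout       = 2 * time.Minute
	// serverShutdownTimeout bounds how long in-flight requests may run once the
	// command's context is cancelled before the listener is torn down anyway.
	serverShutdownTimeout = 10 * time.Second
)

var (
	// Flag destinations for the certificate-authority command; populated by
	// urfave/cli before Action runs.
	caHost        string // address to bind to ("localhost" by default)
	caPort        int    // TCP port to bind to (1-65535)
	webEnabled    bool   // mount the web interface routes
	webStaticPath string // directory the web interface serves static files from
	exposeMetrics bool   // mount the Prometheus metrics handler on GET /metrics

	// caCmd is the "certificate-authority" (alias "ca") subcommand. It loads
	// the CA certificate and private key from caCertUri/caPrivKeyUri, wires the
	// issuing endpoint (and optionally metrics and the web UI) onto a mux, and
	// serves until the server fails or the command's context is cancelled.
	caCmd = &cli.Command{
		Name:    "certificate-authority",
		Aliases: []string{"ca"},
		Flags: []cli.Flag{
			caCertFlag,
			caPrivKeyFlag,
			&cli.StringFlag{
				Name:        "host",
				Usage:       "listen on `HOST`",
				Aliases:     []string{"H"},
				EnvVars:     []string{"HOST"},
				Value:       "localhost",
				Destination: &caHost,
				// An empty host would bind every interface; require it to be explicit.
				Action: func(_ *cli.Context, h string) error {
					if h == "" {
						return errors.New("host cannot be empty")
					}
					return nil
				},
			},
			&cli.IntFlag{
				Name:        "port",
				Usage:       "listen on `PORT`",
				Aliases:     []string{"p"},
				EnvVars:     []string{"PORT"},
				Value:       8008,
				Destination: &caPort,
				Action: func(_ *cli.Context, p int) error {
					if p < 1 || p > 65535 {
						return errors.New("port must be between 1 and 65535")
					}
					return nil
				},
			},
			&cli.BoolFlag{
				Name:        "web",
				Usage:       "enable web interface",
				Aliases:     []string{"w"},
				EnvVars:     []string{"WEB"},
				Destination: &webEnabled,
			},
			&cli.PathFlag{
				Name:        "web-static-path",
				Usage:       "read web static files from `PATH`",
				EnvVars:     []string{"WEB_STATIC_PATH"},
				Destination: &webStaticPath,
			},
			&cli.BoolFlag{
				Name:        "metrics",
				Usage:       "expose Prometheus metrics",
				EnvVars:     []string{"METRICS"},
				Value:       false,
				Destination: &exposeMetrics,
			},
		},
		// Action builds the CA server and blocks while it runs. Every failure
		// is reported through cli.Exit with status 1 so the process exit code
		// reflects it.
		Action: func(cliCtx *cli.Context) error {
			ctx := cliCtx.Context

			cert, key, err := cafiles.GetCertKey(ctx, caCertUri, caPrivKeyUri)
			if err != nil {
				return cli.Exit(fmt.Sprintf("Error reading cert/key: %s", err), 1)
			}

			mux := http.NewServeMux()
			if exposeMetrics {
				slog.DebugContext(ctx, "metrics enabled")
				mux.HandleFunc("GET /metrics", webapp.MetricsHandler)
			}

			ca, err := tinyca.New(cert, key)
			if err != nil {
				return cli.Exit(fmt.Sprintf("Error creating CA: %s", err), 1)
			}
			mux.Handle("POST /issue", ca)

			nss := cert.Namespace.String()
			mux.HandleFunc("GET /namespace", func(w http.ResponseWriter, _ *http.Request) {
				fmt.Fprint(w, nss)
			})

			if webEnabled {
				slog.DebugContext(ctx, "web enabled", "staticFiles", webStaticPath)
				webapp.AddRoutes(mux, webStaticPath, cert.Namespace)
			}

			// net.JoinHostPort brackets IPv6 literals ("[::1]:8008"); the
			// "%s:%d" form produced "::1:8008", which net.Listen rejects.
			addr := net.JoinHostPort(caHost, strconv.Itoa(caPort))
			server := &http.Server{
				Addr:              addr,
				Handler:           webapp.RequestLogHandler(mux),
				ReadHeaderTimeout: serverReadHeaderTimeout,
				ReadTimeout:       serverReadTimeout,
				IdleTimeout:       serverIdleTimeout,
			}

			slog.InfoContext(ctx, "starting server", "address", addr, "namespace", nss)
			return serveUntilCancelled(ctx, server)
		},
	}
)

// serveUntilCancelled runs srv until ListenAndServe returns or ctx is done.
// On cancellation it drains in-flight requests for up to serverShutdownTimeout
// via srv.Shutdown. http.ErrServerClosed is the expected result of Shutdown
// and is not reported as an error. Whether ctx is ever cancelled depends on
// how the root command wires its context (not visible here); if it never is,
// this behaves exactly like a bare ListenAndServe.
//
// Returns nil on a clean stop, or a cli.Exit error (status 1) when the server
// fails to start/serve or does not shut down within the timeout.
func serveUntilCancelled(ctx context.Context, srv *http.Server) error {
	// Buffered so the serving goroutine can always deliver its result and
	// exit, even when we have already returned on the ctx.Done branch.
	errCh := make(chan error, 1)
	go func() {
		errCh <- srv.ListenAndServe()
	}()

	select {
	case err := <-errCh:
		if err != nil && !errors.Is(err, http.ErrServerClosed) {
			return cli.Exit(fmt.Sprintf("Error starting server: %s", err), 1)
		}
		return nil
	case <-ctx.Done():
		// ctx is already cancelled, so Shutdown needs its own deadline.
		shutdownCtx, cancel := context.WithTimeout(context.Background(), serverShutdownTimeout)
		defer cancel()
		if err := srv.Shutdown(shutdownCtx); err != nil {
			return cli.Exit(fmt.Sprintf("Error shutting down server: %s", err), 1)
		}
		return nil
	}
}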