cmd: add TLS flags for gateway server

Signed-off-by: Jimmy Zelinskie <jimmy@zelinskie.com>
authzed · Oct 25, 2021 · 06fee34 · 06fee34
1 parent f42234a
commit 06fee34
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 13 deletions.
diff --git a/cmd/spicedb/root.go b/cmd/spicedb/root.go
@@ -16,12 +16,12 @@ func newRootCmd() *cobra.Command {
 		PersistentPreRunE: persistentPreRunE,
 		TraverseChildren:  true,
 		Example: fmt.Sprintf(`	%s:
-		spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
+		spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls --http-no-tls
 
 	%s:
-		spicedb serve --grpc-preshared-key "realkeyhere" --grpc-cert-path path/to/tls/cert
-	        		  --grpc-key-path path/to/tls/key --datastore-engine postgres
-	        		  --datastore-conn-uri "postgres-connection-string-here"
+		spicedb serve --grpc-preshared-key "realkeyhere" --grpc-cert-path path/to/tls/cert --grpc-key-path path/to/tls/key \
+			--http-cert-path path/to/tls/cert --http-key-path path/to/tls/key \
+			--datastore-engine postgres --datastore-conn-uri "postgres-connection-string-here"
 	%s:
 		spicedb serve-testing
 `,

diff --git a/cmd/spicedb/serve.go b/cmd/spicedb/serve.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -51,12 +52,12 @@ func registerServeCmd(rootCmd *cobra.Command) {
 		PersistentPreRunE: persistentPreRunE,
 		Run:               serveRun,
 		Example: fmt.Sprintf(`	%s:
-		spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls
+		spicedb serve --grpc-preshared-key "somerandomkeyhere" --grpc-no-tls --http-no-tls
 
 	%s:
-		spicedb serve --grpc-preshared-key "realkeyhere" --grpc-cert-path path/to/tls/cert
-	        		  --grpc-key-path path/to/tls/key --datastore-engine postgres
-	        		  --datastore-conn-uri "postgres-connection-string-here"
+		spicedb serve --grpc-preshared-key "realkeyhere" --grpc-cert-path path/to/tls/cert --grpc-key-path path/to/tls/key \
+			--http-cert-path path/to/tls/cert --http-key-path path/to/tls/key \
+			--datastore-engine postgres --datastore-conn-uri "postgres-connection-string-here"
 `, color.YellowString("No TLS and in-memory"), color.GreenString("TLS and a real datastore")),
 	}
 
@@ -103,6 +104,9 @@ func registerServeCmd(rootCmd *cobra.Command) {
 
 	// Flags for HTTP gateway
 	serveCmd.Flags().String("http-addr", ":443", "address to listen for HTTP API requests")
+	serveCmd.Flags().Bool("http-no-tls", false, "serve HTTP API requests unencrypted")
+	serveCmd.Flags().String("http-cert-path", "", "local path to the TLS certificate used to serve HTTP API requests")
+	serveCmd.Flags().String("http-key-path", "", "local path to the TLS key used to serve HTTP API requests")
 
 	// Flags for configuring dispatch behavior
 	serveCmd.Flags().Uint32("dispatch-max-depth", 50, "maximum recursion depth for nested calls")
@@ -385,15 +389,28 @@ func serveRun(cmd *cobra.Command, args []string) {
 		Addr:                cobrautil.MustGetStringExpanded(cmd, "http-addr"),
 		UpstreamAddr:        cobrautil.MustGetStringExpanded(cmd, "grpc-addr"),
 		UpstreamTlsDisabled: cobrautil.MustGetBool(cmd, "grpc-no-tls"),
-		UpstreamTlsCaPath:   cobrautil.MustGetStringExpanded(cmd, "grpc-cert-path"),
+		UpstreamTlsCertPath: cobrautil.MustGetStringExpanded(cmd, "grpc-cert-path"),
 	})
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to initialize rest gateway")
 	}
 	go func() {
 		log.Info().Str("addr", gatewaySrv.Addr).Msg("rest gateway server started listening")
-		if err := gatewaySrv.ListenAndServe(); err != http.ErrServerClosed {
-			log.Fatal().Err(err).Msg("failed while serving rest gateway")
+		if cobrautil.MustGetBool(cmd, "http-no-tls") {
+			if err := gatewaySrv.ListenAndServe(); err != http.ErrServerClosed {
+				log.Fatal().Err(err).Msg("failed while serving rest gateway")
+			}
+		} else {
+			certPath := cobrautil.MustGetStringExpanded(cmd, "http-cert-path")
+			keyPath := cobrautil.MustGetStringExpanded(cmd, "http-key-path")
+			if certPath == "" || keyPath == "" {
+				errStr := "failed to start http server: must provide either --http-no-tls or --http-cert-path and --http-key-path"
+				log.Fatal().Err(errors.New(errStr)).Msg("failed to create http server")
+			}
+
+			if err := gatewaySrv.ListenAndServeTLS(certPath, keyPath); err != http.ErrServerClosed {
+				log.Fatal().Err(err).Msg("failed while serving rest gateway")
+			}
 		}
 	}()
 

diff --git a/internal/gateway/gateway.go b/internal/gateway/gateway.go
@@ -28,7 +28,7 @@ type Config struct {
 	Addr                string
 	UpstreamAddr        string
 	UpstreamTlsDisabled bool
-	UpstreamTlsCaPath   string
+	UpstreamTlsCertPath string
 }
 
 // NewHttpServer initializes a new HTTP server with the provided configuration.
@@ -37,7 +37,7 @@ func NewHttpServer(ctx context.Context, cfg Config) (*http.Server, error) {
 	if cfg.UpstreamTlsDisabled {
 		opts = append(opts, grpc.WithInsecure())
 	} else {
-		opts = append(opts, grpcutil.WithCustomCerts(cfg.UpstreamTlsCaPath, grpcutil.SkipVerifyCA))
+		opts = append(opts, grpcutil.WithCustomCerts(cfg.UpstreamTlsCertPath, grpcutil.SkipVerifyCA))
 	}
 
 	mux := runtime.NewServeMux(runtime.WithMetadata(auth.PresharedKeyAnnotator))