clair: allow TLS for API server

This change allows Clair to serve its API over TLS (and HTTP/2). Serving a private API over TLS is generally a pain due to certificate management and naming issues. However, if required by site policy, it's now possible without using a sidecar service. Any reasonably complex Clair deployment will be non-homogeneous, meaning an application-level load balancer is required. This load balancer will have to decrypt and re-encrypt the traffic. That is to say, load balancing based on SNI or TCP connections will not work. As there are several ways to configure this across several different software stacks, it is left as an exercise for the reader. See-also: PROJQUAY-2757 Signed-off-by: Hank Donnay <hdonnay@redhat.com>
quay · Dec 7, 2021 · 11cb491 · 11cb491
1 parent 1b4a736
commit 11cb491
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/Documentation/reference/config.md b/Documentation/reference/config.md
@@ -52,6 +52,7 @@ documentation on defaults and use.
 http_listen_addr: ""
 introspection_addr: ""
 log_level: ""
+tls: {}
 indexer:
     connstring: ""
     scanlock_retry: 0
@@ -134,6 +135,16 @@ One of the following strings:
 * fatal
 * panic
 
+### `$.tls`
+TLS is a map containing the config for serving the HTTP API over TLS (and
+HTTP/2).
+
+#### `$.tls.cert`
+The TLS certificate to be used. Must be a full-chain certificate, as in nginx.
+
+#### `$.tls.key`
+A key file for the TLS certificate. Encryption is not supported on the key.
+
 ### `$.indexer`
 Indexer provides Clair Indexer node configuration.
 

diff --git a/cmd/clair/main.go b/cmd/clair/main.go
@@ -2,9 +2,11 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	golog "log"
+	"net"
 	"net/http"
 	"os"
 	"os/signal"
@@ -115,9 +117,21 @@ func main() {
 		if err != nil {
 			return fmt.Errorf("http transport configuration failed: %w", err)
 		}
+		l, err := net.Listen("tcp", conf.HTTPListenAddr)
+		if err != nil {
+			return fmt.Errorf("http transport configuration failed: %w", err)
+		}
+		if conf.TLS != nil {
+			cfg, err := conf.TLS.Config()
+			if err != nil {
+				return fmt.Errorf("tls configuration failed: %w", err)
+			}
+			cfg.NextProtos = []string{"h2"}
+			l = tls.NewListener(l, cfg)
+		}
 		down.Add(h.Server)
 		health.Ready()
-		if err := h.ListenAndServe(); err != http.ErrServerClosed {
+		if err := h.Serve(l); err != http.ErrServerClosed {
 			return fmt.Errorf("http transport failed to launch: %w", err)
 		}
 		return nil