From 32109b3d10f8288ae151cc459fdae38e3923a18b Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Thu, 14 Oct 2021 14:32:10 +0200 Subject: [PATCH] Listen with TLS if configured (#746) Add flags to enable listening on TLS. --- CHANGELOG.md | 1 + Dockerfile | 2 +- README.md | 13 ++++++++++++- main.go | 14 +++++++++++++- 4 files changed, 27 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8048b1d87..4143f8c5d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * Configuration file path can be selected with the `-config` flag. [#745](https://github.com/elastic/package-registry/pull/745) * Configuration flags can be provided using environment variables. [#745](https://github.com/elastic/package-registry/pull/745) +* Add `-tls-cert` and `-tls-key` flags to configure HTTPS. [#711](https://github.com/elastic/package-registry/issues/711) [#746](https://github.com/elastic/package-registry/issues/746) ### Deprecated diff --git a/Dockerfile b/Dockerfile index fedc79af1..514349df9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,7 +32,7 @@ EXPOSE 8080 ENTRYPOINT ["./package-registry"] # Make sure it's accessible from outside the container -CMD ["--address=0.0.0.0:8080"] +ENV EPR_ADDRESS=0.0.0.0:8080 HEALTHCHECK --interval=1s --retries=30 CMD curl --silent --fail localhost:8080/health || exit 1 diff --git a/README.md b/README.md index 9b767d61a..f95ddb405 100644 --- a/README.md +++ b/README.md 
@@ -112,7 +112,18 @@ docker run -p 8080:8080 {image id from prior step} **Commands ready to cut-and-paste** ``` docker build --rm -t docker.elastic.co/package-registry/package-registry:master . -docker run -i -t -p 8080:8080 $(docker images -q docker.elastic.co/package-registry/package-registry:master) +docker run -it -p 8080:8080 $(docker images -q docker.elastic.co/package-registry/package-registry:master) +``` + +**Listening on HTTPS** +``` +docker run -it -p 8443:8443 \ + -v /etc/ssl/package-registry.key:/etc/ssl/package-registry.key:ro \ + -v /etc/ssl/package-registry.crt:/etc/ssl/package-registry.crt:ro \ + -e EPR_ADDRESS=0.0.0.0:8443 + -e EPR_TLS_KEY=/etc/ssl/package-registry.key \ + -e EPR_TLS_CERT=/etc/ssl/package-registry.crt \ + docker.elastic.co/package-registry/package-registry:master ``` #### Docker images published diff --git a/main.go b/main.go index 3331ec021..423e8bdde 100644 --- a/main.go +++ b/main.go @@ -37,6 +37,9 @@ var ( address string httpProfAddress string + tlsCertFile string + tlsKeyFile string + dryRun bool configPath string @@ -50,6 +53,8 @@ var ( func init() { flag.StringVar(&address, "address", "localhost:8080", "Address of the package-registry service.") + flag.StringVar(&tlsCertFile, "tls-cert", "", "Path of the TLS certificate.") + flag.StringVar(&tlsKeyFile, "tls-key", "", "Path of the TLS key.") flag.StringVar(&configPath, "config", "config.yml", "Path to the configuration file.") flag.StringVar(&httpProfAddress, "httpprof", "", "Enable HTTP profiler listening on the given address.") // This flag is experimental and might be removed in the future or renamed @@ -74,7 +79,7 @@ func main() { server := initServer() go func() { - err := server.ListenAndServe() + err := runServer(server) if err != nil && err != http.ErrServerClosed { log.Fatalf("Error occurred while serving: %s", err) } 
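Review bot: The help strings added in init for `-tls-cert` and `-tls-key` do not say that the two flags only take effect together, which is what runServer requires, so `-help` (and the `EPR_TLS_*` environment mapping the README relies on) leaves the contract implicit. Something like `"Path of the TLS certificate. Set together with -tls-key to serve HTTPS."` and the matching sentence on `-tls-key` makes it explicit. Separately, the HTTPS example added to README.md in this commit lacks a trailing `\` after `-e EPR_ADDRESS=0.0.0.0:8443`, which splits the `docker run` command in two when pasted.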
@@ -130,6 +135,13 @@ func initServer() *http.Server { return &http.Server{Addr: address, Handler: router} } +func runServer(server *http.Server) error { + if tlsCertFile != "" && tlsKeyFile != "" { + return server.ListenAndServeTLS(tlsCertFile, tlsKeyFile) + } + return server.ListenAndServe() +} + func initAPMTracer() *apm.Tracer { apm.DefaultTracer.Close() if _, found := os.LookupEnv("ELASTIC_APM_SERVER_URL"); !found {
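Review bot: runServer falls back to plain HTTP whenever only one of tlsCertFile/tlsKeyFile is set, so a typo in one of the two `EPR_TLS_*` variables silently yields an unencrypted listener instead of a startup error. Rejecting the half-configured case before the existing check, `if (tlsCertFile != "") != (tlsKeyFile != "") { return errors.New("-tls-cert and -tls-key must be set together") }`, surfaces it through the log.Fatalf path already in main (the `errors` package would need to be imported if it is not already). The http.Server returned by initServer (the context line at the top of the hunk) carries no TLSConfig, so ListenAndServeTLS runs with Go's server-side defaults, whose minimum protocol version is likely below TLS 1.2; consider `TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}` there. initServer begins and initAPMTracer continues outside this hunk.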