feat: implement mTLS API server with client certificate verification in kat-agent

Tanishq Dubey 2025-05-17 11:36:52 -04:00
parent 9e63518308
commit 8f1944ba15
No known key found for this signature in database
GPG Key ID: CFC1931B84DFC3F9


@ -4,12 +4,14 @@ import (
"context"
"fmt"
"log"
"net/http"
"os"
"os/signal"
"path/filepath"
"syscall"
"time"
"git.dws.rip/dubey/kat/internal/api"
"git.dws.rip/dubey/kat/internal/config"
"git.dws.rip/dubey/kat/internal/leader"
"git.dws.rip/dubey/kat/internal/pki"
@ -208,6 +210,45 @@ func runInit(cmd *cobra.Command, args []string) {
parsedClusterConfig.Spec.ApiPort)
}
}
// Start API server with mTLS
log.Println("Starting API server with mTLS...")
apiAddr := fmt.Sprintf(":%d", parsedClusterConfig.Spec.ApiPort)
apiServer, err := api.NewServer(apiAddr, leaderCertPath, leaderKeyPath, caCertPath)
if err != nil {
log.Printf("Failed to create API server: %v", err)
} else {
// Register the join handler
apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) {
log.Printf("Received join request from %s", r.RemoteAddr)
w.WriteHeader(http.StatusOK)
w.Write([]byte("Join endpoint is operational"))
})
// Start the server in a goroutine
go func() {
if err := apiServer.Start(); err != nil && err != http.ErrServerClosed {
log.Printf("API server error: %v", err)
}
}()
// Add a shutdown hook to the leadership context
go func() {
<-leadershipCtx.Done()
log.Println("Leadership lost, shutting down API server...")
shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
if err := apiServer.Stop(shutdownCtx); err != nil {
log.Printf("Error shutting down API server: %v", err)
}
}()
log.Printf("API server started on port %d with mTLS", parsedClusterConfig.Spec.ApiPort)
log.Printf("Verification: API server requires client certificates signed by the cluster CA")
log.Printf("Test with: curl --cacert %s --cert <client_cert> --key <client_key> https://localhost:%d/internal/v1alpha1/join",
caCertPath, parsedClusterConfig.Spec.ApiPort)
}
log.Println("Initial leader setup complete. Waiting for leadership context to end or agent to be stopped.")
<-leadershipCtx.Done() // Wait until leadership is lost or context is cancelled by manager
},
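Review bot: The join stub registered via `RegisterJoinHandler` answers 200 to anyone who completed the TLS handshake without ever inspecting `r.TLS.PeerCertificates`, so every certificate the cluster CA has issued (another agent's, or the leader's own) can reach `/internal/v1alpha1/join`; the `ClientAuth` policy that enforces "signed by the cluster CA" lives in `api.NewServer`, outside this hunk, so I cannot confirm it is `RequireAndVerifyClientCert`. Even as a placeholder it would be safer to start the handler with `if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { http.Error(w, "client certificate required", http.StatusUnauthorized); return }` and leave a comment that the real implementation must authorize the peer identity (CN/SAN, role) rather than rely on CA signature alone. Separately, a `NewServer` error is only logged and the leader keeps running without a join endpoint, and a bind failure inside `Start()` is likewise only logged in a goroutine after `API server started on port %d with mTLS` has already been printed; consider treating either as a leadership-setup failure (`log.Fatalf`, or cancelling the leadership context) so the leader never sits in a half-configured state. `runInit` begins before and ends after this hunk, so I cannot see how the rest of it reacts to these errors.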