feat: use tls (#7)

.github/workflows/build-images.yml

@@ -28,6 +28,8 @@ jobs:
           # generate Docker tags based on the following events/attributes
           tags: |
             type=ref,event=branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,prefix={{branch}}-
             type=semver,pattern=v{{version}}
             type=semver,pattern=v{{major}}.{{minor}}
             type=semver,pattern=v{{major}}

.gitignore

@@ -20,3 +20,6 @@ bin
 
 # Go workspace file
 go.work
+
+# Local certs
+certs/*.pem

Makefile

@@ -1,5 +1,5 @@
 # Version is derived from tags
-VERSION ?= $(shell git describe --dirty --always --tags | sed 's/-/./2' | sed 's/-/./2')
+VERSION ?= $(shell git describe --dirty --always --tags)
 
 # REGISTRY_HOST defines the registry and organization used to publish the images.
 # Use localhost:5000 for the local registry
@@ -48,6 +48,12 @@ fmt: ## Run go fmt against code.
 vet: ## Run go vet against code.
 	go vet ./...
 
+.PHONY: local-certs
+local-certs: certs/cert.pem ## generate local certs
+
+certs/cert.pem:
+	mkcert -install -cert-file=certs/cert.pem -key-file=certs/key.pem localhost
+
 ##@ Build
 
 .PHONY: build
@@ -57,6 +63,11 @@ build: generate fmt vet ## Build server binary.
 .PHONY: run
 run: generate fmt vet ## Run a server from your host.
 	@echo "Listening on http://localhost:8082"
+	NO_TLS=true go run ./main.go
+
+.PHONY: run-tls
+run-tls: generate fmt vet local-certs ## Run a server from your host.
+	@echo "Listening on https://localhost:8082"
 	go run ./main.go
 
 # If you wish to build the version service image targeting other platforms you can use the --platform flag.
@@ -72,7 +83,7 @@ docker-push: ## Push docker image with the version service.
 
 .PHONY: docker-run-it
 docker-run-it: docker-build ## Run docker image
-	docker run -it --rm -p 8082:8082 ${IMG}
+	docker run -it --rm -p 8082:8082 -e NO_TLS=true ${IMG}
 
 ##@ Build Dependencies
 

README.md

@@ -1,11 +1,19 @@
 # KSD Version Service
+
 KSD Version service provides an API to access the supported versions of KSD 
 and its dependencies.
 
 For each version of the operator, there is a file in the `data` directory that 
 contains a list of supported components for that version.
 
 ## Running locally
+
 ```bash
 make run
 ```
+
+To run with tls, make sure that [`mkcert`](https://github.com/FiloSottile/mkcert) is installed, then run
+
+```bash
+make run-tls
+```

deploy.yaml

@@ -18,12 +18,15 @@ spec:
         name: koor-version-service
     spec:
       containers:
-      - image: koorinc/version-service:master-8ac1b21
+      - image: koorinc/version-service:main
         imagePullPolicy: Always
         name: koor-version-service
         ports:
         - containerPort: 8082
           protocol: TCP
+        env:
+        - name: NO_TLS
+          value: "true"
 ---
 apiVersion: v1
 kind: Service
@@ -33,7 +36,7 @@ metadata:
   name: koor-version-service
 spec:
   ports:
-  - port: 8082
+  - port: 80
     protocol: TCP
     targetPort: 8082
   selector:

main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"net/http"
+	"os"
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -31,9 +32,25 @@ func main() {
 	mux := http.NewServeMux()
 	path, handler := apiv1connect.NewVersionServiceHandler(vs)
 	mux.Handle(path, handler)
-	http.ListenAndServe(
-		":8082",
-		// Use h2c so we can serve HTTP/2 without TLS.
-		h2c.NewHandler(mux, &http2.Server{}),
-	)
+
+	connectPort := os.Getenv("CONNECT_PORT")
+	if connectPort == "" {
+		connectPort = "8082"
+	}
+
+	useTLS := os.Getenv("NO_TLS") != "true"
+	if useTLS {
+		http.ListenAndServeTLS(
+			":"+connectPort,
+			"certs/cert.pem",
+			"certs/key.pem",
+			mux,
+		)
+	} else {
+		http.ListenAndServe(
+			":"+connectPort,
+			// Use h2c so we can serve HTTP/2 without TLS.
+			h2c.NewHandler(mux, &http2.Server{}),
+		)
+	}
 }