feat: add TLS support for KMS server

Add ability to start the KMS server with TLS support by passing a TLS certificate and corresponding key to it. Signed-off-by: greenpsi <git@psinet.dev>
siderolabs · Nov 4, 2024 · b409d93 · b409d93
1 parent 4233ecd
commit b409d93
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/cmd/kms-server/main.go b/cmd/kms-server/main.go
@@ -16,6 +16,7 @@ import (
 
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 
 	"github.com/siderolabs/kms-client/api/kms"
 	"github.com/siderolabs/kms-client/pkg/server"
@@ -24,11 +25,17 @@ import (
 var kmsFlags struct {
 	apiEndpoint string
 	keyPath     string
+	tlsEnable   bool
+	tlsCertPath string
+	tlsKeyPath  string
 }
 
 func main() {
 	flag.StringVar(&kmsFlags.apiEndpoint, "kms-api-endpoint", ":4050", "gRPC API endpoint for the KMS")
 	flag.StringVar(&kmsFlags.keyPath, "key-path", "", "encryption key path")
+	flag.BoolVar(&kmsFlags.tlsEnable, "tls-enable", false, "whether to enable tls or not")
+	flag.StringVar(&kmsFlags.tlsCertPath, "tls-cert-path", "", "encryption key path")
+	flag.StringVar(&kmsFlags.tlsKeyPath, "tls-key-path", "", "encryption key path")
 	flag.Parse()
 
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
@@ -51,7 +58,18 @@ func run(ctx context.Context) error {
 
 	srv := server.NewServer(func(context.Context, string) ([]byte, error) { return key, nil })
 
-	s := grpc.NewServer()
+	var s *grpc.Server
+
+	if kmsFlags.tlsEnable {
+		creds, err := credentials.NewServerTLSFromFile(kmsFlags.tlsCertPath, kmsFlags.tlsKeyPath)
+		if err != nil {
+			return fmt.Errorf("failed to create credentials: %w", err)
+		}
+		s = grpc.NewServer(grpc.Creds(creds))
+	} else {
+		s = grpc.NewServer()
+	}
+
 	kms.RegisterKMSServiceServer(s, srv)
 
 	lis, err := net.Listen("tcp", kmsFlags.apiEndpoint)