Add support for TLS to HTTP servers

We support TLS for gRPC clients, gRPC servers, and HTTP clients. HTTP servers are the only ones for which TLS is not supported. This is typically not an issue, because people generally put ingress controllers in front of HTTP servers. However, if people want to run Buildbarn in bare metal environments it may be useful to support this.
buildbarn · Jun 12, 2024 · 118cb9c · 118cb9c
1 parent a9d0937
commit 118cb9c
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 103 deletions.
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -21,17 +21,30 @@ func NewServersFromConfigurationAndServe(configurations []*configuration.ServerC
 				return err
 			}
 			authenticatedHandler := NewAuthenticatingHandler(handler, authenticator)
+
+			tlsConfig, err := util.NewTLSConfigFromServerConfiguration(configuration.Tls)
+			if err != nil {
+				return err
+			}
+
 			for _, listenAddress := range configuration.ListenAddresses {
 				server := http.Server{
-					Addr:    listenAddress,
-					Handler: authenticatedHandler,
+					Addr:      listenAddress,
+					Handler:   authenticatedHandler,
+					TLSConfig: tlsConfig,
 				}
 				group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
 					<-ctx.Done()
 					return server.Close()
 				})
 				group.Go(func(ctx context.Context, siblingsGroup, dependenciesGroup program.Group) error {
-					if err := server.ListenAndServe(); err != http.ErrServerClosed {
+					var err error
+					if tlsConfig == nil {
+						err = server.ListenAndServe()
+					} else {
+						err = server.ListenAndServeTLS("", "")
+					}
+					if err != http.ErrServerClosed {
 						return util.StatusWrapf(err, "Failed to launch HTTP server %#v", server.Addr)
 					}
 					return nil