1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
package main
import (
"context"
"fmt"
"io"
"log"
"net/http"
"time"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
)
// Worload API socket path
const socketPath = "unix:///tmp/agent.sock"
func main() {
if err := run(context.Background()); err != nil {
log.Fatal(err)
}
}
func run(ctx context.Context) error {
ctx, cancel := context.WithCancel(ctx)
defer cancel()
// Set up a `/` resource handler
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Println("Request received")
_, _ = io.WriteString(w, "Success!!!")
})
// Create a `workloadapi.X509Source`, it will connect to Workload API using provided socket.
// If socket path is not defined using `workloadapi.SourceOption`, value from environment variable `SPIFFE_ENDPOINT_SOCKET` is used.
source, err := workloadapi.NewX509Source(ctx, workloadapi.WithClientOptions(workloadapi.WithAddr(socketPath)))
if err != nil {
return fmt.Errorf("unable to create X509Source: %w", err)
}
defer source.Close()
// Allowed SPIFFE ID
clientID := spiffeid.RequireFromString("spiffe://example.org/client")
// Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/client`
tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID))
server := &http.Server{
Addr: ":8443",
TLSConfig: tlsConfig,
ReadHeaderTimeout: time.Second * 10,
}
if err := server.ListenAndServeTLS("", ""); err != nil {
return fmt.Errorf("failed to serve: %w", err)
}
return nil
}
|
