Merge pull request #802 from answer1991/feature/webhook-support-mtls

k8s-ci-robot · web-flow · commit 28f24de0fb19 · 2020-03-04T15:20:39.000-08:00
✨enable webhook server set-up mTLS service to verify client's certificate
diff --git a/pkg/webhook/server.go b/pkg/webhook/server.go
@@ -19,7 +19,9 @@ package webhook
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"os"
@@ -54,9 +56,13 @@ type Server struct {
 	// CertName is the server certificate name. Defaults to tls.crt.
 	CertName string
 
-	// CertName is the server key name. Defaults to tls.key.
+	// KeyName is the server key name. Defaults to tls.key.
 	KeyName string
 
+	// ClientCAName is the CA certificate name which server used to verify remote(client)'s certificate.
+	// Defaults to "", which means server does not verify client's certificate.
+	ClientCAName string
+
 	// WebhookMux is the multiplexer that handles different webhooks.
 	WebhookMux *http.ServeMux
 
@@ -168,6 +174,23 @@ func (s *Server) Start(stop <-chan struct{}) error {
 		GetCertificate: certWatcher.GetCertificate,
 	}
 
+	// load CA to verify client certificate
+	if s.ClientCAName != "" {
+		certPool := x509.NewCertPool()
+		clientCABytes, err := ioutil.ReadFile(filepath.Join(s.CertDir, s.ClientCAName))
+		if err != nil {
+			return fmt.Errorf("failed to read client CA cert: %v", err)
+		}
+
+		ok := certPool.AppendCertsFromPEM(clientCABytes)
+		if !ok {
+			return fmt.Errorf("failed to append client CA cert to CA pool")
+		}
+
+		cfg.ClientCAs = certPool
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
 	listener, err := tls.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(int(s.Port))), cfg)
 	if err != nil {
 		return err
