package main import ( "bytes" "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "log" "math/big" "net" "net/http" "time" ) func main() { // setup certs fmt.Printf("Initializing certificates...\n") serverTLSConf, clientTLSConf, caPEM, err := certsetup() if err != nil { panic(err) } s := Server{ ServerTLSConf: serverTLSConf, ClientTLSConf: clientTLSConf, CaPEM: caPEM, } go func() { handler := http.NewServeMux() handler.HandleFunc("/ca.pem", s.getCA) fmt.Printf("Starting localhost http server on :8080 with ca.pem endpoint\n") err = http.ListenAndServe("localhost:8080", handler) if err != nil { log.Fatal(err) } }() // start TLS server fmt.Printf("Starting TLS server on :8443\n") handler := http.NewServeMux() handler.HandleFunc("/webhook", s.postWebhook) https := &http.Server{ Addr: ":8443", TLSConfig: serverTLSConf, Handler: handler, } log.Fatal(https.ListenAndServeTLS("", "")) } // certsetup adapted from https://gist.github.com/shaneutt/5e1995295cff6721c89a71d13a71c251 func certsetup() (serverTLSConf *tls.Config, clientTLSConf *tls.Config, caPEMBytes []byte, err error) { // set up our CA certificate ca := &x509.Certificate{ SerialNumber: big.NewInt(2019), Subject: pkix.Name{ Organization: []string{"Company, INC."}, Country: []string{"US"}, Province: []string{""}, Locality: []string{"San Francisco"}, StreetAddress: []string{"Golden Gate Bridge"}, PostalCode: []string{"94016"}, }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, } // create our private and public key caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) if err != nil { return nil, nil, []byte{}, err } // create the CA caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) if err != nil { return nil, nil, []byte{}, err } // pem encode caPEM := new(bytes.Buffer) pem.Encode(caPEM, &pem.Block{ Type: "CERTIFICATE", Bytes: caBytes, }) caPrivKeyPEM := new(bytes.Buffer) pem.Encode(caPrivKeyPEM, &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey), }) // set up our server certificate cert := &x509.Certificate{ SerialNumber: big.NewInt(2019), Subject: pkix.Name{ Organization: []string{"Company, INC."}, Country: []string{"US"}, Province: []string{""}, Locality: []string{"San Francisco"}, StreetAddress: []string{"Golden Gate Bridge"}, PostalCode: []string{"94016"}, }, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), SubjectKeyId: []byte{1, 2, 3, 4, 6}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{"mutatingwebhook.mutatingwebhook.svc"}, } certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) if err != nil { return nil, nil, []byte{}, err } certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey) if err != nil { return nil, nil, []byte{}, err } certPEM := new(bytes.Buffer) pem.Encode(certPEM, &pem.Block{ Type: "CERTIFICATE", Bytes: certBytes, }) certPrivKeyPEM := new(bytes.Buffer) pem.Encode(certPrivKeyPEM, &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), }) serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes()) if err != nil { return nil, nil, []byte{}, err } serverTLSConf = &tls.Config{ Certificates: []tls.Certificate{serverCert}, } certpool := x509.NewCertPool() certpool.AppendCertsFromPEM(caPEM.Bytes()) clientTLSConf = &tls.Config{ RootCAs: certpool, } caPEMBytes = caPEM.Bytes() return }