grepplabs
diff --git a/‎.github/workflows/build.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Earthfile‎
Lines changed: 24 additions & 0 deletions b/‎Earthfile‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 4 deletions b/‎README.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎cmd/server.go‎
Lines changed: 39 additions & 8 deletions b/‎cmd/server.go‎
Lines changed: 39 additions & 8 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/config/config.go‎
Lines changed: 14 additions & 3 deletions b/‎pkg/config/config.go‎
Lines changed: 14 additions & 3 deletions
@@ -12,7 +12,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Run build
         run: make clean build
       - name: Run test
 
@@ -19,7 +19,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Run build
         run: make clean build
       - name: Run test
 
@@ -0,0 +1 @@
+## Changelog
@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine3.16 as builder
+FROM golang:1.19-alpine3.16 as builder
 
 RUN apk add alpine-sdk ca-certificates
 
 
@@ -0,0 +1,24 @@
+VERSION 0.6
+FROM golang:1.19-alpine3.16
+WORKDIR "/code"
+RUN apk add alpine-sdk ca-certificates
+ARG BUILD_FLAGS='-tags musl'
+
+tidy:
+    LOCALLY
+    RUN go mod tidy
+
+fmt:
+    LOCALLY
+    RUN go fmt ./...
+
+build:
+    FROM +sources
+    RUN make BINARY=mqtt-proxy BUILD_FLAGS="${BUILD_FLAGS}" GOOS=linux GOARCH=amd64 build
+
+test:
+   FROM +sources
+   RUN go test -mod=vendor ${BUILD_FLAGS} -v ./...
+
+sources:
+    COPY . /code
@@ -2,7 +2,7 @@
 
 .PHONY: clean build fmt test
 
-TAG           ?= v0.0.2
+TAG           ?= v0.1.0
 
 BUILD_FLAGS   ?=
 BINARY        ?= mqtt-proxy
@@ -47,7 +47,7 @@ lint: ## Lint
 	golint $$(go list ./...) 2>&1
 
 test: ## Test
-	GO111MODULE=on go test -mod=vendor -v ./...
+	GO111MODULE=on go test -mod=vendor $(BUILD_FLAGS) -v ./...
 
 build: vet ## Build executable
 	CGO_ENABLED=1 GO111MODULE=on go build -mod=vendor -o $(BINARY) $(BUILD_FLAGS) -ldflags "$(LDFLAGS)" .
 
@@ -24,11 +24,10 @@ MQTT Proxy allows MQTT clients to send messages to other messaging systems
     * [x] Plain
     * [ ] Others
 * [x] Helm chart
+* [x] Client certificate revocation list
 * [ ] Server certificate rotation
-    * [ ] Self sign / intermediate certificates
-    * [ ] Let's Encrypt certificates
-    * [ ] HashiCorp Vault certificates
-    * [ ] K8S cert-manager
+    * [x] Files certificate source
+    * [ ] HashiCorp Vault certificate source
 
 
 ### Install binary release
 
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"crypto/tls"
 	"github.com/grepplabs/mqtt-proxy/apis"
 	authinst "github.com/grepplabs/mqtt-proxy/pkg/auth/instrument"
 	authnoop "github.com/grepplabs/mqtt-proxy/pkg/auth/noop"
@@ -14,7 +15,9 @@ import (
 	pubnoop "github.com/grepplabs/mqtt-proxy/pkg/publisher/noop"
 	httpserver "github.com/grepplabs/mqtt-proxy/pkg/server/http"
 	mqttserver "github.com/grepplabs/mqtt-proxy/pkg/server/mqtt"
-	"github.com/grepplabs/mqtt-proxy/pkg/tls"
+	servertls "github.com/grepplabs/mqtt-proxy/pkg/tls"
+	"github.com/grepplabs/mqtt-proxy/pkg/tls/cert/filesource"
+	tlscert "github.com/grepplabs/mqtt-proxy/pkg/tls/cert/source"
 	"github.com/oklog/run"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
@@ -42,9 +45,14 @@ func registerServer(m map[string]setupFunc, app *kingpin.Application) {
 	cmd.Flag("mqtt.reader-buffer-size", "Read buffer size pro tcp connection.").Default("1024").IntVar(&cfg.MQTT.ReaderBufferSize)
 	cmd.Flag("mqtt.writer-buffer-size", "Write buffer size pro tcp connection.").Default("1024").IntVar(&cfg.MQTT.WriterBufferSize)
 
-	cmd.Flag("mqtt.server-tls-cert", "TLS Certificate for MQTT server, leave blank to disable TLS").Default("").StringVar(&cfg.MQTT.TLSSrv.Cert)
-	cmd.Flag("mqtt.server-tls-key", "TLS Key for the MQTT server, leave blank to disable TLS").Default("").StringVar(&cfg.MQTT.TLSSrv.Key)
-	cmd.Flag("mqtt.server-tls-client-ca", "TLS CA to verify clients against. If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)").Default("").StringVar(&cfg.MQTT.TLSSrv.ClientCA)
+	cmd.Flag("mqtt.server-tls.enable", "Enable server side TLS").Default("false").BoolVar(&cfg.MQTT.TLSSrv.Enable)
+	cmd.Flag("mqtt.server-tls.cert-source", "TLS certificate source").Default(config.CertSourceFile).EnumVar(&cfg.MQTT.TLSSrv.CertSource, config.CertSourceFile)
+	cmd.Flag("mqtt.server-tls.refresh", "Option to specify the refresh interval for the TLS certificates.").Default("0s").DurationVar(&cfg.MQTT.TLSSrv.Refresh)
+
+	cmd.Flag("mqtt.server-tls.file.cert", "TLS Certificate for MQTT server, leave blank to disable TLS").Default("").StringVar(&cfg.MQTT.TLSSrv.File.Cert)
+	cmd.Flag("mqtt.server-tls.file.key", "TLS Key for the MQTT server, leave blank to disable TLS").Default("").StringVar(&cfg.MQTT.TLSSrv.File.Key)
+	cmd.Flag("mqtt.server-tls.file.client-ca", "TLS CA to verify clients against. If no client CA is specified, there is no client verification on server side.").Default("").StringVar(&cfg.MQTT.TLSSrv.File.ClientCA)
+	cmd.Flag("mqtt.server-tls.file.client-clr", "TLS X509 CLR signed be the client CA. If no revocation list is specified, only client CA is verified").Default("").StringVar(&cfg.MQTT.TLSSrv.File.ClientCLR)
 
 	cmd.Flag("mqtt.handler.ignore-unsupported", "List of unsupported messages which are ignored. One of: [SUBSCRIBE, UNSUBSCRIBE]").PlaceHolder("MSG").EnumsVar(&cfg.MQTT.Handler.IgnoreUnsupported, "SUBSCRIBE", "UNSUBSCRIBE")
 	cmd.Flag("mqtt.handler.allow-unauthenticated", "List of messages for which connection is not disconnected if unauthenticated request is received. One of: [PUBLISH, PUBREL, PINGREQ]").PlaceHolder("MSG").EnumsVar(&cfg.MQTT.Handler.AllowUnauthenticated, "PUBLISH", "PUBREL", "PINGREQ")
@@ -162,9 +170,32 @@ func runServer(
 	{
 		logger.Infof("setting up MQTT server")
 
-		tlsCfg, err := tls.NewServerConfig(logger, cfg.MQTT.TLSSrv.Cert, cfg.MQTT.TLSSrv.Key, cfg.MQTT.TLSSrv.ClientCA)
-		if err != nil {
-			return errors.Wrap(err, "setup MQTT server")
+		var tlsConfig *tls.Config
+		if cfg.MQTT.TLSSrv.Enable {
+			logger.Infof("enabling server side TLS")
+			var (
+				source tlscert.ServerSource
+				err    error
+			)
+			switch cfg.MQTT.TLSSrv.CertSource {
+			case config.CertSourceFile:
+				source, err = filesource.New(
+					filesource.WithLogger(logger),
+					filesource.WithX509KeyPair(cfg.MQTT.TLSSrv.File.Cert, cfg.MQTT.TLSSrv.File.Key),
+					filesource.WithClientAuthFile(cfg.MQTT.TLSSrv.File.ClientCA),
+					filesource.WithClientCRLFile(cfg.MQTT.TLSSrv.File.ClientCLR),
+					filesource.WithRefresh(cfg.MQTT.TLSSrv.Refresh),
+				)
+				if err != nil {
+					return errors.Wrap(err, "setup cert file source")
+				}
+			default:
+				return errors.Errorf("unknown cert source %s", cfg.MQTT.TLSSrv.CertSource)
+			}
+			tlsConfig, err = servertls.NewServerConfig(logger, source)
+			if err != nil {
+				return errors.Wrap(err, "setup server TLS config")
+			}
 		}
 
 		handler := mqtthandler.New(logger, registry, publisher,
@@ -186,7 +217,7 @@ func runServer(
 			mqttserver.WithReaderBufferSize(cfg.MQTT.ReaderBufferSize),
 			mqttserver.WithWriterBufferSize(cfg.MQTT.WriterBufferSize),
 			mqttserver.WithHandler(handler),
-			mqttserver.WithTLSConfig(tlsCfg),
+			mqttserver.WithTLSConfig(tlsConfig),
 		)
 
 		_ = promauto.With(registry).NewGaugeFunc(prometheus.GaugeOpts{
 
@@ -1,6 +1,6 @@
 module github.com/grepplabs/mqtt-proxy
 
-go 1.18
+go 1.19
 
 require (
 	github.com/confluentinc/confluent-kafka-go v1.9.2
 
@@ -22,6 +22,11 @@ const (
 	AuthPlain = "plain"
 )
 
+// server certificate source
+const (
+	CertSourceFile = "file"
+)
+
 type Server struct {
 	HTTP struct {
 		ListenAddress string
@@ -36,9 +41,15 @@ type Server struct {
 		ReaderBufferSize int
 		WriterBufferSize int
 		TLSSrv           struct {
-			Cert     string
-			Key      string
-			ClientCA string
+			Enable     bool
+			CertSource string
+			Refresh    time.Duration
+			File       struct {
+				Cert      string
+				Key       string
+				ClientCA  string
+				ClientCLR string
+			}
 		}
 		Handler struct {
 			IgnoreUnsupported    []string
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.18-alpine3.16 as builder`
	`1`	`+FROM golang:1.19-alpine3.16 as builder`
`2`	`2`
`3`	`3`	`RUN apk add alpine-sdk ca-certificates`
`4`	`4`