Serving cert file OIDC provider

support/oidc-discovery-provider/README.md

@@ -57,13 +57,13 @@ The configuration file is **required** by the provider. It contains
 
 #### Considerations for Unix platforms
 
-[1]: One of `acme`, `serving_cert_file`, `listen_socket_path` must be defined.
+[1]: One of `acme`, `serving_cert_file` or `listen_socket_path` must be defined.
 
 [3]: The `allow_insecure_scheme` should only be used in a local development environment for testing purposes. It only works in conjunction with `insecure_addr` or `listen_socket_path`.
 
 #### Considerations for Windows platforms
 
-[1]: One of `acme`, `serving_cert_file`, `listen_named_pipe_name` must be defined.
+[1]: One of `acme`, `serving_cert_file` or `listen_named_pipe_name` must be defined.
 
 [3]: The `allow_insecure_scheme` should only be used in a local development environment for testing purposes. It only works in conjunction with `insecure_addr` or `listen_named_pipe_name`.
 
@@ -91,11 +91,13 @@ will terminate if another domain is requested.
 
 #### Serving Certificate Section
 
-| Key                  | Type     | Required? | Description                                                        | Default  |
-|----------------------|----------|-----------|--------------------------------------------------------------------|----------|
-| `cert_file_path`     | string   | required  | The certificate file path, the file must contain PEM encoded data. |          |
-| `key_file_path`      | string   | required  | The private key file path, the file must contain PEM encoded data. |          |
-| `file_sync_interval` | duration | optional  | Controls how frequently the service polls the files for changes.   | 1 minute |
+| Key                  | Type     | Required? | Description                                                        | Default    |
+|----------------------|----------|-----------|--------------------------------------------------------------------|------------|
+| `cert_file_path`     | string   | required  | The certificate file path, the file must contain PEM encoded data. |            |
+| `key_file_path`      | string   | required  | The private key file path, the file must contain PEM encoded data. |            |
+| `file_sync_interval` | duration | optional  | Controls how frequently the service polls the files for changes.   | 1 minute   |
+| `file_sync_interval` | duration | optional  | Controls how frequently the service polls the files for changes.   | 1 minute   |
+| `addr`               | string   | optional  | Exposes the service on the given address.                          | :433 |
 
 #### Server API Section
 

support/oidc-discovery-provider/config.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"net"
 	"os"
 	"time"
 
@@ -16,6 +17,7 @@ const (
 	defaultHealthChecksBindPort  = 8008
 	defaultHealthChecksReadyPath = "/ready"
 	defaultHealthChecksLivePath  = "/live"
+	defaultAddr                  = ":433"
 )
 
 type Config struct {
@@ -82,6 +84,10 @@ type ServingCertFileConfig struct {
 	// KeyFilePath is the path to the private key file. The provider will watch
 	// this file for changes and reload the key when it changes.
 	KeyFilePath string `hcl:"key_file_path"`
+	// Addr is the address to listen on. This is optional and defaults to ":433".
+	Addr *net.TCPAddr `hcl:"-"`
+	// RawAddr holds the string version of the Addr. Consumers should use Addr instead.
+	RawAddr string `hcl:"addr"`
 	// FileSyncInterval controls how frequently the service polls the certificate for changes.
 	FileSyncInterval time.Duration `hcl:"-"`
 	// RawFileSyncInterval holds the string version of the FileSyncInterval. Consumers
@@ -221,6 +227,16 @@ func ParseConfig(hclConfig string) (_ *Config, err error) {
 			return nil, errs.New("key_file_path must be configured in the serving_cert_file configuration section")
 		}
 
+		if c.ServingCertFile.RawAddr == "" {
+			c.ServingCertFile.RawAddr = defaultAddr
+		}
+
+		addr, err := net.ResolveTCPAddr("tcp", c.ServingCertFile.RawAddr)
+		if err != nil {
+			return nil, errs.New("invalid addr in the serving_cert_file configuration section: %v", err)
+		}
+		c.ServingCertFile.Addr = addr
+
 		c.ServingCertFile.FileSyncInterval, err = parseDurationField(c.ServingCertFile.RawFileSyncInterval, defaultFileSyncInterval)
 		if err != nil {
 			return nil, errs.New("invalid file_sync_interval in the serving_cert_file configuration section: %v", err)

support/oidc-discovery-provider/config_posix_test.go

@@ -3,7 +3,10 @@
 
 package main
 
-import "time"
+import (
+	"net"
+	"time"
+)
 
 var (
 	minimalServerAPIConfig = `
@@ -107,13 +110,45 @@ func parseConfigCasesOS() []parseConfigCase {
 			},
 		},
 		{
-			name: "serving_cert_file configuration",
+			name: "serving_cert_file configuration with defaults",
+			in: `
+				domains = ["domain.test"]
+				serving_cert_file {
+					cert_file_path = "test"
+					key_file_path = "test"
+				}
+				server_api {
+					address = "unix:///some/socket/path"
+				}
+			`,
+			out: &Config{
+				LogLevel: defaultLogLevel,
+				Domains:  []string{"domain.test"},
+				ServingCertFile: &ServingCertFileConfig{
+					CertFilePath:     "test",
+					KeyFilePath:      "test",
+					FileSyncInterval: time.Minute,
+					Addr: &net.TCPAddr{
+						IP:   nil,
+						Port: 433,
+					},
+					RawAddr: ":433",
+				},
+				ServerAPI: &ServerAPIConfig{
+					Address:      "unix:///some/socket/path",
+					PollInterval: defaultPollInterval,
+				},
+			},
+		},
+		{
+			name: "serving_cert_file configuration with optionals",
 			in: `
 				domains = ["domain.test"]
 				serving_cert_file {
 					cert_file_path = "test"
 					key_file_path = "test"
 					file_sync_interval = "5m"
+					addr = "127.0.0.1:9090"
 				}
 				server_api {
 					address = "unix:///some/socket/path"
@@ -127,6 +162,11 @@ func parseConfigCasesOS() []parseConfigCase {
 					KeyFilePath:         "test",
 					FileSyncInterval:    5 * time.Minute,
 					RawFileSyncInterval: "5m",
+					Addr: &net.TCPAddr{
+						IP:   net.ParseIP("127.0.0.1"),
+						Port: 9090,
+					},
+					RawAddr: "127.0.0.1:9090",
 				},
 				ServerAPI: &ServerAPIConfig{
 					Address:      "unix:///some/socket/path",
@@ -160,6 +200,21 @@ func parseConfigCasesOS() []parseConfigCase {
 			`,
 			err: "key_file_path must be configured in the serving_cert_file configuration section",
 		},
+		{
+			name: "serving_cert_file configuration with invalid addr",
+			in: `
+				domains = ["domain.test"]
+				serving_cert_file {
+					cert_file_path = "test"
+					key_file_path = "test"
+					addr = "127.0.0.1.1:9090"
+				}
+				server_api {
+					address = "unix:///some/socket/path"
+				}
+			`,
+			err: "invalid addr in the serving_cert_file configuration section: lookup 127.0.0.1.1: no such host",
+		},
 		{
 			name: "both acme and insecure_addr configured",
 			in: `

support/oidc-discovery-provider/config_windows_test.go

@@ -123,18 +123,48 @@ func parseConfigCasesOS() []parseConfigCase {
 			},
 		},
 		{
-			name: "serving_cert_file configuration",
+			name: "serving_cert_file configuration with defaults",
+			in: `
+				domains = ["domain.test"]
+				serving_cert_file {
+					cert_file_path = "test"
+					key_file_path = "test"
+				}
+				server_api {
+					address = "unix:///some/socket/path"
+				}
+			`,
+			out: &Config{
+				LogLevel: defaultLogLevel,
+				Domains:  []string{"domain.test"},
+				ServingCertFile: &ServingCertFileConfig{
+					CertFilePath:     "test",
+					KeyFilePath:      "test",
+					FileSyncInterval: time.Minute,
+					Addr: &net.TCPAddr{
+						IP:   nil,
+						Port: 433,
+					},
+					RawAddr: ":433",
+				},
+				ServerAPI: &ServerAPIConfig{
+					Address:      "unix:///some/socket/path",
+					PollInterval: defaultPollInterval,
+				},
+			},
+		},
+		{
+			name: "serving_cert_file configuration with optionals",
 			in: `
 				domains = ["domain.test"]
 				serving_cert_file {
 					cert_file_path = "test"
 					key_file_path = "test"
 					file_sync_interval = "5m"
+					addr = "127.0.0.1:9090"
 				}
 				server_api {
-					experimental {
-						named_pipe_name = "\\name\\for\\server\\api"
-					}
+					address = "unix:///some/socket/path"
 				}
 			`,
 			out: &Config{
@@ -145,11 +175,14 @@ func parseConfigCasesOS() []parseConfigCase {
 					KeyFilePath:         "test",
 					FileSyncInterval:    5 * time.Minute,
 					RawFileSyncInterval: "5m",
+					Addr: &net.TCPAddr{
+						IP:   net.ParseIP("127.0.0.1"),
+						Port: 9090,
+					},
+					RawAddr: "127.0.0.1:9090",
 				},
 				ServerAPI: &ServerAPIConfig{
-					Experimental: experimentalServerAPIConfig{
-						NamedPipeName: "\\name\\for\\server\\api",
-					},
+					Address:      "unix:///some/socket/path",
 					PollInterval: defaultPollInterval,
 				},
 			},
@@ -180,6 +213,21 @@ func parseConfigCasesOS() []parseConfigCase {
 			`,
 			err: "key_file_path must be configured in the serving_cert_file configuration section",
 		},
+		{
+			name: "serving_cert_file configuration with invalid addr",
+			in: `
+				domains = ["domain.test"]
+				serving_cert_file {
+					cert_file_path = "test"
+					key_file_path = "test"
+					addr = "127.0.0.1.1:9090"
+				}
+				server_api {
+					address = "unix:///some/socket/path"
+				}
+			`,
+			err: "invalid addr in the serving_cert_file configuration section: lookup 127.0.0.1.1: no such host",
+		},
 		{
 			name: "both acme and insecure_addr configured",
 			in: `

support/oidc-discovery-provider/main.go

@@ -100,8 +100,7 @@ func run(configPath string) error {
 
 	go func() {
 		<-ctx.Done()
-		err = server.Shutdown(context.Background())
-		if err != nil {
+		if err := server.Shutdown(context.Background()); err != nil {
 			log.Error(err)
 		}
 	}()
@@ -182,7 +181,7 @@ func newListenerWithServingCert(ctx context.Context, log logrus.FieldLogger, con
 
 	tlsConfig := certManager.TLSConfig()
 
-	tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{Port: 443})
+	tcpListener, err := net.ListenTCP("tcp", config.ServingCertFile.Addr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create listener using certificate from disk: %w", err)
 	}