🔒 Add native HTTPS support

.github/workflows/build.yml

@@ -107,4 +107,4 @@ jobs:
         run: |
           set -ex
           kubectl get ns flowg-system || kubectl create ns flowg-system
-          ct install --chart-dirs ./k8s/charts --charts ./k8s/charts/flowg --namespace flowg-system
+          ct install --chart-dirs ./k8s/charts --charts ./k8s/charts/flowg --namespace flowg-system --helm-extra-set-args '--set=flowg.image.tag=latest'

VERSION.txt

@@ -1 +1 @@
-v0.16.0
+v0.17.0

cmd/flowg/serve.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"fmt"
+
 	"os"
 	"os/signal"
 	"syscall"
 
+	"crypto/tls"
+
 	"github.com/spf13/cobra"
 
 	"link-society.com/flowg/internal/app/logging"
@@ -14,7 +18,11 @@ import (
 
 type serveCommandOpts struct {
 	httpBindAddress string
-	syslogBindAddr  string
+	httpTlsEnabled  bool
+	httpTlsCert     string
+	httpTlsCertKey  string
+
+	syslogBindAddr string
 
 	authDir   string
 	logDir    string
@@ -33,8 +41,25 @@ func NewServeCommand() *cobra.Command {
 			metrics.Setup()
 		},
 		Run: func(cmd *cobra.Command, args []string) {
+			var httpTlsConfig *tls.Config
+
+			if opts.httpTlsEnabled {
+				cert, err := tls.LoadX509KeyPair(opts.httpTlsCert, opts.httpTlsCertKey)
+				if err != nil {
+					fmt.Fprintf(os.Stderr, "Failed to load TLS certificate: %v", err)
+					exitCode = 1
+					return
+				}
+
+				httpTlsConfig = &tls.Config{
+					Certificates: []tls.Certificate{cert},
+				}
+			}
+
 			srv := server.NewServer(server.Options{
-				HttpBindAddress:   opts.httpBindAddress,
+				HttpBindAddress: opts.httpBindAddress,
+				HttpTlsConfig:   httpTlsConfig,
+
 				SyslogBindAddress: opts.syslogBindAddr,
 
 				ConfigStorageDir: opts.configDir,
@@ -70,6 +95,27 @@ func NewServeCommand() *cobra.Command {
 		"Address to bind the HTTP server to",
 	)
 
+	cmd.Flags().BoolVar(
+		&opts.httpTlsEnabled,
+		"http-tls",
+		false,
+		"Enable TLS for the HTTP server",
+	)
+
+	cmd.Flags().StringVar(
+		&opts.httpTlsCert,
+		"http-tls-cert",
+		"",
+		"Path to the certificate file for the HTTPS server",
+	)
+
+	cmd.Flags().StringVar(
+		&opts.httpTlsCertKey,
+		"http-tls-key",
+		"",
+		"Path to the certificate key file for the HTTPS server",
+	)
+
 	cmd.Flags().StringVar(
 		&opts.syslogBindAddr,
 		"syslog-bind",

docs/cli.md

@@ -28,13 +28,16 @@ Usage:
   flowg serve [flags]
 
 Flags:
-      --auth-dir string      Path to the auth database directory (default "./data/auth")
-      --config-dir string    Path to the config directory (default "./data/config")
-  -h, --help                 help for serve
-      --http-bind string     Address to bind the HTTP server to (default ":5080")
-      --log-dir string       Path to the log database directory (default "./data/logs")
-      --syslog-bind string   Address to bind the Syslog server to (default ":5514")
-      --verbose              Enable verbose logging
+      --auth-dir string        Path to the auth database directory (default "./data/auth")
+      --config-dir string      Path to the config directory (default "./data/config")
+  -h, --help                   help for serve
+      --http-bind string       Address to bind the HTTP server to (default ":5080")
+      --http-tls               Enable TLS for the HTTP server
+      --http-tls-cert string   Path to the certificate file for the HTTPS server
+      --http-tls-key string    Path to the certificate key file for the HTTPS server
+      --log-dir string         Path to the log database directory (default "./data/logs")
+      --syslog-bind string     Address to bind the Syslog server to (default ":5514")
+      --verbose                Enable verbose logging
 ```
 
 ## 2. `flowg admin`

internal/app/server/main.go

@@ -3,11 +3,15 @@ package server
 import (
 	"log/slog"
 
+	"crypto/tls"
+
 	"github.com/vladopajic/go-actor/actor"
 )
 
 type Options struct {
-	HttpBindAddress   string
+	HttpBindAddress string
+	HttpTlsConfig   *tls.Config
+
 	SyslogBindAddress string
 
 	AuthStorageDir   string
@@ -31,7 +35,10 @@ func NewServer(opts Options) *Server {
 	)
 	serviceLayer := newServiceLayer(
 		opts.HttpBindAddress,
+		opts.HttpTlsConfig,
+
 		opts.SyslogBindAddress,
+
 		storageLayer,
 		engineLayer,
 	)

internal/app/server/service_layer.go

@@ -3,7 +3,10 @@ package server
 import (
 	"errors"
 
+	"crypto/tls"
+
 	"github.com/vladopajic/go-actor/actor"
+
 	"link-society.com/flowg/internal/services/http"
 	"link-society.com/flowg/internal/services/syslog"
 )
@@ -17,13 +20,16 @@ type serviceLayer struct {
 
 func newServiceLayer(
 	httpBindAddress string,
+	httpTlsConfig *tls.Config,
+
 	syslogBindAddress string,
 
 	storageLayer *storageLayer,
 	engineLayer *engineLayer,
 ) *serviceLayer {
 	httpServer := http.NewServer(
 		httpBindAddress,
+		httpTlsConfig,
 		storageLayer.authStorage,
 		storageLayer.configStorage,
 		storageLayer.logStorage,

internal/services/http/main.go

@@ -3,6 +3,8 @@ package http
 import (
 	"log/slog"
 
+	"crypto/tls"
+
 	"github.com/vladopajic/go-actor/actor"
 
 	"link-society.com/flowg/internal/engines/lognotify"
@@ -21,6 +23,7 @@ type Server struct {
 
 func NewServer(
 	bindAddress string,
+	tlsConfig *tls.Config,
 	authStorage *auth.Storage,
 	configStorage *config.Storage,
 	logStorage *log.Storage,
@@ -37,7 +40,11 @@ func NewServer(
 		logNotifier:    logNotifier,
 		pipelineRunner: pipelineRunner,
 
-		state:     &workerStarting{bindAddress: bindAddress},
+		state: &workerStarting{
+			bindAddress: bindAddress,
+			tlsConfig:   tlsConfig,
+		},
+
 		startCond: sync.NewCondValue[error](),
 		stopCond:  sync.NewCondValue[error](),
 	}

internal/services/http/states.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"time"
 
+	"crypto/tls"
 	"net"
 	gohttp "net/http"
 
@@ -25,6 +26,7 @@ type workerState interface {
 
 type workerStarting struct {
 	bindAddress string
+	tlsConfig   *tls.Config
 }
 
 type workerRunning struct {
@@ -66,8 +68,9 @@ func (s *workerStarting) DoWork(ctx actor.Context, worker *worker) workerState {
 	)
 
 	server := &gohttp.Server{
-		Addr:    s.bindAddress,
-		Handler: logging.NewMiddleware(rootHandler),
+		Addr:      s.bindAddress,
+		Handler:   logging.NewMiddleware(rootHandler),
+		TLSConfig: s.tlsConfig,
 	}
 
 	worker.logger.InfoContext(
@@ -93,7 +96,11 @@ func (s *workerStarting) DoWork(ctx actor.Context, worker *worker) workerState {
 		return nil
 	}
 
-	go server.Serve(l)
+	if s.tlsConfig != nil {
+		go server.ServeTLS(l, "", "")
+	} else {
+		go server.Serve(l)
+	}
 
 	worker.startCond.Broadcast(nil)
 	return &workerRunning{server: server}

k8s/charts/flowg/Chart.yaml

@@ -1,9 +1,9 @@
 ---
 apiVersion: v2
 name: flowg
-version: "v0.16.0"
+version: "v0.17.0"
 type: application
-appVersion: "v0.16.0"
+appVersion: "v0.17.0"
 kubeVersion: ">=1.30.0-0"
 description: Flowg is a low-code log processing platform.
 home: https://github.com/link-society/flowg

k8s/charts/flowg/templates/flowg-certificate.yaml

@@ -0,0 +1,34 @@
+{{- if and .Values.flowg.https.enabled .Values.flowg.https.certificateFrom.certmanager -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "flowg.fullname" . }}-certificate
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ include "flowg.fullname" . }}-tls
+
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  isCA: false
+  usages:
+    - server auth
+
+  subject:
+    organizations:
+      - "FlowG"
+
+  commonName: {{ .Values.flowg.https.certificateFrom.certmanager.commonName }}
+  dnsNames:
+    - {{ .Values.flowg.https.certificateFrom.certmanager.commonName }}
+
+  {{- with .Values.flowg.https.certificateFrom.certmanager.issuerRef }}
+  issuerRef:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

k8s/charts/flowg/templates/flowg-deployment.yaml

@@ -33,6 +33,11 @@ spec:
           image: "{{ .Values.flowg.image.repository }}:{{ .Values.flowg.image.tag | default .Chart.AppVersion }}"
           args:
             - serve
+          {{- if .Values.flowg.https.enabled }}
+            - --http-tls
+            - --http-tls-cert=/data/ssl/tls.crt
+            - --http-tls-key=/data/ssl/tls.key
+          {{- end }}
           ports:
             - containerPort: 5080
               hostPort: 5080
@@ -53,7 +58,30 @@ spec:
           volumeMounts:
             - name: flowg-data
               mountPath: /data
+          {{- if and .Values.flowg.https.enabled (or .Values.flowg.https.certificateFrom.certmanager .Values.flowg.https.certificateFrom.secretRef) }}
+            - name: flowg-tls
+              mountPath: /data/ssl
+          {{- end }}
       volumes:
         - name: flowg-data
           persistentVolumeClaim:
             claimName: {{ include "flowg.fullname" . }}-data-pvc
+      {{- if and .Values.flowg.https.enabled .Values.flowg.https.certificateFrom.certmanager }}
+        - name: flowg-tls
+          secret:
+            secretName: {{ include "flowg.fullname" . }}-tls
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+      {{- else if and .Values.flowg.https.enabled .Values.flowg.https.certificateFrom.secretRef }}
+        - name: flowg-tls
+          secret:
+            secretName: {{ .Values.flowg.https.certificateFrom.secretRef.name }}
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+      {{- end }}

k8s/charts/flowg/values.yaml

@@ -14,6 +14,19 @@ flowg:
     size: 10Gi
     hostPath: /var/lib/flowg/data
 
+  https:
+    enabled: false
+
+    certificateFrom: {}
+      # secretRef:
+      #   name: flowg-tls
+      #
+      # certmanager:
+      #   commonName: logs.example.com
+      #   issuerRef:
+      #     name: letsencrypt-prod
+      #     kind: ClusterIssuer
+
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little

website/docs/advanced/_category_.json

@@ -0,0 +1,4 @@
+{
+  "position": 4,
+  "label": "Advanced Configuration"
+}