Merge pull request #76 from mailgun/thrawn/tls-support

PIP-1012: Add GRPC/HTTP TLS support
mailgun · Nov 11, 2020 · 4d87ed8 · 4d87ed8
2 parents 70075b0 + 28c7e67
commit 4d87ed8
Show file tree

Hide file tree

Showing 52 changed files with 2,065 additions and 624 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.0-rc.3] - 2020-11-10
+### Change
+* Added TLS Support for both GRPC and HTTP interfaces #76
+* Prometheus metrics are now prefixed with `gubernator_`
+* Switched prometheus Histograms to Summary's
+* Changed gubernator.Config.GRPCServer to GRPCServers to support registering
+with GRPC instances on multiple ports.
+* Gubernator now opens a second GRPC instance on a random localhost port when
+TLS is enabled for use by the HTTP API Gateway.
+
 ## [1.0.0-rc.2] - 2020-11-05
 ### Change
 * Add Service Account to k8s deployment yaml

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build image
-FROM golang:1.15.1 as build
+FROM golang:1.15.4 as build
 
 WORKDIR /go/src
 

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: release docker proto
+.PHONY: release docker proto certs
 .DEFAULT_GOAL := release
 
 VERSION=$(shell cat version)
@@ -18,3 +18,18 @@ release:
 
 proto:
 	scripts/proto.sh
+
+certs:
+	rm certs/*.key certs/*.srl certs/*.csr certs/*.pem
+	openssl genrsa -out certs/ca.key 4096
+	openssl req -new -x509 -key certs/ca.key -sha256 -subj "/C=US/ST=TX/O=Mailgun Technologies, Inc." -days 3650 -out certs/ca.cert
+	openssl genrsa -out certs/gubernator.key 4096
+	openssl req -new -key certs/gubernator.key -out certs/gubernator.csr -config certs/gubernator.conf
+	openssl x509 -req -in certs/gubernator.csr -CA certs/ca.cert -CAkey certs/ca.key -CAcreateserial -out certs/gubernator.pem -days 3650 -sha256 -extfile certs/gubernator.conf -extensions req_ext
+	# Client Auth
+	openssl req -new -x509 -days 3650 -keyout certs/client-auth-ca.key -out certs/client-auth-ca.pem -subj "/C=TX/ST=TX/O=Mailgun Technologies, Inc./CN=mailgun.com/[email protected]" -passout pass:test
+	openssl genrsa -out certs/client-auth.key 2048
+	openssl req -sha1 -key certs/client-auth.key -new -out certs/client-auth.req -subj "/C=US/ST=TX/O=Mailgun Technologies, Inc./CN=client.com/[email protected]"
+	openssl x509 -req -days 3650 -in certs/client-auth.req -CA certs/client-auth-ca.pem -CAkey certs/client-auth-ca.key -passin pass:test -out certs/client-auth.pem
+	openssl x509 -extfile certs/client-auth.conf -extensions ssl_client -req -days 3650 -in certs/client-auth.req -CA certs/client-auth-ca.pem -CAkey certs/client-auth-ca.key -passin pass:test -out certs/client-auth.pem
+
diff --git a/README.md b/README.md
@@ -252,15 +252,15 @@ don't have either, the docker-compose method is the simplest way to try gubernat
 
 ##### Docker with existing etcd cluster
 ```bash
-$ docker run -p 8081:81 -p 8080:80 -e GUBER_ETCD_ENDPOINTS=etcd1:2379,etcd2:2379 \
+$ docker run -p 8081:81 -p 9080:80 -e GUBER_ETCD_ENDPOINTS=etcd1:2379,etcd2:2379 \
    thrawn01/gubernator:latest 
 
-# Hit the API at localhost:8080 (GRPC is at 8081)
-$ curl http://localhost:8080/v1/HealthCheck
+# Hit the HTTP API at localhost:9080
+$ curl http://localhost:9080/v1/HealthCheck
 ```
 
 ##### Docker compose
-The docker compose file includes a local etcd server and 2 gubernator instances
+The docker compose file uses member-list for peer discovery
 ```bash
 # Download the docker-compose file
 $ curl -O https://raw.githubusercontent.com/mailgun/gubernator/master/docker-compose.yaml
@@ -271,8 +271,8 @@ $ vi docker-compose.yaml
 # Run the docker container
 $ docker-compose up -d
 
-# Hit the API at localhost:8080 (GRPC is at 8081)
-$ curl http://localhost:8080/v1/HealthCheck
+# Hit the HTTP API at localhost:9080 (GRPC is at 9081)
+$ curl http://localhost:9080/v1/HealthCheck
 ```
 
 ##### Kubernetes
@@ -287,16 +287,24 @@ $ vi k8s-deployment.yaml
 $ kubectl create -f k8s-deployment.yaml
 ```
 
+##### TLS
+Gubernator supports TLS for both HTTP and GRPC connections. You can see an example with
+self signed certs by running `docker-compose-tls.yaml`
+```bash
+# Run docker compose
+$ docker-compose -f docker-compose-tls.yaml up -d
+
+# Hit the HTTP API at localhost:9080 (GRPC is at 9081)
+$ curl --cacert certs/ca.pem --cert certs/gubernator.pem --key certs/gubernator.key  https://localhost:9080/v1/HealthCheck
+`
+
 ### Configuration
 Gubernator is configured via environment variables with an optional `--config` flag
 which takes a file of key/values and places them into the local environment before startup.
 
 See the `example.conf` for all available config options and their descriptions.
 
-
 ### Architecture
 See [architecture.md](/architecture.md) for a full description of the architecture and the inner 
 workings of gubernator.
 
-
-
diff --git a/benchmark_test.go b/benchmark_test.go
@@ -31,7 +31,10 @@ func BenchmarkServer_GetPeerRateLimitNoBatching(b *testing.B) {
 		b.Errorf("SetDefaults err: %s", err)
 	}
 
-	client := guber.NewPeerClient(conf.Behaviors, cluster.GetRandomPeer())
+	client := guber.NewPeerClient(guber.PeerConfig{
+		Info:     cluster.GetRandomPeer(),
+		Behavior: conf.Behaviors,
+	})
 
 	b.Run("GetPeerRateLimitNoBatching", func(b *testing.B) {
 		for n := 0; n < b.N; n++ {
@@ -51,7 +54,7 @@ func BenchmarkServer_GetPeerRateLimitNoBatching(b *testing.B) {
 }
 
 func BenchmarkServer_GetRateLimit(b *testing.B) {
-	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress)
+	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress, nil)
 	if err != nil {
 		b.Errorf("NewV1Client err: %s", err)
 	}
@@ -77,7 +80,7 @@ func BenchmarkServer_GetRateLimit(b *testing.B) {
 }
 
 func BenchmarkServer_Ping(b *testing.B) {
-	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress)
+	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress, nil)
 	if err != nil {
 		b.Errorf("NewV1Client err: %s", err)
 	}
@@ -105,7 +108,7 @@ func BenchmarkServer_Ping(b *testing.B) {
 }*/
 
 func BenchmarkServer_ThunderingHeard(b *testing.B) {
-	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress)
+	client, err := guber.DialV1Server(cluster.GetRandomPeer().GRPCAddress, nil)
 	if err != nil {
 		b.Errorf("NewV1Client err: %s", err)
 	}

diff --git a/cache.go b/cache.go
@@ -85,9 +85,9 @@ func NewLRUCache(maxSize int) *LRUCache {
 		cache:     make(map[interface{}]*list.Element),
 		ll:        list.New(),
 		cacheSize: maxSize,
-		sizeMetric: prometheus.NewDesc("cache_size",
+		sizeMetric: prometheus.NewDesc("gubernator_cache_size",
 			"Size of the LRU Cache which holds the rate limits.", nil, nil),
-		accessMetric: prometheus.NewDesc("cache_access_count",
+		accessMetric: prometheus.NewDesc("gubernator_cache_access_count",
 			"Cache access counts.", []string{"type"}, nil),
 	}
 }

diff --git a/certs/DO_NOT_USE_THESE_IN_PRODUCTION b/certs/DO_NOT_USE_THESE_IN_PRODUCTION
@@ -0,0 +1 @@
+These are for testing only
diff --git a/certs/ca.key b/certs/ca.key
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAvv4lHiIN5r+D5Ih6g0EQEo3ZB3P/GPdXZCJlybrgXssbn+OD
+mcU42Iq25IzF+Dq65SRZvg+ZGI59uXmh4T0eyyBY1JjQAb+7PpXWU+GYcFIEOMDR
+6IHOG2KLURYgmGL9AcgFP38ZOYRFczZMwpK7JfLDbFPjZkjhcGhnzBLPF4y3xA75
+E0cseJ6OA8reEKzhxVXoECqnLnlcZTbltlLmc4EI7tE2dAgvZoIx6K5tpR+6aOem
+0gz/YwniJdj5mHnNL5bEMtlESzFEn8txp8iTgsKgfSI+2IRkVA+zg7hpq50+m4Dv
+P6qmZ+e92ovMCiC89y5Oua11n5DJQeeo0wf/B8BTkphJ9TYNcvZJybB+YGemBT7G
+AwyxM0kcO2Bl8SH6FDrglXgQpYCJGVdOnGBqfQir288Rvt3Q463v6gnProJLkCPM
+eODKSdiPbn2tbUwo1hf4fUHiQ52bQHH15cfE5rG0lokkdqYj3WRPQ1YkYuDLY95K
+MoAEx+tyaVhIRyTc/vUOCif4QOG/o1IMcyfj15Z4NBHLBNnUuR3uC4Yv1tq68ZmI
+ZxZTjStCogd7sAJOefJKA/AhHdYSlwfW70tVSy2w9+y8QlPErT4C4386KVyW1jUh
+JXb8vpRzipx7Z/3vQneFGEef2V16I6EWm4UEJGoX3QGIF7ZWd25mrdEFZfMCAwEA
+AQKCAgBCSP/m0ljSwZrrwLYMQZNrbRFqdcaOCqGo3gtHlPTz0TfYKOTuhDUzagkJ
+jxXSDcf5aMFApjcy/5kAuwcEnerHAoXx2ssuIDXDBcuptvzp1n0imUEAmbRHas8B
+KFXNrWUzrhCsNdcyUAaucqT3TmdnRzatrPuZ7ydWlNWZTNnUyYCpqaymFSiJADY3
+eLvTO7zreOIeYj89cN8xPXlB6smSQrEv+SoV4RVaVUsu/wKMsVNHv0X1Vo939uEm
+04PkeDlPD9st7pu2IPY5Iylh2snfMt7yLuVyzZfoWL6rs1/xMJSe8YOXLAmuvA33
+AFejGDOc8dReuqW86EoA9n5wJzFKDIHI4lo1gThULKaP4bUORr20KY+txxUMCf5+
+zkzuFfaPMB5AVvj6w6tbw2XRYlyC3Kq3WkmwYWel0vvnLUrDn6x0PdI39tdQqJmQ
+Eh4HEWfm8fV6evPx+DH8wus1p6Ke8ITbJ6AIB200Ju5D4ZNgY00K1Jyh3uvnIwDe
+VHSr9znaRreHQiOfU81c4hI7ktZV8g5uAOToGGINSz0GkhQ6/yQJpqQvhT3eQvVa
+mVKVM+8CQsZKw4xtd1hc33GFoN7Tt5MkpNGJkdD4aR2zFXfLuangV0xBgl43q8j5
+pmi7rDwsvUifra47Dhz9Wdm4i2mUKiR7NNhZ6yljYqNZu4MkYQKCAQEA7bZi8GhE
+tRiciou3T3I7/z/iZIIWuSi011Gfl9bR4UfzVLK7KDR2ZcHufwWWrkk03jL0nj0f
+UalTOFNnthOXbyW1aq+TTHI15n2nK56tSKzHqDe13kTbxuq0jEXA4dFT3m+oj4LC
+KupZYdXVA5100kYbqIRfaxvFAVTXt05IEcIbbYOo4/IrXXKw4OOGnzojc7l8zNKB
+zmF7sfz+HBk5aQoujiEpi8mcHq8UyyektBSO2VN/Y7DvytfUrjYHMbs7345N93xk
+Re2/AifTa+T/PYL1XPRLjhL2zoh9z5cc/XHan514Lxj9JGBTeshRB09l1a4KT9us
+OIiriE3J6zj54wKCAQEAza+j67F5RQBv8Tt7lB/T6apYB9EmXGScZOjR3fgvappd
+9lvy8nXu64b2dF25Gh5AcVzGrKM0jeYXEJOJcC1lu4wwFGBUSP+bM1YC7omwUacG
+Xjwy3EE56m6I+7E9ndBLD3boDKmCPoAIzBh96aMDGKsCEkejBuOEp41UVyovvkyK
+ig17JSyvKDPc2YF2JpA8TAZgkRohoKXQMp18CnGXEcjLTFkF8mLqAVv3lwJy+5xM
+TM8+A4+xvmc/pTm06wiogbsdCCUb/7JqhjTazXvvxOfB/e4D9quPoc3cPbLTSq+d
+jzQGt604lFuPlInk6UJw8cHEc9ehn44KbroyJT7gsQKCAQEAyCZSZhOVDlpbrDf5
+r7YCmGek6nWyRlLk+YsrckCZVTMsyfr3pOGPcxx4AJGnDrZrAlArMXVLgomsnXd0
+kpUqY5Z/iwWsY6iig6D2+b5QLynzrkrCIhUea/1A6f7tafXDxT2E0tkJPfM2MS9H
+fRS9wTLwpNJYOSoXlYhnXVtXSUSDrZE2yj8kjjk8fw50Ums0YIMkdp0kWK4x5Wqc
+VvJSKYQ+MMPxZFbr0dYfDvMhNdM9d/VbBIh9TvCtjcXGBvScdB4wvZoKH+sPcfQw
+it80ngk/KPY1C7oh/0JjlD+rVCbiKpT/FcDXnCJTB8XUm/AZUXKKEjVna+5/Z3P/
++MNvewKCAQEAwQqLSfWy3zPd3AX7obWNacxZ+lwtKKG0tnBcJ3t65Q4kCceaaDyP
+E7YDMIuV4hFqYfq06+nwtQyxsPkHEKVKyY50wWr3L9vViYS8E6xeMwQTUfYltdnx
+xTggkDh0n9yR1d2/Q8MDXi1EFGkYI2K+0TQOKaHaO+jk42wdMAGD9ZJYo+CrJuSd
+L5odOHXssZzFOoTxtL1VujRlBlwPwq2BH0vYobsbfbWf8c6ivLOrvsGeSqhmh2kh
+ZJX6gdN7HOtvWvKF+NL7SCvnFjYc9KXRDniE9RGh3qx9jVprzew7qejQc0pc055b
+b8HPK5WPpeyZnAxDmIVURy9EU0+lKJeuwQKCAQBWtlQNdCfpOCSBDCZQ7y2Igbv9
+hYCK4+1KaqnGVCvd1XrVLzykCIlyCbMDum3Aiv4jMPFg+jtbEE8q5L6OD6bRIbdU
+l7jQdGiCPcfp/aezb71scMC/YdYwDAuYkfDKylxfdvalqepvQ952HzbFv6qSW0nU
+NpVwrgE3ZkFYzu2fV9u4mubkxb4FOYAlVyOnX+VVjUwBFD6MpUG3sTPjfj0Tgd1m
+BKueLwgfbQJa6i+TnCq+PEAFXlYfkC/gyuXbCgynFao2tBpJzIXPJj+lNascXeNT
+6PahNZ1mElSNYyEA4INVDjUGpGPVnkBRkmUIodfwzGrIheRR3khOl2MPf+8z
+-----END RSA PRIVATE KEY-----
diff --git a/certs/ca.pem b/certs/ca.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+jCCAuICCQD4067NpJ3JHjANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCVFgxIzAhBgNVBAoMGk1haWxndW4gVGVjaG5vbG9naWVzLCBJ
+bmMuMB4XDTIwMTAyNjIxMjkwMloXDTMwMTAyNDIxMjkwMlowPzELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgMAlRYMSMwIQYDVQQKDBpNYWlsZ3VuIFRlY2hub2xvZ2llcywg
+SW5jLjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7+JR4iDea/g+SI
+eoNBEBKN2Qdz/xj3V2QiZcm64F7LG5/jg5nFONiKtuSMxfg6uuUkWb4PmRiOfbl5
+oeE9HssgWNSY0AG/uz6V1lPhmHBSBDjA0eiBzhtii1EWIJhi/QHIBT9/GTmERXM2
+TMKSuyXyw2xT42ZI4XBoZ8wSzxeMt8QO+RNHLHiejgPK3hCs4cVV6BAqpy55XGU2
+5bZS5nOBCO7RNnQIL2aCMeiubaUfumjnptIM/2MJ4iXY+Zh5zS+WxDLZREsxRJ/L
+cafIk4LCoH0iPtiEZFQPs4O4aaudPpuA7z+qpmfnvdqLzAogvPcuTrmtdZ+QyUHn
+qNMH/wfAU5KYSfU2DXL2ScmwfmBnpgU+xgMMsTNJHDtgZfEh+hQ64JV4EKWAiRlX
+Tpxgan0Iq9vPEb7d0OOt7+oJz66CS5AjzHjgyknYj259rW1MKNYX+H1B4kOdm0Bx
+9eXHxOaxtJaJJHamI91kT0NWJGLgy2PeSjKABMfrcmlYSEck3P71Dgon+EDhv6NS
+DHMn49eWeDQRywTZ1Lkd7guGL9bauvGZiGcWU40rQqIHe7ACTnnySgPwIR3WEpcH
+1u9LVUstsPfsvEJTxK0+AuN/OilcltY1ISV2/L6Uc4qce2f970J3hRhHn9ldeiOh
+FpuFBCRqF90BiBe2VnduZq3RBWXzAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAGU4
+V3YItAgFN8hp+ipVBmwz2Fi/ui+/RBuz11zhpYg3V1BZIcsHt1QaWhwfOydipeiW
+jScQ2fu0nawJlpM275R63xeJcNlp1qR0cbKFP5u7V5EOLIcwpOACKZ9rJUS3IrQ1
+yxdaM/jlh4y3wckiCC4+vnXtWa4EX5/euDlBU9hEJxHhwojEbgd1W91tGjkzv/t8
+UzIuxjWLMBfcVaKSiFOg8fBZttDiI578/rTz560+wtxwxgriK0ZZU01W9do9x+Yl
+tHToZvIB6vwfALWGhiVSNv5X5l40akRFRHuIOZqrRrP+3Avhq6QReYeaeI4C7eCw
+aNaDIEj9+5b/N7CkHwgI5gaogQtx4brgDOF+bw1+1bvQ3LCG1f12AKX2E+YEpr/w
+/lv96VFPnmktadnCGgzwiN3poEBz6seEtRWqFWD2yBySy5CSuhmo0MOGuYgyn2/2
+nYjB0oWyT7dlanqtv+N4xdV+0EqqQANfnHBd4AUOZiDcQPXpygn1JsGr29VxTxh4
+xN8rgcHEiDYRw78MHLxAXM5C8mhqLeQxGYHsILwAGeFFGmFMontiEnrKdSUqEgZ2
+W1yl0ZPehOLoen1aheAem5gvFV5AMB6iQqiG+CGUFeLxtHz1odpYHpR54NKKh0tj
+6pitN2Yt2GIiW4REmWP91B9ngWhSXpGHlB48mbgO
+-----END CERTIFICATE-----
diff --git a/certs/ca.srl b/certs/ca.srl
@@ -0,0 +1 @@
+A12D63448A5A6809
diff --git a/certs/client-auth-ca.key b/certs/client-auth-ca.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIJCKFdsqSX+sCAggA
+MB0GCWCGSAFlAwQBKgQQhfE6viFG/7MEMoDHe0N5agSCBNAv5UKv5KIAbN7bu+3Q
+vQaSQqFtEjWHZ0op7MtwtYrZdRMU3RYGkaXEqBNPImD5Z7tP7qPIDDh9VRVgHk6K
+tQFRmr/xqsUTmsz74VGfieyxl92+IEhUaIaBgIcW7TStoQpVV+mHBi1hfvGpecmU
+VbEwM8ToYlqHxGvoK6AAANP3bOezGlv4DqNI87gVlp2ujctnKZ8dY007WrsiUCVI
+GjT179kN6oiRxKKRehsrVgY9WusM5sM2lNTbwY+G7r/u3Hk8wkfIB0Iin3k8QwV7
+OpYaWkbxrRCDsAOvmc6xQhUjJjjtAn/EKcpstvfxpXyTSJHpK76GoHkBN2WOvgcf
+LinOYkld+Zx/fOVDjuESqMCvPypPb3n2i45rZ8pVCc6jk2/JaZWE8ldFDmxvp04A
+NX3sb0+THMOfejgSNBPeNUXcqjI2vbY3thdkzf+IvxOk2LIj1mHGratAcBW9MPqE
+nUKkY4OApt8fKb27xL5g6YXf5HoMHckEcB9krmDfWte/qtXmHl6ZUv/EqpQsrIvz
+yTpTJ4DxlnalWv9Wp65juZxAJbaDYArqTyttnDIvNbTQ5Bm3l1iGa2CJnEITUbF1
+huQ4lxJmyrZnS+5ki76McTCo6ND/3vqeyCbc/uIftbCxefoUxFA0O3ZGwK7EZUOH
+d3nVT/+XH8ivmZ5MDPA9qiqAtUdvPh87QPzeIGgw91xiHcjOnEcJlnxPaFqLWx2F
+Me0UwAXjmQgmjegL23+NQLPRh5mXwmgawAbyH0Cm0WhCumBeEmonXlmm37OXz0GX
+zi3uLmxvY0jnk37+oqUDbKw0v5xI3tar2BDl/+/Q4PgC4mLWFFWrGT4Fho4yYSr6
+7eKLahPl1a1jk+7OvWivct8QkbXVXDZHz6/HVbIi+OwwVeyEexH0DCzIvgqXSHSJ
+pkEQCHoyP+vYcpLeRbT37OLuPY9MQckW8a+EcGUDn5dJxsHKTUSdn05ILk8g71t2
+qag6BO0P6XJvPAJo4QyB2Om2PpoeEjbaT6rtjoT4tkYbD3/v59UNEYpnJR3knYTw
+HEsieTXTGLV0D3iojiwU2G5dcndJUxmRMexCwPgMJw0spb35mUbuKKqYcSrZ1K0m
+RSFeT9/RCVVzbul91IUARPVaUyE1FzyN1RALgL84HKVPwMsfOjaXkvAIvvNYT1Ag
+sFRYRYpu/aEClZNGaRrbu1jmbew1wHeD70b1iy8GjRhFz70igT+H3i0bVHEM/6uq
+VRMLR7LsfXlVgelyvWrI3p6yjKEGwgVNdWQM7FbbPGZOUcwFDlgTqzr551szQm4Z
+eRUN5KMcxMlmkIL1enMsVMG0MVi6o1ecF7qoJY+GSgoVEVYyYMFj+FBq0+jZfQPK
+YQsFB4hyQgUQiZE8fkOXjXVp+cdZtLcehHSfHtiJruPcWPDhijs1A9VD2vIDRgfv
+VU75JTWc/S/FwwfmhYE1R59XZd5avhUETq7uY16fhYROYVKSPUStPHDnjOL4vJag
+KBtObke1WbprPMINj9qxTSRddVRp15BlDSry492k/fMdcaxnpPQ5LTm4dkx4hkKc
+G3iPHtTMc5rtzdCzuaDZKYuCqK5xAHXLLUXJyN/44jWaS470c7FCzwGlfGmYbgYo
+PeD0sov0pRLf1E9XTqzqfu8sYg==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/certs/client-auth-ca.pem b/certs/client-auth-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDajCCAlICCQD4bLevNK0t4TANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJU
+WDELMAkGA1UECAwCVFgxIzAhBgNVBAoMGk1haWxndW4gVGVjaG5vbG9naWVzLCBJ
+bmMuMRQwEgYDVQQDDAttYWlsZ3VuLmNvbTEgMB4GCSqGSIb3DQEJARYRYWRtaW5A
+bWFpbGd1bi5jb20wHhcNMjAxMDI5MTY1OTA1WhcNMzAxMDI3MTY1OTA1WjB3MQsw
+CQYDVQQGEwJUWDELMAkGA1UECAwCVFgxIzAhBgNVBAoMGk1haWxndW4gVGVjaG5v
+bG9naWVzLCBJbmMuMRQwEgYDVQQDDAttYWlsZ3VuLmNvbTEgMB4GCSqGSIb3DQEJ
+ARYRYWRtaW5AbWFpbGd1bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDFC/R6UkS7kZhOHevochs6pLrCcfsF/fPXc9HESlLbBlrJRvM3snvAKaO0
+GDZwrwRjvcV4RQDnblDuWRTLMODFfQVT95Y0M5vRd/mwj6AIlMjP0+RkWXXyzeYm
+V1hU/I3OlIWfzLQ3JistIHQ9Yai8x0GnXsM70nRQlgE8+582FKaUzyBARXDS2N45
++Nck+7TyHKhxE/1Qpcj1r/Y3mUScDGEUZWhMAYI5mpoaZ9tVIGODsZeIj01PGQMg
+xkWYrI+l/+fIUZF1kZOMOvBg/Zq4/zIkjBKYm+UlmJ4sev8AwIlxmYT4UsI9O05k
+gBsLg0mNji14wYkFIFjqCHJ7LAVbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEdf
+AGOHroICT4b0bPDK2XZTtl6wbCvrPeuwCCJho6ODi19we2FOIbPwoGeJAE40L0S/
+fJP+GBg22uUtF4nvEXrRhIKhQeQx7a6dg0ovVfmhTbVJEhCxfaY7mp9sCqEPV1Up
+NqHYFp9dgBho7kakTODSfqw2WCyl1E3zOAa9ALOF/ynSor9IZeaD/ZrHe3kyYqwY
+Hanzq/MXIztBNBSZE1xf18DVPDDw9vfSS9KY3RKw8bHRczpd2CMNZ/Ma5cbgwehv
+gRdbBWum36a9SDUiK2LnjgJ8a2GWg+FuE2Mdzo2xoIr+Ennj9F6E5ZfZs5sueiSO
+H8l75DteSnn4+9lbPCE=
+-----END CERTIFICATE-----
diff --git a/certs/client-auth-ca.srl b/certs/client-auth-ca.srl
@@ -0,0 +1 @@
+02
diff --git a/certs/client-auth.conf b/certs/client-auth.conf
@@ -0,0 +1,2 @@
+[ ssl_client ]
+extendedKeyUsage = clientAuth
diff --git a/certs/client-auth.key b/certs/client-auth.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuFF5DAhUZG0SGRkn4Mp2JmQRD670Fxoo41lHfG8LlxymuXAi
+LKux/vblNd6DA4SF+tZ4nje00wSO0rlAM0OF4zoiz3bBSTw2XVsXkaW0GsWuCyEj
+1UvRmWoKScANKchOuHmiLgQkoOkGs47iGv6Lsl+ffBKe3TRLqu4iT7uXRYYtbDVd
+CTd9dCRu29+XMGKJ1ns2L6IH/KCenK1kIzBDWGvA4XcHFrjdm0zFr936wPbN6aRI
+/RTlZEhuuMRYU5r37I4Mabe/IfG0GTaihSwD3pasKbxlrivha/g50jmQDoueyWsN
+qgcKdCiu8fqWOS2XdPxQBgqA+WyPqq+Mb24ZCwIDAQABAoIBAElo+aMXNjWBU3H3
+mPBo8sG7nSf38HO7EYnrJxOiTqVy3dyBkrrj71KzFvtrkha2k34iKYwqd7SL3i6D
+ZdSFEjA8GV0z2SvH9YcdHrf9nUwEa5s3KcRsHCDUISDaguOfSesjVrqpH8WOygJ9
+6AQEWbNDbovGBsvnZjPAAJ5tAoTHi/R3N1koRlqTfGnsVouQLq5YsFQxqs5/V7dH
+s/F2hIn5021IVrWs4Olt+94Oavs6JBIMPm0PdmixikkhUF9Y3J58yd3/tkCHJpx/
+GymgMj0sl7KmNF+Jbk0iXEJiG3abuYvqHqCjZs40vgMZW4IvOFDddGgw0ve76S2V
+j1T7rhECgYEA8wH2VFM1wGDf1p3iwiIKBNAhW4J3IuTVD0CstaPPksekNdnHz3kd
+vT5N1845XuEa3UlNcCFgeV8D/+lHxc0mrilb9+FZzl4MK3h0oLsb8sLueQeotK3f
+pd/rQsw15mBkXpFQlefUrzgstXpNdEfAZaKd70Lqypq7AOWPJkWM5T8CgYEAwiw7
+CMknsvcLA5BEREuyCq28KOTQ/OeFMpeeksABegy0qMuV1cYsr6uG4+CPtVayk/ss
+xHwUvRHXXKPdsV+pn2PP3NZDfxyLVMS3LsKYeSx1kF9RJ+l3qZ92noL/7/mGAtij
+g9WOiM38XVm10PSs8IqAEI75ZGlWCwnK7Q2VnTUCgYACuLzniN8LPoqDPtVxUyxF
+jYcyHS30aBeyygilKCaFAFNofv3r5vFcUzxP9HFUDLVeURna7aTE9zl2PkidgIS0
+YqYzCoUU+JyuR/UWb8IKYACHvnw3OdNNakqaPutDn0TAgmQiqawKIljt12bSrJMN
+EFsweNFkX4NEqU2HIjRHxQKBgGo9bSeHeFMxXDNc8h00FXxGRtdRKw/VVUmzL643
+pBc1cHuSuK64uaZ8gVeZfMfJYfgZzArNoUM5yc4EUr5ECzkMkaTRDykzYwDEiT3q
+dyaFruWJYYwm77Q9bdeY8ZRJwIs6IW12oYA0xEoHVbW4yg7qmNt2fvnzsIJln0RI
+1H2pAoGBAIKTBFfvLKGg/YnLnJ30vVYaMW6vAHkIAueFWW1j9do1qkZG2dN9ucLF
+JG6KOCprReJpAHut/VLFnxdsCSmy1simhe2oWZYQTi0UiWf/E5aSJnHhXu6eTizk
+ERRq8Ewf2HL5fs4dk7qQLJNdQCR74FyEJNuoWmWlsLBdM4SSXCxo
+-----END RSA PRIVATE KEY-----
diff --git a/certs/client-auth.pem b/certs/client-auth.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIBAjANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJUWDEL
+MAkGA1UECAwCVFgxIzAhBgNVBAoMGk1haWxndW4gVGVjaG5vbG9naWVzLCBJbmMu
+MRQwEgYDVQQDDAttYWlsZ3VuLmNvbTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbWFp
+bGd1bi5jb20wHhcNMjAxMDI5MTY1OTA1WhcNMzAxMDI3MTY1OTA1WjB2MQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCVFgxIzAhBgNVBAoMGk1haWxndW4gVGVjaG5vbG9n
+aWVzLCBJbmMuMRMwEQYDVQQDDApjbGllbnQuY29tMSAwHgYJKoZIhvcNAQkBFhFh
+ZG1pbkBtYWlsZ3VuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALhReQwIVGRtEhkZJ+DKdiZkEQ+u9BcaKONZR3xvC5ccprlwIiyrsf725TXegwOE
+hfrWeJ43tNMEjtK5QDNDheM6Is92wUk8Nl1bF5GltBrFrgshI9VL0ZlqCknADSnI
+Trh5oi4EJKDpBrOO4hr+i7Jfn3wSnt00S6ruIk+7l0WGLWw1XQk3fXQkbtvflzBi
+idZ7Ni+iB/ygnpytZCMwQ1hrwOF3Bxa43ZtMxa/d+sD2zemkSP0U5WRIbrjEWFOa
+9+yODGm3vyHxtBk2ooUsA96WrCm8Za4r4Wv4OdI5kA6LnslrDaoHCnQorvH6ljkt
+l3T8UAYKgPlsj6qvjG9uGQsCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
+DQYJKoZIhvcNAQEFBQADggEBAEj2iWqIEP14MGqh9jaTIeg9OVEd1b+Df6jKTtSJ
+BdfhTozT8hM5bUQxKzsE58twuTmH9M6VQViEBhBQ8zk7pWlIZe/qHM5qbDFytULR
+JNLhLukCR+kabw2lHL+MRiljzcwQMrOV+uPgI2XFgRe+ow18nfeEIK2tzclx9y1H
+TYtqCc3ndjK8ZHh5pKRd4GBMkXgN+QeETj3Pr8+jTFLlMynpwKJMwi/uAAkagfFO
+PPVBvIMwnYhV9bPF/AsOs4B+DYkK+eY/RM6POuzGeIs9g3SCVYc7lrYKBMcVfuZI
+LZAV5B5E5XKePXe3cVgfgEto7OSL1hjiMWZev98baEA6LU8=
+-----END CERTIFICATE-----
diff --git a/certs/client-auth.req b/certs/client-auth.req
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICuzCCAaMCAQAwdjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlRYMSMwIQYDVQQK
+DBpNYWlsZ3VuIFRlY2hub2xvZ2llcywgSW5jLjETMBEGA1UEAwwKY2xpZW50LmNv
+bTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbWFpbGd1bi5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC4UXkMCFRkbRIZGSfgynYmZBEPrvQXGijjWUd8
+bwuXHKa5cCIsq7H+9uU13oMDhIX61nieN7TTBI7SuUAzQ4XjOiLPdsFJPDZdWxeR
+pbQaxa4LISPVS9GZagpJwA0pyE64eaIuBCSg6QazjuIa/ouyX598Ep7dNEuq7iJP
+u5dFhi1sNV0JN310JG7b35cwYonWezYvogf8oJ6crWQjMENYa8DhdwcWuN2bTMWv
+3frA9s3ppEj9FOVkSG64xFhTmvfsjgxpt78h8bQZNqKFLAPelqwpvGWuK+Fr+DnS
+OZAOi57Jaw2qBwp0KK7x+pY5LZd0/FAGCoD5bI+qr4xvbhkLAgMBAAGgADANBgkq
+hkiG9w0BAQUFAAOCAQEAhrHrhsYmeCpMUSqrgYcEo3swwb4EvdcmZESzTsSnePt8
+21FGoY7ccXr5itUbH2VeFz02u171L+14wfQ3zjsgZt7orMC6qsCt84nYnXJ8mjMP
+aQ5GprB4aXSgsdMZk1YtSrTa094SlcSuLRLnH/xtIa2RiLr06zQZZWVljwDvL8nZ
+D/gFrC8nmtcW1J/0RXfDxdzpdAgwhiMg9Pwqqntz4IO0eTFma/Vq3MdWff+Hee0W
++j0eaqvkX+dBlYPOKg3lpN8ZFbw3pUWC9yKT4hRjaa8JczyCxZsG4MsMv88xa7rm
+pjNlSwggbr7ZI4/XST5fdKlSylg1Py72HLuz7L7h6g==
+-----END CERTIFICATE REQUEST-----
diff --git a/certs/gubernator.conf b/certs/gubernator.conf
@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+[dn]
+C = US
+ST = TX
+O = Mailgun Technologies, Inc.
+CN = localhost
+[req_ext]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+IP.1 = ::1
+IP.2 = 127.0.0.1