management/support cert from file (#122)

* feature: support cert file in management service

* docs: add new management commands

management/cmd/management.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"github.com/wiretrustee/wiretrustee/management/server"
@@ -25,6 +26,8 @@ var (
 	mgmtDataDir           string
 	mgmtConfig            string
 	mgmtLetsencryptDomain string
+	certFile              string
+	certKey               string
 
 	kaep = keepalive.EnforcementPolicy{
 		MinTime:             15 * time.Second,
@@ -71,12 +74,23 @@ var (
 
 			var httpServer *http.Server
 			if config.HttpConfig.LetsEncryptDomain != "" {
+				//automatically generate a new certificate with Let's Encrypt
 				certManager := encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
 				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
 				opts = append(opts, grpc.Creds(transportCredentials))
 
 				httpServer = http.NewHttpsServer(config.HttpConfig, certManager, accountManager)
+			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
+				//use provided certificate
+				tlsConfig, err := loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
+				if err != nil {
+					log.Fatal("cannot load TLS credentials: ", err)
+				}
+				transportCredentials := credentials.NewTLS(tlsConfig)
+				opts = append(opts, grpc.Creds(transportCredentials))
+				httpServer = http.NewHttpsServerWithTLSConfig(config.HttpConfig, tlsConfig, accountManager)
 			} else {
+				//start server without SSL
 				httpServer = http.NewHttpServer(config.HttpConfig, accountManager)
 			}
 
@@ -136,14 +150,37 @@ func loadConfig() (*server.Config, error) {
 		config.Datadir = mgmtDataDir
 	}
 
+	if certKey != "" && certFile != "" {
+		config.HttpConfig.CertFile = certFile
+		config.HttpConfig.CertKey = certKey
+	}
+
 	return config, err
 }
 
+func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
+	// Load server's certificate and private key
+	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the credentials and return it
+	config := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+	}
+
+	return config, nil
+}
+
 func init() {
 	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 33073, "server port to listen on")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", "/var/lib/wiretrustee/", "server data directory location")
 	mgmtCmd.Flags().StringVar(&mgmtConfig, "config", "/etc/wiretrustee/management.json", "Wiretrustee config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
 	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
+	mgmtCmd.Flags().StringVar(&certFile, "cert-file", "", "Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
+	mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
 
 	rootCmd.MarkFlagRequired("config") //nolint