feat(router): TLS support

Author: ardatan

Cargo.lock

@@ -66,7 +66,7 @@ tokio = { version = "1.47.1", features = ["full"] }
 tokio-util = { version = "0.7.16" }
 rand = "0.10.0"
 jsonwebtoken = { version = "10.3.0", features = ["rust_crypto"] }
-ntex = { version = "3.4.0", features = ["tokio"] }
+ntex = { version = "3.4.0", features = ["tokio", "rustls"] }
 tonic = { version = "0.14.2", features = ["tls-aws-lc"] }
 reqwest = { version = "0.12.23", default-features = false, features = ["http2", "rustls-tls"] }
 reqwest-retry = "0.8.0"

Cargo.toml

@@ -1,4 +1,5 @@
 use hive_router_config::RouterConfigError;
+use hive_router_plan_executor::executors::error::TlsCertificatesError;
 
 use crate::{
     jwt::jwks_manager::JwksSourceError, pipeline::usage_reporting::UsageReportingError,
@@ -32,4 +33,6 @@ pub enum RouterInitError {
         endpoint_name_two: String,
         endpoint: String,
     },
+    #[error(transparent)]
+    TlsCertificatesError(#[from] TlsCertificatesError),
 }

bin/router/src/error.rs

@@ -70,6 +70,7 @@ pub use sonic_rs;
 pub use tokio;
 pub use tracing;
 use tracing::{info, warn, Instrument};
+pub mod tls;
 
 static GRAPHIQL_HTML: &str = include_str!("../static/graphiql.html");
 
@@ -188,7 +189,7 @@ pub async fn router_entrypoint(plugin_registry: PluginRegistry) -> Result<(), Ro
     paths.detect_conflicts(&prometheus)?;
 
     let graphql_path = graphql_path.to_string();
-    let maybe_error = web::HttpServer::new(async move || {
+    let server = web::HttpServer::new(async move || {
         let landing_page_path = graphql_path.clone();
         let prometheus = prometheus.clone();
         web::App::new()
@@ -199,9 +200,22 @@ pub async fn router_entrypoint(plugin_registry: PluginRegistry) -> Result<(), Ro
             .default_service(web::to(move || {
                 landing_page_handler(landing_page_path.clone())
             }))
-    })
-    .bind(&addr)
-    .map_err(|err| RouterInitError::HttpServerBindError(addr, err))?
+    });
+
+    let tls_config = shared_state_clone
+        .router_config
+        .traffic_shaping
+        .router
+        .tls
+        .as_ref();
+
+    let maybe_error = if let Some(tls_config) = tls_config {
+        let rustls_config = tls::build_rustls_config(tls_config)?;
+        server.bind_rustls(&addr, &rustls_config)
+    } else {
+        server.bind(&addr)
+    }
+    .map_err(|err| RouterInitError::HttpServerBindError(addr.to_string(), err))?
     .run()
     .await
     .map_err(RouterInitError::HttpServerStartError);

bin/router/src/lib.rs

@@ -0,0 +1,30 @@
+use std::sync::Arc;
+
+use hive_router_config::traffic_shaping::ServerTLSConfig;
+use hive_router_plan_executor::executors::{
+    error::TlsCertificatesError, map::from_cert_file_config_to_certificate_der,
+};
+use rustls::{
+    pki_types::{pem::PemObject, PrivateKeyDer},
+    server::{NoClientAuth, WebPkiClientVerifier},
+    RootCertStore, ServerConfig,
+};
+
+pub fn build_rustls_config(
+    tls_config: &ServerTLSConfig,
+) -> Result<ServerConfig, TlsCertificatesError> {
+    let client_auth = if let Some(client_auth_config) = tls_config.client_auth.as_ref() {
+        let certs = from_cert_file_config_to_certificate_der(&client_auth_config.cert_file)?;
+        let mut roots = RootCertStore::empty();
+        roots.add_parsable_certificates(certs);
+        WebPkiClientVerifier::builder(roots.into()).build()?
+    } else {
+        Arc::new(NoClientAuth)
+    };
+    let certs = from_cert_file_config_to_certificate_der(&tls_config.cert_file)?;
+    let key = PrivateKeyDer::from_pem_file(&tls_config.key_file.absolute)
+        .map_err(|err| TlsCertificatesError::CustomTlsCertificatesError("key_file", err))?;
+    Ok(ServerConfig::builder()
+        .with_client_cert_verifier(client_auth)
+        .with_single_cert(certs, key)?)
+}