enable webhook server set-up mTLS service to verify client's certificate according to the given CAName

Author: answer1991

pkg/webhook/server.go

@@ -19,7 +19,9 @@ package webhook
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"os"
@@ -57,6 +59,10 @@ type Server struct {
 	// CertName is the server key name. Defaults to tls.key.
 	KeyName string
 
+	// CAName is the CA certificate name which server used to verify remote(client)'s certificate.
+	// Defaults to "", which means server does not verify client's certificate.
+	CAName string
+
 	// WebhookMux is the multiplexer that handles different webhooks.
 	WebhookMux *http.ServeMux
 
@@ -168,6 +174,23 @@ func (s *Server) Start(stop <-chan struct{}) error {
 		GetCertificate: certWatcher.GetCertificate,
 	}
 
+	// load CA to verify client certificate
+	if len(s.CAName) > 0 {
+		certPool := x509.NewCertPool()
+		clientCABytes, err := ioutil.ReadFile(filepath.Join(s.CertDir, s.CAName))
+		if err != nil {
+			return fmt.Errorf("failed to read client CA cert: %v", err)
+		}
+
+		ok := certPool.AppendCertsFromPEM(clientCABytes)
+		if !ok {
+			return fmt.Errorf("failed to append client CA cert to CA pool")
+		}
+
+		cfg.RootCAs = certPool
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
 	listener, err := tls.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(int(s.Port))), cfg)
 	if err != nil {
 		return err