Pipe TLS to DERP mesh

kylecarbs · kylecarbs · commit c1aa3d230740 · 2022-10-15T00:36:24.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -322,6 +322,9 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				Experimental:                ExperimentalEnabled(cmd),
 				DeploymentFlags:             dflags,
 			}
+			if tlsConfig != nil {
+				options.TLSCertificates = tlsConfig.Certificates
+			}
 
 			if dflags.OAuth2GithubClientSecret.Value != "" {
 				options.GithubOAuth2Config, err = configureGithubOAuth2(accessURLParsed,
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -1,6 +1,7 @@
 package coderd
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"io"
 	"net/http"
@@ -76,6 +77,8 @@ type Options struct {
 	TracerProvider       trace.TracerProvider
 	AutoImportTemplates  []AutoImportTemplate
 
+	// TLSCertificates is used to mesh DERP servers securely.
+	TLSCertificates    []tls.Certificate
 	TailnetCoordinator tailnet.Coordinator
 	DERPServer         *derp.Server
 	DERPMap            *tailcfg.DERPMap
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -3,6 +3,7 @@ package coderd
 import (
 	"context"
 	"crypto/ed25519"
+	"crypto/tls"
 	"net/http"
 	"sync"
 	"time"
@@ -137,7 +138,11 @@ func New(ctx context.Context, options *Options) (*API, error) {
 	if err != nil {
 		return nil, xerrors.Errorf("initialize replica: %w", err)
 	}
-	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, nil)
+	// nolint:gosec
+	api.derpMesh = derpmesh.New(options.Logger.Named("derpmesh"), api.DERPServer, &tls.Config{
+		Certificates: options.TLSCertificates,
+		ServerName:   options.AccessURL.Host,
+	})
 
 	err = api.updateEntitlements(ctx)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,9 @@ func Server(dflags codersdk.DeploymentFlags, newAPI func(context.Context, code`
`322`	`322`	`Experimental: ExperimentalEnabled(cmd),`
`323`	`323`	`DeploymentFlags: dflags,`
`324`	`324`	`}`
	`325`	`+ if tlsConfig != nil {`
	`326`	`+ options.TLSCertificates = tlsConfig.Certificates`
	`327`	`+ }`
`325`	`328`
`326`	`329`	`if dflags.OAuth2GithubClientSecret.Value != "" {`
`327`	`330`	`options.GithubOAuth2Config, err = configureGithubOAuth2(accessURLParsed,`