feat: add ca, cert and key options to support mTLS #46

wants to merge 4 commits into
base: master
24 changes: 24 additions & 0 deletions README.md
Expand Up @@ -143,6 +143,9 @@ specifying flags is:
--consul-url=
--consul-acl=
--consul-base-path=
--ca-file=
--key-file=
--cert-file=
--log-level=
--expand-json=
--secrets-file=
Expand Down Expand Up @@ -328,6 +331,27 @@ automatically appended.
This is useful when the Consul cluster as all the KV paths segregated (namespaced) by teams or
projects.

### `--ca-file`

> `require:` **no**
> `example:` **`--ca-file=/path/my_ca.crt`**

This is the path for ca certfile for mTLS connection.

### `--cert-file`

> `require:` **no**
> `example:` **`--cert-file=/path/my_cert.crt`**

This is the path for cert certfile mTLS connection.

### `--key-file`

> `require:` **no**
> `example:` **`--key-file=/path/my_key.crt`**

This is the path for key certfile mTLS connection.

### `--log-level`

> `require:` **no**
3 changes: 2 additions & 1 deletion app/app_test.go
Expand Up @@ -4,9 +4,10 @@ import (
"github.com/miniclip/gonsul/internal/config"
"github.com/miniclip/gonsul/tests/mocks"

. "github.com/onsi/gomega"
"os"
"testing"

. "github.com/onsi/gomega"
)

func getCommonMocks() (cfg *mocks.IConfig, log *mocks.ILogger, exp *mocks.IExporter, imp *mocks.IImporter) {
38 changes: 32 additions & 6 deletions cmd/gonsul.go
@@ -1,16 +1,20 @@
package main

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"time"

"github.com/miniclip/gonsul/app"
"github.com/miniclip/gonsul/internal/config"
"github.com/miniclip/gonsul/internal/exporter"
"github.com/miniclip/gonsul/internal/importer"
"github.com/miniclip/gonsul/internal/util"

"fmt"
"net/http"
"os"
"time"
)

func main() {
Expand Down Expand Up @@ -41,9 +45,31 @@ func start() {
return
}

var certificate tls.Certificate
var caCertPool *x509.CertPool
if len(cfg.GetKeyFile()) != 0 && len(cfg.GetCaFile()) != 0 && len(cfg.GetCertFile()) != 0 {
cert, err := ioutil.ReadFile(cfg.GetCaFile())
if err != nil {
log.Fatalf("could not open certificate file: %v", err)
}
caCertPool = x509.NewCertPool()
caCertPool.AppendCertsFromPEM(cert)

certificate, err = tls.LoadX509KeyPair(cfg.GetCertFile(), cfg.GetKeyFile())
if err != nil {
log.Fatalf("could not load certificate: %v", err)
}
}

// Build all dependencies for our application
hookHttpServer := app.NewHookHttp(cfg, logger)
httpClient := &http.Client{Timeout: time.Second * time.Duration(cfg.GetTimeout())}
httpClient := &http.Client{Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: caCertPool,
Certificates: []tls.Certificate{certificate},
},
}, Timeout: time.Second * time.Duration(cfg.GetTimeout())}

exp := exporter.NewExporter(cfg, logger)
imp := importer.NewImporter(cfg, logger, httpClient)
sigChannel := make(chan os.Signal)
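Review bot: `caCertPool.AppendCertsFromPEM(cert)` right after `x509.NewCertPool()` discards its boolean result, so a `--ca-file` that holds no parseable PEM certificate produces an empty pool and the problem only surfaces later as an opaque handshake failure against Consul; check the return and fail at startup, as the hunk already does for the key pair. The guard `if len(cfg.GetKeyFile()) != 0 && len(cfg.GetCaFile()) != 0 && len(cfg.GetCertFile()) != 0` also means a partially configured set of the three flags silently falls through to a plain connection with default roots and no client certificate, which should be rejected as a configuration error instead. The new bare `&http.Transport{...}` drops everything `http.DefaultTransport` gave the client before this change (proxy from environment, dial and TLS handshake timeouts, HTTP/2), so cloning the default transport and only setting `TLSClientConfig` keeps the previous behaviour, and leaving it nil when mTLS is off avoids shipping a zero-value `tls.Certificate` in `Certificates`. The message `"could not open certificate file"` is emitted for the CA file and should say so. `start()` begins and ends outside the hunk; a sketch of the rewritten section follows.
```go
// … unchanged: config loading and early return …
var tlsCfg *tls.Config
haveKey, haveCert, haveCA := cfg.GetKeyFile() != "", cfg.GetCertFile() != "", cfg.GetCaFile() != ""
if haveKey || haveCert || haveCA {
	if !(haveKey && haveCert && haveCA) {
		log.Fatal("mTLS requires --ca-file, --cert-file and --key-file to be set together")
	}
	caPEM, err := ioutil.ReadFile(cfg.GetCaFile())
	if err != nil {
		log.Fatalf("could not read CA certificate file: %v", err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caPEM) {
		log.Fatalf("no valid PEM certificates found in CA file %q", cfg.GetCaFile())
	}
	certificate, err := tls.LoadX509KeyPair(cfg.GetCertFile(), cfg.GetKeyFile())
	if err != nil {
		log.Fatalf("could not load client certificate: %v", err)
	}
	tlsCfg = &tls.Config{RootCAs: caCertPool, Certificates: []tls.Certificate{certificate}}
}

// Build all dependencies for our application
hookHttpServer := app.NewHookHttp(cfg, logger)
// Keep the default transport's proxy, dial and handshake settings; only override TLS.
transport := http.DefaultTransport.(*http.Transport).Clone()
transport.TLSClientConfig = tlsCfg
httpClient := &http.Client{Transport: transport, Timeout: time.Second * time.Duration(cfg.GetTimeout())}
// … unchanged: exporter/importer wiring and signal channel …
```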
22 changes: 22 additions & 0 deletions internal/config/config.go
Expand Up @@ -9,6 +9,7 @@ import (
"io/ioutil"
"os"
"strings"

"github.com/namsral/flag"
)

Expand All @@ -31,6 +32,9 @@ type config struct {
consulURL string
consulACL string
consulBasePath string
keyFile string
certFile string
caFile string
expandJSON bool
expandYAML bool
doSecrets bool
Expand Down Expand Up @@ -60,6 +64,9 @@ type IConfig interface {
GetConsulURL() string
GetConsulACL() string
GetConsulBasePath() string
GetKeyFile() string
GetCaFile() string
GetCertFile() string
ShouldExpandJSON() bool
ShouldExpandYAML() bool
DoSecrets() bool
Expand Down Expand Up @@ -155,6 +162,9 @@ func buildConfig(flags ConfigFlags) (*config, error) {
consulURL: *flags.ConsulURL,
consulACL: *flags.ConsulACL,
consulBasePath: *flags.ConsulBasePath,
keyFile: *flags.KeyFile,
caFile: *flags.CaFile,
certFile: *flags.CertFile,
expandJSON: *flags.ExpandJSON,
expandYAML: *flags.ExpandYAML,
doSecrets: doSecrets,
Expand Down Expand Up @@ -205,6 +215,18 @@ func (config *config) GetRepoBasePath() string {
return config.repoBasePath
}

func (config *config) GetKeyFile() string {
return config.keyFile
}

func (config *config) GetCaFile() string {
return config.caFile
}

func (config *config) GetCertFile() string {
return config.certFile
}

func (config *config) GetRepoRootDir() string {
return config.repoRootDir
}
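Review bot: `GetCaFile` on the exported `IConfig` interface breaks the initialism casing the same interface already uses (`GetConsulURL`, `GetConsulACL`), and because it is an interface method any later rename is a breaking change for every implementer and mock, so `GetCAFile() string` is worth settling now. The same spelling is repeated by the struct field and builder in this file, by `CaFile` in flags_parser.go and by the call in cmd/gonsul.go, so all three sections would change together. The enclosing `type config struct`, `type IConfig interface` and `buildConfig` definitions start and end outside the visible hunks.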
7 changes: 7 additions & 0 deletions internal/config/flags_parser.go
Expand Up @@ -3,6 +3,7 @@ package config
import (
"fmt"
"os"

"github.com/miniclip/gonsul/internal/util"
"github.com/namsral/flag"
)
Expand All @@ -20,6 +21,9 @@ type ConfigFlags struct {
ConsulURL *string
ConsulACL *string
ConsulBasePath *string
KeyFile *string
CaFile *string
CertFile *string
ExpandJSON *bool
ExpandYAML *bool
SecretsFile *string
Expand Down Expand Up @@ -50,6 +54,9 @@ func parseFlags() ConfigFlags {
flags.ConsulURL = flag.String("consul-url", "", "(REQUIRED) The Consul URL REST API endpoint (Full URL with scheme)")
flags.ConsulACL = flag.String("consul-acl", "", "The Consul ACL to use (Must have write on the KV following --consul-base path)")
flags.ConsulBasePath = flag.String("consul-base-path", "", "The base KV path will be prefixed to dir path")
flags.KeyFile = flag.String("key-file", "", "The key path for mTls")
flags.CaFile = flag.String("ca-file", "", "The ca certificate path for mTLS")
flags.CertFile = flag.String("cert-file", "", "The certificate path for mTLS")
flags.ExpandJSON = flag.Bool("expand-json", false, "Expand and parse JSON files as full paths? (Default false)")
flags.ExpandYAML = flag.Bool("expand-yaml", false, "Expand and parse YAML files as full paths? (Default false)")
flags.SecretsFile = flag.String("secrets-file", "", "A key value json file with placeholders->secrets mapping, in order to do on the fly replace")
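Review bot: The help text `"The key path for mTls"` spells the acronym differently from the two neighbouring flags (`"mTLS"`), and none of the three descriptions tell the operator that the options are only honoured as a set, which is how cmd/gonsul.go consumes them. Something like `flags.KeyFile = flag.String("key-file", "", "The client private key path for mTLS (requires --ca-file and --cert-file)")`, with the matching cross-reference on `ca-file` and `cert-file`, makes the requirement visible in `--help` instead of only in the README. `parseFlags()` begins and ends outside the hunk.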