From 318a80f824c29e0d7c6d9e030cef960c21709c36 Mon Sep 17 00:00:00 2001 From: ben-toogood Date: Thu, 9 Jul 2020 18:02:24 +0100 Subject: [PATCH] config/cmd: improve cert loading for infra (#1813) * config/cmd: improve cert loading for infra * config/cmd: remove certificate_authorities flag * config/cmd: fix caps * config/cmd: fix bug with IsSet * config/cmd: fix bool flags --- config/cmd/cmd.go | 84 ++++++++++++++++++++++++++++++----------------- 1 file changed, 53 insertions(+), 31 deletions(-) diff --git a/config/cmd/cmd.go b/config/cmd/cmd.go index c03a9e86..070a5f9e 100644 --- a/config/cmd/cmd.go +++ b/config/cmd/cmd.go @@ -113,11 +113,6 @@ var ( DefaultCmd = newCmd() DefaultFlags = []cli.Flag{ - &cli.StringFlag{ - Name: "certificate_authorities", - EnvVars: []string{"MICRO_CERTIFICATE_AUTHORITIES"}, - Usage: "Commar-seperated list of certificate authorities, e.g. '/certs/ca.crt'", - }, &cli.StringFlag{ Name: "client", EnvVars: []string{"MICRO_CLIENT"}, @@ -202,10 +197,20 @@ var ( EnvVars: []string{"MICRO_BROKER_ADDRESS"}, Usage: "Comma-separated list of broker addresses", }, - &cli.BoolFlag{ - Name: "broker_secure", - Usage: "Secure connection to broker", - EnvVars: []string{"MICRO_BROKER_SECURE"}, + &cli.StringFlag{ + Name: "broker_tls_ca", + Usage: "Certificate authority for TLS with broker", + EnvVars: []string{"MICRO_BROKER_TLS_CA"}, + }, + &cli.StringFlag{ + Name: "broker_tls_cert", + Usage: "Client cert for TLS with broker", + EnvVars: []string{"MICRO_BROKER_TLS_CERT"}, + }, + &cli.StringFlag{ + Name: "broker_tls_key", + Usage: "Client key for TLS with broker", + EnvVars: []string{"MICRO_BROKER_TLS_KEY"}, }, &cli.StringFlag{ Name: "profile", 
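Review bot: The Usage strings on the new `broker_tls_ca`, `broker_tls_cert` and `broker_tls_key` flags do not say that each value is a file path, which is how `Before` consumes them (`ioutil.ReadFile` for the CA, `tls.LoadX509KeyPair` for cert and key); the same applies to the registry flags in the next hunk. Suggest e.g. `Usage: "Path to a PEM-encoded CA certificate used to verify the broker's TLS certificate"`, `Usage: "Path to the PEM-encoded client certificate for TLS with the broker"`, `Usage: "Path to the PEM-encoded client key for TLS with the broker"`. Dropping the `broker_secure` BoolFlag also means an existing `MICRO_BROKER_SECURE` setting is now silently ignored rather than rejected, so a deprecation note for operators would be worth adding.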
@@ -222,12 +227,21 @@ var ( EnvVars: []string{"MICRO_REGISTRY_ADDRESS"}, Usage: "Comma-separated list of registry addresses", }, - &cli.BoolFlag{ - Name: "registry_secure", - Usage: "Secure connection to registry", - EnvVars: []string{"MICRO_REGISTRY_SECURE"}, + &cli.StringFlag{ + Name: "registry_tls_ca", + Usage: "Certificate authority for TLS with registry", + EnvVars: []string{"MICRO_REGISTRY_TLS_CA"}, }, &cli.StringFlag{ + Name: "registry_tls_cert", + Usage: "Client cert for TLS with registry", + EnvVars: []string{"MICRO_REGISTRY_TLS_CERT"}, + }, + &cli.StringFlag{ + Name: "registry_tls_key", + Usage: "Client key for TLS with registry", + EnvVars: []string{"MICRO_REGISTRY_TLS_KEY"}, + }, &cli.StringFlag{ Name: "runtime", Usage: "Runtime for building and running services e.g local, kubernetes", EnvVars: []string{"MICRO_RUNTIME"}, @@ -515,18 +529,6 @@ func (c *cmd) Options() Options { } func (c *cmd) Before(ctx *cli.Context) error { - // Setup custom certificate authorities - caCertPool := x509.NewCertPool() - if len(ctx.String("certificate_authorities")) > 0 { - for _, ca := range strings.Split(ctx.String("certificate_authorities"), ",") { - crt, err := ioutil.ReadFile(ca) - if err != nil { - logger.Fatalf("Error loading registry certificate authority: %v", err) - } - caCertPool.AppendCertsFromPEM(crt) - } - } - // Setup client options var clientOpts []client.Option 
@@ -679,10 +681,20 @@ func (c *cmd) Before(ctx *cli.Context) error { } // Parse broker TLS certs - if ctx.Bool("broker_secure") { - cert, err := tls.LoadX509KeyPair("/certs/broker/cert.pem", "/certs/broker/key.pem") + if ctx.IsSet("broker_tls_cert") || ctx.IsSet("broker_tls_key") { + cert, err := tls.LoadX509KeyPair(ctx.String("broker_tls_cert"), ctx.String("broker_tls_key")) if err != nil { - logger.Fatalf("Error loading broker x509 key pair: %v", err) + logger.Fatalf("Error loading broker TLS cert: %v", err) + } + + // load custom certificate authority + caCertPool := x509.NewCertPool() + if ctx.IsSet("broker_tls_ca") { + crt, err := ioutil.ReadFile(ctx.String("broker_tls_ca")) + if err != nil { + logger.Fatalf("Error loading broker TLS certificate authority: %v", err) + } + caCertPool.AppendCertsFromPEM(crt) } cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool} @@ -693,10 +705,20 @@ func (c *cmd) Before(ctx *cli.Context) error { registryOpts := []registry.Option{registrySrv.WithClient(microClient)} // Parse registry TLS certs - if ctx.Bool("registry_secure") { - cert, err := tls.LoadX509KeyPair("/certs/registry/cert.pem", "/certs/registry/key.pem") + if ctx.IsSet("registry_tls_cert") || ctx.IsSet("registry_tls_key") { + cert, err := tls.LoadX509KeyPair(ctx.String("registry_tls_cert"), ctx.String("registry_tls_key")) if err != nil { - logger.Fatalf("Error loading registry x509 key pair: %v", err) + logger.Fatalf("Error loading registry tls cert: %v", err) + } + + // load custom certificate authority + caCertPool := x509.NewCertPool() + if ctx.IsSet("registry_tls_ca") { + crt, err := ioutil.ReadFile(ctx.String("registry_tls_ca")) + if err != nil { + logger.Fatalf("Error loading registry tls certificate authority: %v", err) + } + caCertPool.AppendCertsFromPEM(crt) } cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
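Review bot: With the `||` condition, setting only one of `broker_tls_cert`/`broker_tls_key` passes an empty path to `tls.LoadX509KeyPair`, so the process dies with an opaque file-open error instead of naming the missing flag; the registry block in the following hunk has the same shape. The bool returned by `AppendCertsFromPEM` is dropped, so a CA file with no parseable certificates silently leaves the pool empty, and because `x509.NewCertPool()` is created unconditionally, omitting `broker_tls_ca` sets `RootCAs` to an empty non-nil pool, which rejects every server certificate rather than falling back to the system roots. Note also that the CA block sits inside the cert/key condition, so `broker_tls_ca` on its own never enables TLS; if that is intended it should be stated in the flag usage. The sketch below requires both halves of the key pair, checks the PEM parse result, and leaves RootCAs nil when no CA is supplied; the enclosing `Before` continues outside the hunk.
```go
	// Parse broker TLS certs
	if ctx.IsSet("broker_tls_cert") || ctx.IsSet("broker_tls_key") {
		if !ctx.IsSet("broker_tls_cert") || !ctx.IsSet("broker_tls_key") {
			logger.Fatalf("Error loading broker TLS cert: broker_tls_cert and broker_tls_key must both be set")
		}
		cert, err := tls.LoadX509KeyPair(ctx.String("broker_tls_cert"), ctx.String("broker_tls_key"))
		if err != nil {
			logger.Fatalf("Error loading broker TLS cert: %v", err)
		}

		// load custom certificate authority; a nil RootCAs means the system roots are used
		var caCertPool *x509.CertPool
		if ctx.IsSet("broker_tls_ca") {
			crt, err := ioutil.ReadFile(ctx.String("broker_tls_ca"))
			if err != nil {
				logger.Fatalf("Error loading broker TLS certificate authority: %v", err)
			}
			caCertPool = x509.NewCertPool()
			if !caCertPool.AppendCertsFromPEM(crt) {
				logger.Fatalf("Error loading broker TLS certificate authority: no certificates found in %s", ctx.String("broker_tls_ca"))
			}
		}

		cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
		// … unchanged: remainder of broker TLS setup …
```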