config/cmd: improve cert loading for infra (#1813)
* config/cmd: improve cert loading for infra * config/cmd: remove certificate_authorities flag * config/cmd: fix caps * config/cmd: fix bug with IsSet * config/cmd: fix bool flags
This commit is contained in:
parent
6d9a38a747
commit
318a80f824
@ -113,11 +113,6 @@ var (
|
|||||||
DefaultCmd = newCmd()
|
DefaultCmd = newCmd()
|
||||||
|
|
||||||
DefaultFlags = []cli.Flag{
|
DefaultFlags = []cli.Flag{
|
||||||
&cli.StringFlag{
|
|
||||||
Name: "certificate_authorities",
|
|
||||||
EnvVars: []string{"MICRO_CERTIFICATE_AUTHORITIES"},
|
|
||||||
Usage: "Commar-seperated list of certificate authorities, e.g. '/certs/ca.crt'",
|
|
||||||
},
|
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "client",
|
Name: "client",
|
||||||
EnvVars: []string{"MICRO_CLIENT"},
|
EnvVars: []string{"MICRO_CLIENT"},
|
||||||
@ -202,10 +197,20 @@ var (
|
|||||||
EnvVars: []string{"MICRO_BROKER_ADDRESS"},
|
EnvVars: []string{"MICRO_BROKER_ADDRESS"},
|
||||||
Usage: "Comma-separated list of broker addresses",
|
Usage: "Comma-separated list of broker addresses",
|
||||||
},
|
},
|
||||||
&cli.BoolFlag{
|
&cli.StringFlag{
|
||||||
Name: "broker_secure",
|
Name: "broker_tls_ca",
|
||||||
Usage: "Secure connection to broker",
|
Usage: "Certificate authority for TLS with broker",
|
||||||
EnvVars: []string{"MICRO_BROKER_SECURE"},
|
EnvVars: []string{"MICRO_BROKER_TLS_CA"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "broker_tls_cert",
|
||||||
|
Usage: "Client cert for TLS with broker",
|
||||||
|
EnvVars: []string{"MICRO_BROKER_TLS_CERT"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "broker_tls_key",
|
||||||
|
Usage: "Client key for TLS with broker",
|
||||||
|
EnvVars: []string{"MICRO_BROKER_TLS_KEY"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "profile",
|
Name: "profile",
|
||||||
@ -222,12 +227,21 @@ var (
|
|||||||
EnvVars: []string{"MICRO_REGISTRY_ADDRESS"},
|
EnvVars: []string{"MICRO_REGISTRY_ADDRESS"},
|
||||||
Usage: "Comma-separated list of registry addresses",
|
Usage: "Comma-separated list of registry addresses",
|
||||||
},
|
},
|
||||||
&cli.BoolFlag{
|
&cli.StringFlag{
|
||||||
Name: "registry_secure",
|
Name: "registry_tls_ca",
|
||||||
Usage: "Secure connection to registry",
|
Usage: "Certificate authority for TLS with registry",
|
||||||
EnvVars: []string{"MICRO_REGISTRY_SECURE"},
|
EnvVars: []string{"MICRO_REGISTRY_TLS_CA"},
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
|
Name: "registry_tls_cert",
|
||||||
|
Usage: "Client cert for TLS with registry",
|
||||||
|
EnvVars: []string{"MICRO_REGISTRY_TLS_CERT"},
|
||||||
|
},
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "registry_tls_key",
|
||||||
|
Usage: "Client key for TLS with registry",
|
||||||
|
EnvVars: []string{"MICRO_REGISTRY_TLS_KEY"},
|
||||||
|
}, &cli.StringFlag{
|
||||||
Name: "runtime",
|
Name: "runtime",
|
||||||
Usage: "Runtime for building and running services e.g local, kubernetes",
|
Usage: "Runtime for building and running services e.g local, kubernetes",
|
||||||
EnvVars: []string{"MICRO_RUNTIME"},
|
EnvVars: []string{"MICRO_RUNTIME"},
|
||||||
@ -515,18 +529,6 @@ func (c *cmd) Options() Options {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *cmd) Before(ctx *cli.Context) error {
|
func (c *cmd) Before(ctx *cli.Context) error {
|
||||||
// Setup custom certificate authorities
|
|
||||||
caCertPool := x509.NewCertPool()
|
|
||||||
if len(ctx.String("certificate_authorities")) > 0 {
|
|
||||||
for _, ca := range strings.Split(ctx.String("certificate_authorities"), ",") {
|
|
||||||
crt, err := ioutil.ReadFile(ca)
|
|
||||||
if err != nil {
|
|
||||||
logger.Fatalf("Error loading registry certificate authority: %v", err)
|
|
||||||
}
|
|
||||||
caCertPool.AppendCertsFromPEM(crt)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Setup client options
|
// Setup client options
|
||||||
var clientOpts []client.Option
|
var clientOpts []client.Option
|
||||||
|
|
||||||
@ -679,10 +681,20 @@ func (c *cmd) Before(ctx *cli.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Parse broker TLS certs
|
// Parse broker TLS certs
|
||||||
if ctx.Bool("broker_secure") {
|
if ctx.IsSet("broker_tls_cert") || ctx.IsSet("broker_tls_key") {
|
||||||
cert, err := tls.LoadX509KeyPair("/certs/broker/cert.pem", "/certs/broker/key.pem")
|
cert, err := tls.LoadX509KeyPair(ctx.String("broker_tls_cert"), ctx.String("broker_tls_key"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatalf("Error loading broker x509 key pair: %v", err)
|
logger.Fatalf("Error loading broker TLS cert: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// load custom certificate authority
|
||||||
|
caCertPool := x509.NewCertPool()
|
||||||
|
if ctx.IsSet("broker_tls_ca") {
|
||||||
|
crt, err := ioutil.ReadFile(ctx.String("broker_tls_ca"))
|
||||||
|
if err != nil {
|
||||||
|
logger.Fatalf("Error loading broker TLS certificate authority: %v", err)
|
||||||
|
}
|
||||||
|
caCertPool.AppendCertsFromPEM(crt)
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
|
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
|
||||||
@ -693,10 +705,20 @@ func (c *cmd) Before(ctx *cli.Context) error {
|
|||||||
registryOpts := []registry.Option{registrySrv.WithClient(microClient)}
|
registryOpts := []registry.Option{registrySrv.WithClient(microClient)}
|
||||||
|
|
||||||
// Parse registry TLS certs
|
// Parse registry TLS certs
|
||||||
if ctx.Bool("registry_secure") {
|
if ctx.IsSet("registry_tls_cert") || ctx.IsSet("registry_tls_key") {
|
||||||
cert, err := tls.LoadX509KeyPair("/certs/registry/cert.pem", "/certs/registry/key.pem")
|
cert, err := tls.LoadX509KeyPair(ctx.String("registry_tls_cert"), ctx.String("registry_tls_key"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatalf("Error loading registry x509 key pair: %v", err)
|
logger.Fatalf("Error loading registry tls cert: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// load custom certificate authority
|
||||||
|
caCertPool := x509.NewCertPool()
|
||||||
|
if ctx.IsSet("registry_tls_ca") {
|
||||||
|
crt, err := ioutil.ReadFile(ctx.String("registry_tls_ca"))
|
||||||
|
if err != nil {
|
||||||
|
logger.Fatalf("Error loading registry tls certificate authority: %v", err)
|
||||||
|
}
|
||||||
|
caCertPool.AppendCertsFromPEM(crt)
|
||||||
}
|
}
|
||||||
|
|
||||||
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
|
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user