config/cmd: custom certificate authorities & secure registry (#1803)
* config/cmd: add registry_secure option * config/cmd: tmp load ca * config/cmd: tmp load ca * config/cmd: refactor certificate_authorities setup * config/cmd: improve usage
This commit is contained in:
ben-toogood
GitHub
parent
b37f9c94b8
commit
86f4235aaf
@ -2,7 +2,10 @@
|
|||||||
package cmd
|
package cmd
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
@ -110,6 +113,11 @@ var (
|
|||||||
DefaultCmd = newCmd()
|
DefaultCmd = newCmd()
|
||||||
|
|
||||||
DefaultFlags = []cli.Flag{
|
DefaultFlags = []cli.Flag{
|
||||||
|
&cli.StringFlag{
|
||||||
|
Name: "certificate_authorities",
|
||||||
|
EnvVars: []string{"MICRO_CERTIFICATE_AUTHORITIES"},
|
||||||
|
Usage: "Commar-seperated list of certificate authorities, e.g. '/certs/ca.crt'",
|
||||||
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "client",
|
Name: "client",
|
||||||
EnvVars: []string{"MICRO_CLIENT"},
|
EnvVars: []string{"MICRO_CLIENT"},
|
||||||
@ -209,6 +217,11 @@ var (
|
|||||||
EnvVars: []string{"MICRO_REGISTRY_ADDRESS"},
|
EnvVars: []string{"MICRO_REGISTRY_ADDRESS"},
|
||||||
Usage: "Comma-separated list of registry addresses",
|
Usage: "Comma-separated list of registry addresses",
|
||||||
},
|
},
|
||||||
|
&cli.BoolFlag{
|
||||||
|
Name: "registry_secure",
|
||||||
|
Usage: "Secure connection to registry",
|
||||||
|
EnvVars: []string{"MICRO_REGISTRY_SECURE"},
|
||||||
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Name: "runtime",
|
Name: "runtime",
|
||||||
Usage: "Runtime for building and running services e.g local, kubernetes",
|
Usage: "Runtime for building and running services e.g local, kubernetes",
|
||||||
@ -497,6 +510,18 @@ func (c *cmd) Options() Options {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *cmd) Before(ctx *cli.Context) error {
|
func (c *cmd) Before(ctx *cli.Context) error {
|
||||||
|
// Setup custom certificate authorities
|
||||||
|
caCertPool := x509.NewCertPool()
|
||||||
|
if len(ctx.String("certificate_authorities")) > 0 {
|
||||||
|
for _, ca := range strings.Split(ctx.String("certificate_authorities"), ",") {
|
||||||
|
crt, err := ioutil.ReadFile(ca)
|
||||||
|
if err != nil {
|
||||||
|
logger.Fatalf("Error loading registry certificate authority: %v", err)
|
||||||
|
}
|
||||||
|
caCertPool.AppendCertsFromPEM(crt)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Setup client options
|
// Setup client options
|
||||||
var clientOpts []client.Option
|
var clientOpts []client.Option
|
||||||
|
|
||||||
@ -650,6 +675,18 @@ func (c *cmd) Before(ctx *cli.Context) error {
|
|||||||
|
|
||||||
// Setup registry options
|
// Setup registry options
|
||||||
registryOpts := []registry.Option{registrySrv.WithClient(microClient)}
|
registryOpts := []registry.Option{registrySrv.WithClient(microClient)}
|
||||||
|
|
||||||
|
// Parse registry TLS certs
|
||||||
|
if ctx.Bool("registry_secure") {
|
||||||
|
cert, err := tls.LoadX509KeyPair("/certs/registry/cert.pem", "/certs/registry/key.pem")
|
||||||
|
if err != nil {
|
||||||
|
logger.Fatalf("Error loading x509 key pair: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
|
||||||
|
registryOpts = append(registryOpts, registry.TLSConfig(cfg))
|
||||||
|
}
|
||||||
|
|
||||||
if len(ctx.String("registry_address")) > 0 {
|
if len(ctx.String("registry_address")) > 0 {
|
||||||
addresses := strings.Split(ctx.String("registry_address"), ",")
|
addresses := strings.Split(ctx.String("registry_address"), ",")
|
||||||
registryOpts = append(registryOpts, registry.Addrs(addresses...))
|
registryOpts = append(registryOpts, registry.Addrs(addresses...))
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user