config/cmd: custom certificate authorities & secure registry (#1803)

* config/cmd: add registry_secure option

* config/cmd: tmp load ca

* config/cmd: tmp load ca

* config/cmd: refactor certificate_authorities setup

* config/cmd: improve usage
This commit is contained in:
ben-toogood 2020-07-08 08:50:08 +01:00 committed by GitHub
parent b37f9c94b8
commit 86f4235aaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -2,7 +2,10 @@
package cmd
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"math/rand"
"strings"
"time"
@ -110,6 +113,11 @@ var (
DefaultCmd = newCmd()
DefaultFlags = []cli.Flag{
&cli.StringFlag{
Name: "certificate_authorities",
EnvVars: []string{"MICRO_CERTIFICATE_AUTHORITIES"},
Usage: "Commar-seperated list of certificate authorities, e.g. '/certs/ca.crt'",
},
&cli.StringFlag{
Name: "client",
EnvVars: []string{"MICRO_CLIENT"},
@ -209,6 +217,11 @@ var (
EnvVars: []string{"MICRO_REGISTRY_ADDRESS"},
Usage: "Comma-separated list of registry addresses",
},
&cli.BoolFlag{
Name: "registry_secure",
Usage: "Secure connection to registry",
EnvVars: []string{"MICRO_REGISTRY_SECURE"},
},
&cli.StringFlag{
Name: "runtime",
Usage: "Runtime for building and running services e.g local, kubernetes",
@ -497,6 +510,18 @@ func (c *cmd) Options() Options {
}
func (c *cmd) Before(ctx *cli.Context) error {
// Setup custom certificate authorities
caCertPool := x509.NewCertPool()
if len(ctx.String("certificate_authorities")) > 0 {
for _, ca := range strings.Split(ctx.String("certificate_authorities"), ",") {
crt, err := ioutil.ReadFile(ca)
if err != nil {
logger.Fatalf("Error loading registry certificate authority: %v", err)
}
caCertPool.AppendCertsFromPEM(crt)
}
}
// Setup client options
var clientOpts []client.Option
@ -650,6 +675,18 @@ func (c *cmd) Before(ctx *cli.Context) error {
// Setup registry options
registryOpts := []registry.Option{registrySrv.WithClient(microClient)}
// Parse registry TLS certs
if ctx.Bool("registry_secure") {
cert, err := tls.LoadX509KeyPair("/certs/registry/cert.pem", "/certs/registry/key.pem")
if err != nil {
logger.Fatalf("Error loading x509 key pair: %v", err)
}
cfg := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: caCertPool}
registryOpts = append(registryOpts, registry.TLSConfig(cfg))
}
if len(ctx.String("registry_address")) > 0 {
addresses := strings.Split(ctx.String("registry_address"), ",")
registryOpts = append(registryOpts, registry.Addrs(addresses...))