// ConfigureTLS applies a set of TLS configurations to the the HTTP client.
func (c *Config) ConfigureTLS() error {
if c.HttpClient == nil {
return fmt.Errorf("config HTTP Client must be set")
}
var clientCert tls.Certificate
foundClientCert := false
if c.TLSConfig.ClientCert != "" || c.TLSConfig.ClientKey != "" {
if c.TLSConfig.ClientCert != "" && c.TLSConfig.ClientKey != "" {
var err error
clientCert, err = tls.LoadX509KeyPair(c.TLSConfig.ClientCert, c.TLSConfig.ClientKey)
if err != nil {
return err
}
foundClientCert = true
} else if c.TLSConfig.ClientCert != "" || c.TLSConfig.ClientKey != "" {
return fmt.Errorf("Both client cert and client key must be provided")
}
}
clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
rootConfig := &rootcerts.Config{
CAFile: c.TLSConfig.CACert,
CAPath: c.TLSConfig.CAPath,
}
if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
return err
}
clientTLSConfig.InsecureSkipVerify = c.TLSConfig.Insecure
if foundClientCert {
clientTLSConfig.Certificates = []tls.Certificate{clientCert}
}
if c.TLSConfig.TLSServerName != "" {
clientTLSConfig.ServerName = c.TLSConfig.TLSServerName
}
return nil
}
// CreateConsulClient creates a new Consul API client from the given input.
func (c *ClientSet) CreateConsulClient(i *CreateConsulClientInput) error {
consulConfig := consulapi.DefaultConfig()
if i.Address != "" {
consulConfig.Address = i.Address
}
if i.Token != "" {
consulConfig.Token = i.Token
}
if i.AuthEnabled {
consulConfig.HttpAuth = &consulapi.HttpBasicAuth{
Username: i.AuthUsername,
Password: i.AuthPassword,
}
}
// This transport will attempt to keep connections open to the Consul server.
transport := cleanhttp.DefaultPooledTransport()
// Configure SSL
if i.SSLEnabled {
consulConfig.Scheme = "https"
var tlsConfig tls.Config
// Custom certificate or certificate and key
if i.SSLCert != "" && i.SSLKey != "" {
cert, err := tls.LoadX509KeyPair(i.SSLCert, i.SSLKey)
if err != nil {
return fmt.Errorf("client set: consul: %s", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
} else if i.SSLCert != "" {
cert, err := tls.LoadX509KeyPair(i.SSLCert, i.SSLCert)
if err != nil {
return fmt.Errorf("client set: consul: %s", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
// Custom CA certificate
if i.SSLCACert != "" || i.SSLCAPath != "" {
rootConfig := &rootcerts.Config{
CAFile: i.SSLCACert,
CAPath: i.SSLCAPath,
}
if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
return fmt.Errorf("client set: consul configuring TLS failed: %s", err)
}
}
// Construct all the certificates now
tlsConfig.BuildNameToCertificate()
// SSL verification
if i.ServerName != "" {
tlsConfig.ServerName = i.ServerName
tlsConfig.InsecureSkipVerify = false
}
if !i.SSLVerify {
log.Printf("[WARN] (clients) disabling consul SSL verification")
tlsConfig.InsecureSkipVerify = true
}
// Save the TLS config on our transport
transport.TLSClientConfig = &tlsConfig
}
// Setup the new transport
consulConfig.HttpClient.Transport = transport
// Create the API client
client, err := consulapi.NewClient(consulConfig)
if err != nil {
return fmt.Errorf("client set: consul: %s", err)
}
// Save the data on ourselves
c.Lock()
c.consul = &consulClient{
client: client,
httpClient: consulConfig.HttpClient,
}
c.Unlock()
return nil
}
func (c *ClientSet) CreateVaultClient(i *CreateVaultClientInput) error {
vaultConfig := vaultapi.DefaultConfig()
if i.Address != "" {
vaultConfig.Address = i.Address
}
// This transport will attempt to keep connections open to the Vault server.
transport := cleanhttp.DefaultPooledTransport()
// Configure SSL
if i.SSLEnabled {
var tlsConfig tls.Config
// Custom certificate or certificate and key
if i.SSLCert != "" && i.SSLKey != "" {
cert, err := tls.LoadX509KeyPair(i.SSLCert, i.SSLKey)
if err != nil {
return fmt.Errorf("client set: vault: %s", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
} else if i.SSLCert != "" {
cert, err := tls.LoadX509KeyPair(i.SSLCert, i.SSLCert)
if err != nil {
return fmt.Errorf("client set: vault: %s", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
// Custom CA certificate
if i.SSLCACert != "" || i.SSLCAPath != "" {
rootConfig := &rootcerts.Config{
CAFile: i.SSLCACert,
CAPath: i.SSLCAPath,
}
if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
return fmt.Errorf("client set: vault configuring TLS failed: %s", err)
}
}
// Construct all the certificates now
tlsConfig.BuildNameToCertificate()
// SSL verification
if i.ServerName != "" {
tlsConfig.ServerName = i.ServerName
tlsConfig.InsecureSkipVerify = false
}
if !i.SSLVerify {
log.Printf("[WARN] (clients) disabling vault SSL verification")
tlsConfig.InsecureSkipVerify = true
}
// Save the TLS config on our transport
transport.TLSClientConfig = &tlsConfig
}
// Setup the new transport
vaultConfig.HttpClient.Transport = transport
// Create the client
client, err := vaultapi.NewClient(vaultConfig)
if err != nil {
return fmt.Errorf("client set: vault: %s", err)
}
// Set the token if given
if i.Token != "" {
client.SetToken(i.Token)
}
// Check if we are unwrapping
if i.UnwrapToken {
secret, err := client.Logical().Unwrap(i.Token)
if err != nil {
return fmt.Errorf("client set: vault unwrap: %s", err)
}
if secret == nil {
return fmt.Errorf("client set: vault unwrap: no secret")
}
if secret.Auth == nil {
return fmt.Errorf("client set: vault unwrap: no secret auth")
}
if secret.Auth.ClientToken == "" {
return fmt.Errorf("client set: vault unwrap: no token returned")
}
client.SetToken(secret.Auth.ClientToken)
}
// Save the data on ourselves
c.Lock()
c.vault = &vaultClient{
client: client,
httpClient: vaultConfig.HttpClient,
}
c.Unlock()
return nil
}