CA Certificate
- fixing the loading of the ca certificate for verification
This commit is contained in:
parent
cada0d4ac5
commit
bd252c234a
|
@ -14,7 +14,6 @@ go: 1.8.1
|
|||
install: true
|
||||
script:
|
||||
- make test
|
||||
- echo "TRAVIS_PULL_REQUEST: ${TRAVIS_PULL_REQUEST}"
|
||||
- if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_PULL_REQUEST} == "false" ]]) || [[ -n ${TRAVIS_TAG} ]]; then
|
||||
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_linux_amd64;
|
||||
GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_darwin_amd64;
|
||||
|
|
|
@ -37,7 +37,7 @@ type config struct {
|
|||
// switch on dry run
|
||||
dryRun bool
|
||||
// skip tls verify
|
||||
tlsVerify bool
|
||||
skipTLSVerify bool
|
||||
// the resource items to retrieve
|
||||
resources *VaultResources
|
||||
// the interval for producing statistics
|
||||
|
@ -61,7 +61,7 @@ func init() {
|
|||
flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments")
|
||||
flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT")
|
||||
flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
|
||||
flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
|
||||
flag.BoolVar(&options.skipTLSVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
|
||||
flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file container the CA used to verify the vault service")
|
||||
flag.DurationVar(&options.statsInterval, "stats", time.Duration(1)*time.Hour, "the interval to produce statistics on the accessed resources")
|
||||
flag.DurationVar(&options.execTimeout, "exec-timeout", time.Duration(60)*time.Second, "the timeout applied to commands on the exec option")
|
||||
|
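Review bot: The help text registered for the renamed `-tls-skip-verify` flag still says "whether to check and verify the vault service certificate", which is the opposite of what a true value now does (it sets `InsecureSkipVerify`), so an operator reading `--help` would be steered into disabling verification. The `-ca-cert` help string on the next line also has a typo ("the file container the CA"). I would change the two lines to `flag.BoolVar(&options.skipTLSVerify, "tls-skip-verify", false, "skip verification of the vault service certificate (not recommended)")` and `flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file containing the CA used to verify the vault service")`. init's body starts and ends outside the hunk.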
@ -99,7 +99,7 @@ func validateOptions(cfg *config) (err error) {
|
|||
}
|
||||
}
|
||||
|
||||
if cfg.tlsVerify == true && cfg.vaultCaFile != "" {
|
||||
if cfg.skipTLSVerify == true && cfg.vaultCaFile != "" {
|
||||
return fmt.Errorf("you are skipping the tls but supplying a CA, doesn't make sense")
|
||||
}
|
||||
|
||||
|
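Review bot: The new condition compares a bool against `true`, which is redundant in Go and is usually flagged by linters; `if cfg.skipTLSVerify && cfg.vaultCaFile != "" {` reads the same and is idiomatic. The error string could also be phrased as a plain statement of the conflict, e.g. `return fmt.Errorf("tls-skip-verify and ca-cert are mutually exclusive")`, so the message names the two flags the operator has to reconcile. validateOptions starts outside the hunk.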
|
13
vault.go
13
vault.go
|
@ -457,23 +457,22 @@ func buildHTTPTransport(opts *config) (*http.Transport, error) {
|
|||
KeepAlive: 10 * time.Second,
|
||||
}).Dial,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: opts.skipTLSVerify,
|
||||
},
|
||||
}
|
||||
// step: are we skip the tls verify?
|
||||
if options.tlsVerify {
|
||||
transport.TLSClientConfig = &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
}
|
||||
if opts.skipTLSVerify {
|
||||
glog.Warning("skipping TLS verification is not recommended")
|
||||
}
|
||||
// step: are we loading a CA file
|
||||
if opts.vaultCaFile != "" {
|
||||
// step: load the ca file
|
||||
glog.V(3).Infof("loading the ca certificate: %s", opts.vaultCaFile)
|
||||
caCert, err := ioutil.ReadFile(opts.vaultCaFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to read in the ca: %s, reason: %s", opts.vaultCaFile, err)
|
||||
}
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(caCert)
|
||||
// step: add the ca to the root
|
||||
transport.TLSClientConfig.RootCAs = caCertPool
|
||||
}
|
||||
|
||||
|
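Review bot: The return value of `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a CA file that is readable but contains no parseable PEM certificates (wrong format, DER, an empty file) silently installs an empty root pool and every connection to vault then fails with an unhelpful verification error rather than a clear message at startup. I would check it before assigning `RootCAs`: `if !caCertPool.AppendCertsFromPEM(caCert) {` / `return nil, fmt.Errorf("no valid certificates found in ca file: %s", opts.vaultCaFile)` / `}`. The move from the global `options.tlsVerify` to the `opts` parameter is a good fix, since it was the earlier code path that replaced the whole `TLSClientConfig` and dropped the loaded pool; the warning emitted when `opts.skipTLSVerify` is set is appropriate. buildHTTPTransport starts and ends outside the hunk.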
|