gered/vault-sidekick
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

CA Certificate

Browse source 
- fixing the loading of the ca certificate for verification
This commit is contained in:
Rohith 2017-05-24 15:52:54 +01:00
parent cada0d4ac5
commit bd252c234a
3 changed files with 9 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.travis.yml
View file

@ -14,7 +14,6 @@ go: 1.8.1
install: true install: true
script: script:
- make test - make test
- echo "TRAVIS_PULL_REQUEST: ${TRAVIS_PULL_REQUEST}"
- if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_PULL_REQUEST} == "false" ]]) || [[ -n ${TRAVIS_TAG} ]]; then - if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_PULL_REQUEST} == "false" ]]) || [[ -n ${TRAVIS_TAG} ]]; then
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_linux_amd64; GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_linux_amd64;
GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_darwin_amd64; GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.gitsha=${TRAVIS_TAG:-git+${TRAVIS_COMMIT}}" -o bin/vault-sidekick_darwin_amd64;

6
config.go
View file

@ -37,7 +37,7 @@ type config struct {
// switch on dry run // switch on dry run
dryRun bool dryRun bool
// skip tls verify // skip tls verify
tlsVerify bool skipTLSVerify bool
// the resource items to retrieve // the resource items to retrieve
resources *VaultResources resources *VaultResources
// the interval for producing statistics // the interval for producing statistics
@ -61,7 +61,7 @@ func init() {
flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments") flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in json or yaml containing authentication arguments")
flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT") flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write resources or VAULT_OUTPUT")
flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen") flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate") flag.BoolVar(&options.skipTLSVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file container the CA used to verify the vault service") flag.StringVar(&options.vaultCaFile, "ca-cert", "", "the path to the file container the CA used to verify the vault service")
flag.DurationVar(&options.statsInterval, "stats", time.Duration(1)*time.Hour, "the interval to produce statistics on the accessed resources") flag.DurationVar(&options.statsInterval, "stats", time.Duration(1)*time.Hour, "the interval to produce statistics on the accessed resources")
flag.DurationVar(&options.execTimeout, "exec-timeout", time.Duration(60)*time.Second, "the timeout applied to commands on the exec option") flag.DurationVar(&options.execTimeout, "exec-timeout", time.Duration(60)*time.Second, "the timeout applied to commands on the exec option")
@ -99,7 +99,7 @@ func validateOptions(cfg *config) (err error) {
} }
} }
if cfg.tlsVerify == true && cfg.vaultCaFile != "" { if cfg.skipTLSVerify == true && cfg.vaultCaFile != "" {
return fmt.Errorf("you are skipping the tls but supplying a CA, doesn't make sense") return fmt.Errorf("you are skipping the tls but supplying a CA, doesn't make sense")
} }

13
vault.go
View file

@ -457,23 +457,22 @@ func buildHTTPTransport(opts *config) (*http.Transport, error) {
KeepAlive: 10 * time.Second, KeepAlive: 10 * time.Second,
}).Dial, }).Dial,
TLSHandshakeTimeout: 10 * time.Second, TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: opts.skipTLSVerify,
},
} }
// step: are we skip the tls verify? if opts.skipTLSVerify {
if options.tlsVerify { glog.Warning("skipping TLS verification is not recommended")
transport.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}
} }
// step: are we loading a CA file // step: are we loading a CA file
if opts.vaultCaFile != "" { if opts.vaultCaFile != "" {
// step: load the ca file glog.V(3).Infof("loading the ca certificate: %s", opts.vaultCaFile)
caCert, err := ioutil.ReadFile(opts.vaultCaFile) caCert, err := ioutil.ReadFile(opts.vaultCaFile)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to read in the ca: %s, reason: %s", opts.vaultCaFile, err) return nil, fmt.Errorf("unable to read in the ca: %s, reason: %s", opts.vaultCaFile, err)
} }
caCertPool := x509.NewCertPool() caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert) caCertPool.AppendCertsFromPEM(caCert)
// step: add the ca to the root
transport.TLSClientConfig.RootCAs = caCertPool transport.TLSClientConfig.RootCAs = caCertPool
} }