Add possibility to skip TLS server certificate verification
This commit is contained in:
parent
698236cdb4
commit
5007077f1d
2 changed files with 34 additions and 13 deletions
|
@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize};
|
|||
pub struct ConsulConfig {
|
||||
pub addr: String,
|
||||
pub ca_cert: Option<String>,
|
||||
pub tls_skip_verify: bool,
|
||||
pub client_cert: Option<String>,
|
||||
pub client_key: Option<String>,
|
||||
}
|
||||
|
@ -88,26 +89,41 @@ pub struct Consul {
|
|||
|
||||
impl Consul {
|
||||
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
|
||||
let client = match (&config.ca_cert, &config.client_cert, &config.client_key) {
|
||||
(Some(ca_cert), Some(client_cert), Some(client_key)) => {
|
||||
let mut ca_cert_buf = vec![];
|
||||
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
|
||||
|
||||
let client = match (&config.client_cert, &config.client_key) {
|
||||
(Some(client_cert), Some(client_key)) => {
|
||||
let mut client_cert_buf = vec![];
|
||||
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
|
||||
|
||||
let mut client_key_buf = vec![];
|
||||
File::open(client_key)?.read_to_end(&mut client_key_buf)?;
|
||||
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
|
||||
.identity(reqwest::Identity::from_pem(
|
||||
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
|
||||
)?)
|
||||
.build()?
|
||||
let identity = reqwest::Identity::from_pem(
|
||||
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
|
||||
)?;
|
||||
|
||||
if config.tls_skip_verify {
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.danger_accept_invalid_certs(true)
|
||||
.identity(identity)
|
||||
.build()?
|
||||
} else if let Some(ca_cert) = &config.ca_cert {
|
||||
let mut ca_cert_buf = vec![];
|
||||
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
|
||||
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
|
||||
.identity(identity)
|
||||
.build()?
|
||||
} else {
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.identity(identity)
|
||||
.build()?
|
||||
}
|
||||
}
|
||||
(None, None, None) => reqwest::Client::new(),
|
||||
(None, None) => reqwest::Client::new(),
|
||||
_ => bail!("Incomplete Consul TLS configuration parameters"),
|
||||
};
|
||||
|
||||
|
|
|
@ -40,6 +40,10 @@ struct Opt {
|
|||
#[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
|
||||
pub consul_ca_cert: Option<String>,
|
||||
|
||||
/// Skip TLS verification for Consul
|
||||
#[structopt(long = "consul-tls-skip-verify", env = "TRICOT_CONSUL_TLS_SKIP_VERIFY")]
|
||||
pub consul_tls_skip_verify: bool,
|
||||
|
||||
/// Client certificate for Consul server with TLS
|
||||
#[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
|
||||
pub consul_client_cert: Option<String>,
|
||||
|
@ -122,6 +126,7 @@ async fn main() {
|
|||
let consul_config = consul::ConsulConfig {
|
||||
addr: opt.consul_addr.clone(),
|
||||
ca_cert: opt.consul_ca_cert.clone(),
|
||||
tls_skip_verify: opt.consul_tls_skip_verify,
|
||||
client_cert: opt.consul_client_cert.clone(),
|
||||
client_key: opt.consul_client_key.clone(),
|
||||
};
|
||||
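Review bot: The help text for the new `consul_tls_skip_verify` flag in the `Opt` hunk does not say what the operator is giving up, so I would replace `/// Skip TLS verification for Consul` with `/// Disable verification of the Consul server's TLS certificate (insecure: any certificate is accepted, allowing a man-in-the-middle; for test setups only)`. Whether `TRICOT_CONSUL_TLS_SKIP_VERIFY=false` counts as unset or as set depends on how the structopt/clap version in use handles `env` on a `bool` flag; that is worth checking, since a value of `false` or `0` silently disabling verification would be surprising. The `Opt` struct and `main` both extend beyond the visible hunks.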
|
|