Add possibility to skip TLS server certificate verification
This commit is contained in:
parent
698236cdb4
commit
5007077f1d
2 changed files with 34 additions and 13 deletions
|
@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize};
|
||||||
pub struct ConsulConfig {
|
pub struct ConsulConfig {
|
||||||
pub addr: String,
|
pub addr: String,
|
||||||
pub ca_cert: Option<String>,
|
pub ca_cert: Option<String>,
|
||||||
|
pub tls_skip_verify: bool,
|
||||||
pub client_cert: Option<String>,
|
pub client_cert: Option<String>,
|
||||||
pub client_key: Option<String>,
|
pub client_key: Option<String>,
|
||||||
}
|
}
|
||||||
|
@ -88,26 +89,41 @@ pub struct Consul {
|
||||||
|
|
||||||
impl Consul {
|
impl Consul {
|
||||||
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
|
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
|
||||||
let client = match (&config.ca_cert, &config.client_cert, &config.client_key) {
|
let client = match (&config.client_cert, &config.client_key) {
|
||||||
(Some(ca_cert), Some(client_cert), Some(client_key)) => {
|
(Some(client_cert), Some(client_key)) => {
|
||||||
let mut ca_cert_buf = vec![];
|
|
||||||
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
|
|
||||||
|
|
||||||
let mut client_cert_buf = vec![];
|
let mut client_cert_buf = vec![];
|
||||||
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
|
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
|
||||||
|
|
||||||
let mut client_key_buf = vec![];
|
let mut client_key_buf = vec![];
|
||||||
File::open(client_key)?.read_to_end(&mut client_key_buf)?;
|
File::open(client_key)?.read_to_end(&mut client_key_buf)?;
|
||||||
|
|
||||||
reqwest::Client::builder()
|
let identity = reqwest::Identity::from_pem(
|
||||||
.use_rustls_tls()
|
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
|
||||||
.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
|
)?;
|
||||||
.identity(reqwest::Identity::from_pem(
|
|
||||||
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
|
if config.tls_skip_verify {
|
||||||
)?)
|
reqwest::Client::builder()
|
||||||
.build()?
|
.use_rustls_tls()
|
||||||
|
.danger_accept_invalid_certs(true)
|
||||||
|
.identity(identity)
|
||||||
|
.build()?
|
||||||
|
} else if let Some(ca_cert) = &config.ca_cert {
|
||||||
|
let mut ca_cert_buf = vec![];
|
||||||
|
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
|
||||||
|
|
||||||
|
reqwest::Client::builder()
|
||||||
|
.use_rustls_tls()
|
||||||
|
.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
|
||||||
|
.identity(identity)
|
||||||
|
.build()?
|
||||||
|
} else {
|
||||||
|
reqwest::Client::builder()
|
||||||
|
.use_rustls_tls()
|
||||||
|
.identity(identity)
|
||||||
|
.build()?
|
||||||
|
}
|
||||||
}
|
}
|
||||||
(None, None, None) => reqwest::Client::new(),
|
(None, None) => reqwest::Client::new(),
|
||||||
_ => bail!("Incomplete Consul TLS configuration parameters"),
|
_ => bail!("Incomplete Consul TLS configuration parameters"),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -40,6 +40,10 @@ struct Opt {
|
||||||
#[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
|
#[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
|
||||||
pub consul_ca_cert: Option<String>,
|
pub consul_ca_cert: Option<String>,
|
||||||
|
|
||||||
|
/// Skip TLS verification for Consul
|
||||||
|
#[structopt(long = "consul-tls-skip-verify", env = "TRICOT_CONSUL_TLS_SKIP_VERIFY")]
|
||||||
|
pub consul_tls_skip_verify: bool,
|
||||||
|
|
||||||
/// Client certificate for Consul server with TLS
|
/// Client certificate for Consul server with TLS
|
||||||
#[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
|
#[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
|
||||||
pub consul_client_cert: Option<String>,
|
pub consul_client_cert: Option<String>,
|
||||||
|
@ -122,6 +126,7 @@ async fn main() {
|
||||||
let consul_config = consul::ConsulConfig {
|
let consul_config = consul::ConsulConfig {
|
||||||
addr: opt.consul_addr.clone(),
|
addr: opt.consul_addr.clone(),
|
||||||
ca_cert: opt.consul_ca_cert.clone(),
|
ca_cert: opt.consul_ca_cert.clone(),
|
||||||
|
tls_skip_verify: opt.consul_tls_skip_verify,
|
||||||
client_cert: opt.consul_client_cert.clone(),
|
client_cert: opt.consul_client_cert.clone(),
|
||||||
client_key: opt.consul_client_key.clone(),
|
client_key: opt.consul_client_key.clone(),
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue