Add option to skip TLS verification for Consul

This commit is contained in:
Alex 2022-08-24 18:22:00 +02:00
parent 730c9049ad
commit e7f6c15bc1
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
3 changed files with 37 additions and 15 deletions


@ -39,6 +39,8 @@ pub struct ConfigOptsConsul {
pub url: Option<String>, pub url: Option<String>,
/// Consul's CA certificate [default: None] /// Consul's CA certificate [default: None]
pub ca_cert: Option<String>, pub ca_cert: Option<String>,
/// Skip TLS verification for Consul server
pub tls_skip_verify: bool,
/// Consul's client certificate [default: None] /// Consul's client certificate [default: None]
pub client_cert: Option<String>, pub client_cert: Option<String>,
/// Consul's client key [default: None] /// Consul's client key [default: None]


@ -20,7 +20,7 @@ pub struct RuntimeConfigAcme {
pub struct RuntimeConfigConsul { pub struct RuntimeConfigConsul {
pub node_name: String, pub node_name: String,
pub url: String, pub url: String,
pub tls: Option<(reqwest::Certificate, reqwest::Identity)>, pub tls: Option<(Option<reqwest::Certificate>, bool, reqwest::Identity)>,
} }
#[derive(Debug)] #[derive(Debug)]
@ -80,11 +80,16 @@ impl RuntimeConfigConsul {
.expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required"); .expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required");
let url = opts.url.unwrap_or(super::CONSUL_URL.to_string()); let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
let tls = match (&opts.ca_cert, &opts.client_cert, &opts.client_key) { let tls = match (&opts.client_cert, &opts.client_key) {
(Some(ca_cert), Some(client_cert), Some(client_key)) => { (Some(client_cert), Some(client_key)) => {
let cert = match &opts.ca_cert {
Some(ca_cert) => {
let mut ca_cert_buf = vec![]; let mut ca_cert_buf = vec![];
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?; File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
let cert = reqwest::Certificate::from_pem(&ca_cert_buf[..])?; Some(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
}
None => None,
};
let mut client_cert_buf = vec![]; let mut client_cert_buf = vec![];
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?; File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
@ -95,9 +100,9 @@ impl RuntimeConfigConsul {
let ident = let ident =
reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?; reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?;
Some((cert, ident)) Some((cert, opts.tls_skip_verify, ident))
} }
(None, None, None) => None, (None, None) => None,
_ => bail!("Incomplete TLS configuration parameters"), _ => bail!("Incomplete TLS configuration parameters"),
}; };
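Review bot: `opts.tls_skip_verify` is only carried into the runtime config in the `(Some(client_cert), Some(client_key))` arm, so a user who sets the flag without a client certificate gets a plain `reqwest::Client::new()` later and the option is silently ignored, while setting both `ca_cert` and `tls_skip_verify` loads a CA file that is then discarded. Both are configuration errors the builder should reject rather than swallow, since the user believes verification is off (or on) when it is not. I would add `(None, None) if opts.tls_skip_verify => bail!("tls_skip_verify set but no client certificate configured"),` before the `(None, None) => None` arm, and a `bail!("ca_cert and tls_skip_verify are mutually exclusive")` guard at the top of the client-cert arm. Longer term the `(Option<Certificate>, bool, Identity)` tuple would be clearer as an enum (`SkipVerify`, `CustomCa(cert)`, `SystemRoots`) so the contradictory state cannot be represented at all; `RuntimeConfigConsul::new` continues outside the hunk.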


@ -23,13 +23,28 @@ pub struct Consul {
impl Consul { impl Consul {
pub fn new(config: &RuntimeConfigConsul) -> Self { pub fn new(config: &RuntimeConfigConsul) -> Self {
let client = if let Some((ca, ident)) = config.tls.clone() { let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
if skip_verify {
reqwest::Client::builder()
.use_rustls_tls()
.danger_accept_invalid_certs(true)
.identity(ident)
.build()
.expect("Unable to build reqwest client")
} else if let Some(ca) = ca {
reqwest::Client::builder() reqwest::Client::builder()
.use_rustls_tls() .use_rustls_tls()
.add_root_certificate(ca) .add_root_certificate(ca)
.identity(ident) .identity(ident)
.build() .build()
.expect("Unable to build reqwest client") .expect("Unable to build reqwest client")
} else {
reqwest::Client::builder()
.use_rustls_tls()
.identity(ident)
.build()
.expect("Unable to build reqwest client")
}
} else { } else {
reqwest::Client::new() reqwest::Client::new()
}; };
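Review bot: The `skip_verify` branch calls `danger_accept_invalid_certs(true)`, which with the rustls backend turns off server certificate validation entirely (chain and hostname), and the loaded CA certificate is dropped without any indication to the operator; the three near-identical builder chains also make it easy for a later edit to leave one branch out of sync. I would build one `ClientBuilder`, apply the verification policy conditionally, and keep a comment on the dangerous call stating that it is for debugging only. A log line on that path would help too, but I cannot see which logging facility this crate uses. `Consul::new` continues past the end of the hunk.
```rust
let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
    let mut builder = reqwest::Client::builder().use_rustls_tls().identity(ident);
    if skip_verify {
        // DANGER: disables all server certificate validation (no chain or hostname
        // check), so any on-path attacker can impersonate Consul. Debugging only.
        builder = builder.danger_accept_invalid_certs(true);
    } else if let Some(ca) = ca {
        builder = builder.add_root_certificate(ca);
    }
    builder.build().expect("Unable to build reqwest client")
} else {
    // … unchanged: plain client when no TLS identity is configured …
```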