mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
Added custom CA support to fleetctl client (#1931)
This commit is contained in:
adamenger
Zachary Wasserman
parent
85ff9d6cf1
commit
a99313533d
@ -27,7 +27,7 @@ func unauthenticatedClientFromCLI(c *cli.Context) (*service.Client, error) {
|
||||
return nil, errors.New("set the Fleet API address with: fleetctl config set --address https://localhost:8080")
|
||||
}
|
||||
|
||||
fleet, err := service.NewClient(cc.Address, cc.TLSSkipVerify)
|
||||
fleet, err := service.NewClient(cc.Address, cc.TLSSkipVerify, cc.RootCA)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error creating Fleet API client handler")
|
||||
}
|
||||
|
||||
@ -26,6 +26,7 @@ type Context struct {
|
||||
Email string `json:"email"`
|
||||
Token string `json:"token"`
|
||||
TLSSkipVerify bool `json:"tls-skip-verify"`
|
||||
RootCA string `json:"rootca"`
|
||||
}
|
||||
|
||||
func configFlag() cli.Flag {
|
||||
@ -113,6 +114,8 @@ func getConfigValue(c *cli.Context, key string) (interface{}, error) {
|
||||
return currentContext.Email, nil
|
||||
case "token":
|
||||
return currentContext.Token, nil
|
||||
case "rootca":
|
||||
return currentContext.RootCA, nil
|
||||
case "tls-skip-verify":
|
||||
if currentContext.TLSSkipVerify {
|
||||
return true, nil
|
||||
@ -155,6 +158,8 @@ func setConfigValue(c *cli.Context, key, value string) error {
|
||||
currentContext.Email = value
|
||||
case "token":
|
||||
currentContext.Token = value
|
||||
case "rootca":
|
||||
currentContext.RootCA = value
|
||||
case "tls-skip-verify":
|
||||
boolValue, err := strconv.ParseBool(value)
|
||||
if err != nil {
|
||||
@ -180,6 +185,7 @@ func configSetCommand() cli.Command {
|
||||
flEmail string
|
||||
flToken string
|
||||
flTLSSkipVerify bool
|
||||
flRootCA string
|
||||
)
|
||||
return cli.Command{
|
||||
Name: "set",
|
||||
@ -215,6 +221,13 @@ func configSetCommand() cli.Command {
|
||||
Destination: &flTLSSkipVerify,
|
||||
Usage: "Skip TLS certificate validation",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "rootca",
|
||||
EnvVar: "ROOTCA",
|
||||
Value: "",
|
||||
Destination: &flRootCA,
|
||||
Usage: "Specify RootCA chain used to communicate with fleet",
|
||||
},
|
||||
},
|
||||
Action: func(c *cli.Context) error {
|
||||
set := false
|
||||
@ -251,6 +264,14 @@ func configSetCommand() cli.Command {
|
||||
fmt.Printf("[+] Set the tls-skip-verify config key to \"true\" in the %q context\n", c.String("context"))
|
||||
}
|
||||
|
||||
if flRootCA != "" {
|
||||
set = true
|
||||
if err := setConfigValue(c, "rootca", flRootCA); err != nil {
|
||||
return errors.Wrap(err, "error setting rootca")
|
||||
}
|
||||
fmt.Printf("[+] Set the rootca config key to %q in the %q context\n", flRootCA, c.String("context"))
|
||||
}
|
||||
|
||||
if !set {
|
||||
return cli.ShowCommandHelp(c, "set")
|
||||
}
|
||||
@ -278,7 +299,7 @@ func configGetCommand() cli.Command {
|
||||
|
||||
// validate key
|
||||
switch key {
|
||||
case "address", "email", "token", "tls-skip-verify":
|
||||
case "address", "email", "token", "tls-skip-verify", "rootca":
|
||||
default:
|
||||
return cli.ShowCommandHelp(c, "get")
|
||||
}
|
||||
|
||||
@ -3,8 +3,10 @@ package service
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
@ -20,7 +22,7 @@ type Client struct {
|
||||
insecureSkipVerify bool
|
||||
}
|
||||
|
||||
func NewClient(addr string, insecureSkipVerify bool) (*Client, error) {
|
||||
func NewClient(addr string, insecureSkipVerify bool, rootCA string) (*Client, error) {
|
||||
if !strings.HasPrefix(addr, "https://") {
|
||||
return nil, errors.New("Addrress must start with https://")
|
||||
}
|
||||
@ -30,9 +32,33 @@ func NewClient(addr string, insecureSkipVerify bool) (*Client, error) {
|
||||
return nil, errors.Wrap(err, "parsing URL")
|
||||
}
|
||||
|
||||
rootCAPool, err := x509.SystemCertPool()
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "loading system cert pool")
|
||||
}
|
||||
|
||||
if rootCA != "" {
|
||||
// set up empty cert pool
|
||||
rootCAPool = x509.NewCertPool()
|
||||
|
||||
// read in the root cert file specified in the context
|
||||
certs, err := ioutil.ReadFile(rootCA)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "reading root CA")
|
||||
}
|
||||
|
||||
// add certs to new cert pool
|
||||
if ok := rootCAPool.AppendCertsFromPEM(certs); !ok {
|
||||
return nil, errors.Wrap(err, "adding root CA")
|
||||
}
|
||||
}
|
||||
|
||||
httpClient := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipVerify},
|
||||
TLSClientConfig: &tls.Config{
|
||||
InsecureSkipVerify: insecureSkipVerify,
|
||||
RootCAs: rootCAPool,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user