Add option to set certificate in-memory via SDK

2026-01-01 16:05:42 +03:00 · 2019-12-16 10:59:27 +01:00
parent 34a5a3a6a6
commit 3d9701f6f1
6 changed files with 41 additions and 8 deletions
--- a/api/api.go
+++ b/api/api.go
@@ -178,6 +178,10 @@ type TLSConfig struct {
 	// the Nomad server SSL certificate.
 	CAPath string

+	// CAInMemCert is the PEM-encoded CA cert to use to verify the Nomad server
+	// SSL certificate.
+	CAInMemCert []byte
+
 	// ClientCert is the path to the certificate for Nomad communication
 	ClientCert string

@@ -348,8 +352,9 @@ func ConfigureTLS(httpClient *http.Client, tlsConfig *TLSConfig) error {

 	clientTLSConfig := httpClient.Transport.(*http.Transport).TLSClientConfig
 	rootConfig := &rootcerts.Config{
-		CAFile: tlsConfig.CACert,
-		CAPath: tlsConfig.CAPath,
+		CAFile:        tlsConfig.CACert,
+		CAPath:        tlsConfig.CAPath,
+		CACertificate: tlsConfig.CAInMemCert,
 	}
 	if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
 		return err
--- a/vendor/github.com/hashicorp/go-rootcerts/README.md
+++ b/vendor/github.com/hashicorp/go-rootcerts/README.md
@@ -28,8 +28,9 @@ Here's a snippet demonstrating how this library is meant to be used:
 func httpClient() (*http.Client, error)
 	tlsConfig := &tls.Config{}
 	err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
-		CAFile: os.Getenv("MYAPP_CAFILE"),
-		CAPath: os.Getenv("MYAPP_CAPATH"),
+		CAFile:      os.Getenv("MYAPP_CAFILE"),
+		CAPath:      os.Getenv("MYAPP_CAPATH"),
+		Certificate: os.Getenv("MYAPP_CERTIFICATE"),
 	})
 	if err != nil {
 		return nil, err
--- a/vendor/github.com/hashicorp/go-rootcerts/go.mod
+++ b/vendor/github.com/hashicorp/go-rootcerts/go.mod
@@ -0,0 +1,5 @@
+module github.com/hashicorp/go-rootcerts
+
+go 1.12
+
+require github.com/mitchellh/go-homedir v1.1.0
--- a/vendor/github.com/hashicorp/go-rootcerts/go.sum
+++ b/vendor/github.com/hashicorp/go-rootcerts/go.sum
@@ -0,0 +1,2 @@
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
--- a/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
+++ b/vendor/github.com/hashicorp/go-rootcerts/rootcerts.go
@@ -3,21 +3,26 @@ package rootcerts
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 )

-// Config determines where LoadCACerts will load certificates from. When both
-// CAFile and CAPath are blank, this library's functions will either load
+// Config determines where LoadCACerts will load certificates from. When CAFile,
+// CACertificate and CAPath are blank, this library's functions will either load
 // system roots explicitly and return them, or set the CertPool to nil to allow
 // Go's standard library to load system certs.
 type Config struct {
 	// CAFile is a path to a PEM-encoded certificate file or bundle. Takes
-	// precedence over CAPath.
+	// precedence over CACertificate and CAPath.
 	CAFile string

+	// CACertificate is a PEM-encoded certificate or bundle. Takes precedence
+	// over CAPath.
+	CACertificate []byte
+
 	// CAPath is a path to a directory populated with PEM-encoded certificates.
 	CAPath string
 }
@@ -44,6 +49,9 @@ func LoadCACerts(c *Config) (*x509.CertPool, error) {
 	if c.CAFile != "" {
 		return LoadCAFile(c.CAFile)
 	}
+	if len(c.CACertificate) != 0 {
+		return AppendCertificate(c.CACertificate)
+	}
 	if c.CAPath != "" {
 		return LoadCAPath(c.CAPath)
 	}
@@ -68,6 +76,18 @@ func LoadCAFile(caFile string) (*x509.CertPool, error) {
 	return pool, nil
 }

+// AppendCertificate appends an in-memory PEM-encoded certificate or bundle and returns a pool.
+func AppendCertificate(ca []byte) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	ok := pool.AppendCertsFromPEM(ca)
+	if !ok {
+		return nil, errors.New("Error appending CA: Couldn't parse PEM")
+	}
+
+	return pool, nil
+}
+
 // LoadCAPath walks the provided path and loads all certificates encounted into
 // a pool.
 func LoadCAPath(caPath string) (*x509.CertPool, error) {
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -241,7 +241,7 @@
 		{"path":"github.com/hashicorp/go-plugin/internal/plugin","checksumSHA1":"uTvnRQ5UWn/bhRxbW/UCfYFseSc=","revision":"809113480b559c989ea9cfcff62e9d387961f60b","revisionTime":"2019-10-04T17:18:45Z"},
 		{"path":"github.com/hashicorp/go-plugin/internal/proto","checksumSHA1":"Ikbb1FngsPR79bHhr2UmKk4CblI=","revision":"f444068e8f5a19853177f7aa0aea7e7d95b5b528","revisionTime":"2018-12-12T15:08:38Z"},
 		{"path":"github.com/hashicorp/go-retryablehttp","checksumSHA1":"9SqwC2BzFbsWulQuBG2+QEliTpo=","revision":"73489d0a1476f0c9e6fb03f9c39241523a496dfd","revisionTime":"2019-01-26T20:33:39Z"},
-		{"path":"github.com/hashicorp/go-rootcerts","checksumSHA1":"A1PcINvF3UiwHRKn8UcgARgvGRs=","revision":"6bb64b370b90e7ef1fa532be9e591a81c3493e00","revisionTime":"2016-05-03T14:34:40Z"},
+		{"path":"github.com/hashicorp/go-rootcerts","checksumSHA1":"hfxPtUTFbsE5C1P6gY/gCb9KmP4=","revision":"98fadc2a5ba2ad2a534a179b352ecdfd1f4259aa","revisionTime":"2019-12-10T09:55:28Z","version":"=v1.0.2","versionExact":"v1.0.2"},
 		{"path":"github.com/hashicorp/go-safetemp","checksumSHA1":"CduvzBFfTv77nhjtXPGdIjQQLMI=","revision":"b1a1dbde6fdc11e3ae79efd9039009e22d4ae240","revisionTime":"2018-03-26T21:11:50Z"},
 		{"path":"github.com/hashicorp/go-sockaddr","checksumSHA1":"J47ySO1q0gcnmoMnir1q1loKzCk=","revision":"6d291a969b86c4b633730bfc6b8b9d64c3aafed9","revisionTime":"2018-03-20T11:50:54Z"},
 		{"path":"github.com/hashicorp/go-sockaddr/template","checksumSHA1":"PDp9DVLvf3KWxhs4G4DpIwauMSU=","revision":"6d291a969b86c4b633730bfc6b8b9d64c3aafed9","revisionTime":"2018-03-20T11:50:54Z"},