Merge pull request #1309 from hashicorp/b-fix-consul-tls

Teach config.ConsulConfig how to construct a consulapi TLS client.

command/agent/consul/syncer.go

@@ -25,10 +25,8 @@
 package consul
 
 import (
-	"crypto/tls"
 	"fmt"
 	"log"
-	"net/http"
 	"net/url"
 	"strings"
 	"sync"
@@ -152,66 +150,19 @@ type Syncer struct {
 
 // NewSyncer returns a new consul.Syncer
 func NewSyncer(consulConfig *config.ConsulConfig, shutdownCh chan struct{}, logger *log.Logger) (*Syncer, error) {
+	var consulClientConfig *consul.Config
 	var err error
-	var c *consul.Client
-
-	cfg := consul.DefaultConfig()
-
-	// If a nil consulConfig was provided, fall back to the default config
-	if consulConfig == nil {
-		consulConfig = config.DefaultConsulConfig()
+	consulClientConfig, err = consulConfig.ApiConfig()
+	if err != nil {
+		return nil, err
 	}
 
-	if consulConfig.Addr != "" {
-		cfg.Address = consulConfig.Addr
-	}
-	if consulConfig.Token != "" {
-		cfg.Token = consulConfig.Token
-	}
-	if consulConfig.Auth != "" {
-		var username, password string
-		if strings.Contains(consulConfig.Auth, ":") {
-			split := strings.SplitN(consulConfig.Auth, ":", 2)
-			username = split[0]
-			password = split[1]
-		} else {
-			username = consulConfig.Auth
-		}
-
-		cfg.HttpAuth = &consul.HttpBasicAuth{
-			Username: username,
-			Password: password,
-		}
-	}
-	if consulConfig.EnableSSL {
-		cfg.Scheme = "https"
-		tlsCfg := consul.TLSConfig{
-			Address:            cfg.Address,
-			CAFile:             consulConfig.CAFile,
-			CertFile:           consulConfig.CertFile,
-			KeyFile:            consulConfig.KeyFile,
-			InsecureSkipVerify: !consulConfig.VerifySSL,
-		}
-		tlsClientCfg, err := consul.SetupTLSConfig(&tlsCfg)
-		if err != nil {
-			return nil, fmt.Errorf("error creating tls client config for consul: %v", err)
-		}
-		cfg.HttpClient.Transport = &http.Transport{
-			TLSClientConfig: tlsClientCfg,
-		}
-	}
-	if consulConfig.EnableSSL && !consulConfig.VerifySSL {
-		cfg.HttpClient.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-		}
-	}
-	if c, err = consul.NewClient(cfg); err != nil {
+	var consulClient *consul.Client
+	if consulClient, err = consul.NewClient(consulClientConfig); err != nil {
 		return nil, err
 	}
 	consulSyncer := Syncer{
-		client:            c,
+		client:            consulClient,
 		logger:            logger,
 		consulAvailable:   true,
 		shutdownCh:        shutdownCh,

nomad/structs/config/consul.go

@@ -1,6 +1,10 @@
 package config
 
 import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"strings"
 	"time"
 
 	consul "github.com/hashicorp/consul/api"
@@ -139,10 +143,48 @@ func (c *ConsulConfig) ApiConfig() (*consul.Config, error) {
 	if c.Token != "" {
 		config.Token = c.Token
 	}
-
 	if c.Timeout != 0 {
 		config.HttpClient.Timeout = c.Timeout
 	}
+	if c.Auth != "" {
+		var username, password string
+		if strings.Contains(c.Auth, ":") {
+			split := strings.SplitN(c.Auth, ":", 2)
+			username = split[0]
+			password = split[1]
+		} else {
+			username = c.Auth
+		}
+
+		config.HttpAuth = &consul.HttpBasicAuth{
+			Username: username,
+			Password: password,
+		}
+	}
+	if c.EnableSSL {
+		config.Scheme = "https"
+		tlsConfig := consul.TLSConfig{
+			Address:            config.Address,
+			CAFile:             c.CAFile,
+			CertFile:           c.CertFile,
+			KeyFile:            c.KeyFile,
+			InsecureSkipVerify: !c.VerifySSL,
+		}
+		tlsClientCfg, err := consul.SetupTLSConfig(&tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("error creating tls client config for consul: %v", err)
+		}
+		config.HttpClient.Transport = &http.Transport{
+			TLSClientConfig: tlsClientCfg,
+		}
+	}
+	if c.EnableSSL && !c.VerifySSL {
+		config.HttpClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+	}
 
 	return config, nil
 }