Merge pull request #1 from radenui/feat/add-mtls-capabilities

Feat/add mtls capabilities

Author: rockyluke

README.md

@@ -143,6 +143,9 @@ specifying flags is:
 --consul-url=
 --consul-acl=
 --consul-base-path=
+--ca-file=
+--key-file=
+--cert-file=
 --log-level=
 --expand-json=
 --secrets-file=
@@ -328,6 +331,27 @@ automatically appended.
 This is useful when the Consul cluster as all the KV paths segregated (namespaced) by teams or
 projects.
 
+### `--ca-file`
+
+> `require:` **no**
+> `example:` **`--ca-file=/path/my_ca.crt`**
+
+This is the path for ca certfile for mTLS connection.
+
+### `--cert-file`
+
+> `require:` **no**
+> `example:` **`--cert-file=/path/my_cert.crt`**
+
+This is the path for cert certfile mTLS connection.
+
+### `--key-file`
+
+> `require:` **no**
+> `example:` **`--key-file=/path/my_key.crt`**
+
+This is the path for key certfile mTLS connection.
+
 ### `--log-level`
 
 > `require:` **no**

app/app_test.go

@@ -4,9 +4,10 @@ import (
 	"github.com/miniclip/gonsul/internal/config"
 	"github.com/miniclip/gonsul/tests/mocks"
 
-	. "github.com/onsi/gomega"
 	"os"
 	"testing"
+
+	. "github.com/onsi/gomega"
 )
 
 func getCommonMocks() (cfg *mocks.IConfig, log *mocks.ILogger, exp *mocks.IExporter, imp *mocks.IImporter) {

cmd/gonsul.go

@@ -1,16 +1,20 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"time"
+
 	"github.com/miniclip/gonsul/app"
 	"github.com/miniclip/gonsul/internal/config"
 	"github.com/miniclip/gonsul/internal/exporter"
 	"github.com/miniclip/gonsul/internal/importer"
 	"github.com/miniclip/gonsul/internal/util"
-
-	"fmt"
-	"net/http"
-	"os"
-	"time"
 )
 
 func main() {
@@ -41,9 +45,31 @@ func start() {
 		return
 	}
 
+	var certificate tls.Certificate
+	var caCertPool *x509.CertPool
+	if len(cfg.GetKeyFile()) != 0 && len(cfg.GetCaFile()) != 0 && len(cfg.GetCertFile()) != 0 {
+		cert, err := ioutil.ReadFile(cfg.GetCaFile())
+		if err != nil {
+			log.Fatalf("could not open certificate file: %v", err)
+		}
+		caCertPool = x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cert)
+
+		certificate, err = tls.LoadX509KeyPair(cfg.GetCertFile(), cfg.GetKeyFile())
+		if err != nil {
+			log.Fatalf("could not load certificate: %v", err)
+		}
+	}
+
 	// Build all dependencies for our application
 	hookHttpServer := app.NewHookHttp(cfg, logger)
-	httpClient := &http.Client{Timeout: time.Second * time.Duration(cfg.GetTimeout())}
+	httpClient := &http.Client{Transport: &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:      caCertPool,
+			Certificates: []tls.Certificate{certificate},
+		},
+	}, Timeout: time.Second * time.Duration(cfg.GetTimeout())}
+
 	exp := exporter.NewExporter(cfg, logger)
 	imp := importer.NewImporter(cfg, logger, httpClient)
 	sigChannel := make(chan os.Signal)

internal/config/config.go

@@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"os"
 	"strings"
+
 	"github.com/namsral/flag"
 )
 
@@ -31,6 +32,9 @@ type config struct {
 	consulURL       string
 	consulACL       string
 	consulBasePath  string
+	keyFile         string
+	certFile        string
+	caFile          string
 	expandJSON      bool
 	expandYAML      bool
 	doSecrets       bool
@@ -60,6 +64,9 @@ type IConfig interface {
 	GetConsulURL() string
 	GetConsulACL() string
 	GetConsulBasePath() string
+	GetKeyFile() string
+	GetCaFile() string
+	GetCertFile() string
 	ShouldExpandJSON() bool
 	ShouldExpandYAML() bool
 	DoSecrets() bool
@@ -155,6 +162,9 @@ func buildConfig(flags ConfigFlags) (*config, error) {
 		consulURL:       *flags.ConsulURL,
 		consulACL:       *flags.ConsulACL,
 		consulBasePath:  *flags.ConsulBasePath,
+		keyFile:         *flags.KeyFile,
+		caFile:          *flags.CaFile,
+		certFile:        *flags.CertFile,
 		expandJSON:      *flags.ExpandJSON,
 		expandYAML:      *flags.ExpandYAML,
 		doSecrets:       doSecrets,
@@ -205,6 +215,18 @@ func (config *config) GetRepoBasePath() string {
 	return config.repoBasePath
 }
 
+func (config *config) GetKeyFile() string {
+	return config.keyFile
+}
+
+func (config *config) GetCaFile() string {
+	return config.caFile
+}
+
+func (config *config) GetCertFile() string {
+	return config.certFile
+}
+
 func (config *config) GetRepoRootDir() string {
 	return config.repoRootDir
 }

internal/config/flags_parser.go

@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"os"
+
 	"github.com/miniclip/gonsul/internal/util"
 	"github.com/namsral/flag"
 )
@@ -20,6 +21,9 @@ type ConfigFlags struct {
 	ConsulURL       *string
 	ConsulACL       *string
 	ConsulBasePath  *string
+	KeyFile         *string
+	CaFile          *string
+	CertFile        *string
 	ExpandJSON      *bool
 	ExpandYAML      *bool
 	SecretsFile     *string
@@ -50,6 +54,9 @@ func parseFlags() ConfigFlags {
 	flags.ConsulURL = flag.String("consul-url", "", "(REQUIRED) The Consul URL REST API endpoint (Full URL with scheme)")
 	flags.ConsulACL = flag.String("consul-acl", "", "The Consul ACL to use (Must have write on the KV following --consul-base path)")
 	flags.ConsulBasePath = flag.String("consul-base-path", "", "The base KV path will be prefixed to dir path")
+	flags.KeyFile = flag.String("key-file", "", "The key path for mTls")
+	flags.CaFile = flag.String("ca-file", "", "The ca certificate path for mTLS")
+	flags.CertFile = flag.String("cert-file", "", "The certificate path for mTLS")
 	flags.ExpandJSON = flag.Bool("expand-json", false, "Expand and parse JSON files as full paths? (Default false)")
 	flags.ExpandYAML = flag.Bool("expand-yaml", false, "Expand and parse YAML files as full paths? (Default false)")
 	flags.SecretsFile = flag.String("secrets-file", "", "A key value json file with placeholders->secrets mapping, in order to do on the fly replace")