Merge branch 'consul-tls'

Fixes fabiolb#276, fabiolb#501 (fixes fabiolb#391)
jen20 · Jun 6, 2018 · b0e0f21 · sev3ryn · Aug 2, 2018 · b0e0f21
2 parents 1fb35b1 + 8e58c10
commit b0e0f21
Show file tree

Hide file tree

Showing 14 changed files with 291 additions and 91 deletions.
diff --git a/config/config.go b/config/config.go
@@ -143,4 +143,9 @@ type Consul struct {
 	CheckTLSSkipVerify                  bool
 	CheckDeregisterCriticalServiceAfter string
 	ChecksRequired                      string
+	EnableSSL                           bool
+	VerifySSL                           bool
+	CAFile                              string
+	CertFile                            string
+	KeyFile                             string
 }
diff --git a/config/default.go b/config/default.go
@@ -61,6 +61,8 @@ var defaultConfig = &Config{
 			CheckScheme:                         "http",
 			CheckDeregisterCriticalServiceAfter: "90m",
 			ChecksRequired:                      "one",
+			EnableSSL:                           false,
+			VerifySSL:                           false,
 		},
 		Timeout: 10 * time.Second,
 		Retry:   500 * time.Millisecond,

diff --git a/config/load.go b/config/load.go
@@ -168,6 +168,11 @@ func load(cmdline, environ, envprefix []string, props *properties.Properties) (c
 	f.StringVar(&cfg.Registry.Consul.KVPath, "registry.consul.kvpath", defaultConfig.Registry.Consul.KVPath, "consul KV path for manual overrides")
 	f.StringVar(&cfg.Registry.Consul.NoRouteHTMLPath, "registry.consul.noroutehtmlpath", defaultConfig.Registry.Consul.NoRouteHTMLPath, "consul KV path for HTML returned when no route is found")
 	f.StringVar(&cfg.Registry.Consul.TagPrefix, "registry.consul.tagprefix", defaultConfig.Registry.Consul.TagPrefix, "prefix for consul tags")
+	f.BoolVar(&cfg.Registry.Consul.EnableSSL, "registry.consul.enableSSL", defaultConfig.Registry.Consul.EnableSSL, "enable HTTPS communication with Consul")
+	f.BoolVar(&cfg.Registry.Consul.VerifySSL, "registry.consul.verifySSL", defaultConfig.Registry.Consul.VerifySSL, "enable or disable SSL verification with Consul")
+	f.StringVar(&cfg.Registry.Consul.CAFile, "registry.consul.caFile", defaultConfig.Registry.Consul.CAFile, "the path to the ca certificate used for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.CertFile, "registry.consul.certFile", defaultConfig.Registry.Consul.CertFile, "the path to the certificate for Consul communication")
+	f.StringVar(&cfg.Registry.Consul.KeyFile, "registry.consul.keyFile", defaultConfig.Registry.Consul.KeyFile, "the path to the private key for Consul communication")
 	f.BoolVar(&cfg.Registry.Consul.Register, "registry.consul.register.enabled", defaultConfig.Registry.Consul.Register, "register fabio in consul")
 	f.StringVar(&cfg.Registry.Consul.ServiceAddr, "registry.consul.register.addr", defaultConfig.Registry.Consul.ServiceAddr, "service registration address")
 	f.StringVar(&cfg.Registry.Consul.ServiceName, "registry.consul.register.name", defaultConfig.Registry.Consul.ServiceName, "service registration name")

diff --git a/fabio.properties b/fabio.properties
@@ -626,6 +626,56 @@
 #
 # registry.consul.noroutehtmlpath = /fabio/noroute.html
 
+# registry.consul.enableSSL enables HTTPS communication with Consul.
+#
+# Consul support TLS client communication and this flag is used to
+# enable Fabio to talk to Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.enableSSL = false
+
+
+# registry.consul.verifySSL enable SSL verification with Consul.
+#
+# VerifySSL enables or disables SSL verification when the transport scheme
+#	for the Consul API client is HTTPS
+#
+# The default is
+#
+# registry.consul.verifySSL = false
+
+
+# registry.consul.caFile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.caFile =
+
+
+# registry.consul.CertFile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.CertFile =
+
+
+# registry.consul.KeyFile the path to the TLS certificate key used for Consul communication.
+#
+# This is the full path to the TLS ckey ertificate to use when communicating
+# with Consul over HTTPS.
+#
+# The default is
+#
+# registry.consul.KeyFile =
+
+
 # registry.consul.service.status configures the valid service status
 # values for services included in the routing table.
 #
@@ -717,7 +767,6 @@
 #
 # registry.consul.register.checkTLSSkipVerify = false
 
-
 # registry.consul.register.checkDeregisterCriticalServiceAfter configures
 # automatic deregistration of a service after the health check is critical for
 # this length of time.

diff --git a/registry/consul/backend.go b/registry/consul/backend.go
@@ -19,8 +19,23 @@ type be struct {
 }
 
 func NewBackend(cfg *config.Consul) (registry.Backend, error) {
+
+	var tls api.TLSConfig
+
+	if cfg.EnableSSL {
+		cfg.Scheme = "https"
+
+		tls := &api.TLSConfig{
+			Address:  cfg.Addr,
+			CAFile:   cfg.CAFile,
+			CertFile: cfg.CertFile,
+			KeyFile:  cfg.KeyFile,
+		}
+		tls.InsecureSkipVerify = !cfg.VerifySSL
+	}
+
 	// create a reusable client
-	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token})
+	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token, TLSConfig: tls})
 	if err != nil {
 		return nil, err
 	}

diff --git a/vendor/github.com/hashicorp/consul/api/acl.go b/vendor/github.com/hashicorp/consul/api/acl.go
diff --git a/vendor/github.com/hashicorp/consul/api/agent.go b/vendor/github.com/hashicorp/consul/api/agent.go