Add ability to pass certificate PEM bytes to vault/api (#14753)
This commit is contained in:
committed by
GitHub
parent
7d520d4022
commit
18ee7d90be
@@ -36,6 +36,7 @@ const (
|
||||
EnvVaultAddress = "VAULT_ADDR"
|
||||
EnvVaultAgentAddr = "VAULT_AGENT_ADDR"
|
||||
EnvVaultCACert = "VAULT_CACERT"
|
||||
EnvVaultCACertBytes = "VAULT_CACERT_BYTES"
|
||||
EnvVaultCAPath = "VAULT_CAPATH"
|
||||
EnvVaultClientCert = "VAULT_CLIENT_CERT"
|
||||
EnvVaultClientKey = "VAULT_CLIENT_KEY"
|
||||
@@ -172,9 +173,14 @@ type Config struct {
|
||||
// used to communicate with Vault.
|
||||
type TLSConfig struct {
|
||||
// CACert is the path to a PEM-encoded CA cert file to use to verify the
|
||||
// Vault server SSL certificate.
|
||||
// Vault server SSL certificate. It takes precedence over CACertBytes
|
||||
// and CAPath.
|
||||
CACert string
|
||||
|
||||
// CACertBytes is a PEM-encoded certificate or bundle. It takes precedence
|
||||
// over CAPath.
|
||||
CACertBytes []byte
|
||||
|
||||
// CAPath is the path to a directory of PEM-encoded CA cert files to verify
|
||||
// the Vault server SSL certificate.
|
||||
CAPath string
|
||||
@@ -266,12 +272,13 @@ func (c *Config) configureTLS(t *TLSConfig) error {
|
||||
return fmt.Errorf("both client cert and client key must be provided")
|
||||
}
|
||||
|
||||
if t.CACert != "" || t.CAPath != "" {
|
||||
if t.CACert != "" || len(t.CACertBytes) != 0 || t.CAPath != "" {
|
||||
c.curlCACert = t.CACert
|
||||
c.curlCAPath = t.CAPath
|
||||
rootConfig := &rootcerts.Config{
|
||||
CAFile: t.CACert,
|
||||
CAPath: t.CAPath,
|
||||
CAFile: t.CACert,
|
||||
CACertificate: t.CACertBytes,
|
||||
CAPath: t.CAPath,
|
||||
}
|
||||
if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
|
||||
return err
|
||||
@@ -313,6 +320,7 @@ func (c *Config) ReadEnvironment() error {
|
||||
var envAddress string
|
||||
var envAgentAddress string
|
||||
var envCACert string
|
||||
var envCACertBytes []byte
|
||||
var envCAPath string
|
||||
var envClientCert string
|
||||
var envClientKey string
|
||||
@@ -343,6 +351,9 @@ func (c *Config) ReadEnvironment() error {
|
||||
if v := os.Getenv(EnvVaultCACert); v != "" {
|
||||
envCACert = v
|
||||
}
|
||||
if v := os.Getenv(EnvVaultCACertBytes); v != "" {
|
||||
envCACertBytes = []byte(v)
|
||||
}
|
||||
if v := os.Getenv(EnvVaultCAPath); v != "" {
|
||||
envCAPath = v
|
||||
}
|
||||
@@ -398,6 +409,7 @@ func (c *Config) ReadEnvironment() error {
|
||||
// Configure the HTTP clients TLS configuration.
|
||||
t := &TLSConfig{
|
||||
CACert: envCACert,
|
||||
CACertBytes: envCACertBytes,
|
||||
CAPath: envCAPath,
|
||||
ClientCert: envClientCert,
|
||||
ClientKey: envClientKey,
|
||||
|
||||
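Review bot: In the configureTLS hunk (`@@ -266,12 +272,13 @@`) the guard is widened to `len(t.CACertBytes) != 0`, but the two mirror assignments that follow, `c.curlCACert = t.CACert` and `c.curlCAPath = t.CAPath`, are left unchanged, so a client configured only through CACertBytes hands its CA material to rootcerts while both curl fields stay empty. If those fields drive a generated curl command (their consumer is not in this diff), that command would carry no CA option for such a client and fail verification instead of reproducing the client's trust configuration; either document the gap on the new field, e.g. `// CACertBytes is not reflected in the curl-string fields; use CACert or CAPath when that output matters.`, or carry the bytes alongside the path fields. The precedence stated in the TLSConfig comments (CACert over CACertBytes over CAPath) depends on how rootcerts.Config resolves CAFile, CACertificate and CAPath, which is outside this change, so a test pinning that order would protect the documented contract. configureTLS begins and ends outside the hunk.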