Observer pattern for service registration interface (#8123)

* use observer pattern for service discovery * update perf standby method * fix test * revert usersTags to being called serviceTags * use previous consul code * vault isnt a performance standby before starting * log err * changes from feedback * add Run method to interface * changes from feedback * fix core test * update example
2025-11-01 19:17:58 +00:00 · 2020-01-24 09:42:03 -08:00
parent ae0892b3ce
commit d7d4084c86
13 changed files with 480 additions and 378 deletions
--- a/sdk/helper/tlsutil/tlsutil.go
+++ b/sdk/helper/tlsutil/tlsutil.go
@@ -5,7 +5,12 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"net"
+	"strings"

+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 )

@@ -110,3 +115,72 @@ func ClientTLSConfig(caCert []byte, clientCert []byte, clientKey []byte) (*tls.C

 	return tlsConfig, nil
 }
+
+func SetupTLSConfig(conf map[string]string, address string) (*tls.Config, error) {
+	serverName, _, err := net.SplitHostPort(address)
+	switch {
+	case err == nil:
+	case strings.Contains(err.Error(), "missing port"):
+		serverName = conf["address"]
+	default:
+		return nil, err
+	}
+
+	insecureSkipVerify := false
+	tlsSkipVerify := conf["tls_skip_verify"]
+
+	if tlsSkipVerify != "" {
+		b, err := parseutil.ParseBool(tlsSkipVerify)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed parsing tls_skip_verify parameter: {{err}}", err)
+		}
+		insecureSkipVerify = b
+	}
+
+	tlsMinVersionStr, ok := conf["tls_min_version"]
+	if !ok {
+		// Set the default value
+		tlsMinVersionStr = "tls12"
+	}
+
+	tlsMinVersion, ok := TLSLookup[tlsMinVersionStr]
+	if !ok {
+		return nil, fmt.Errorf("invalid 'tls_min_version'")
+	}
+
+	tlsClientConfig := &tls.Config{
+		MinVersion:         tlsMinVersion,
+		InsecureSkipVerify: insecureSkipVerify,
+		ServerName:         serverName,
+	}
+
+	_, okCert := conf["tls_cert_file"]
+	_, okKey := conf["tls_key_file"]
+
+	if okCert && okKey {
+		tlsCert, err := tls.LoadX509KeyPair(conf["tls_cert_file"], conf["tls_key_file"])
+		if err != nil {
+			return nil, errwrap.Wrapf("client tls setup failed: {{err}}", err)
+		}
+
+		tlsClientConfig.Certificates = []tls.Certificate{tlsCert}
+	} else if okCert || okKey {
+		return nil, fmt.Errorf("both tls_cert_file and tls_key_file must be provided")
+	}
+
+	if tlsCaFile, ok := conf["tls_ca_file"]; ok {
+		caPool := x509.NewCertPool()
+
+		data, err := ioutil.ReadFile(tlsCaFile)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to read CA file: {{err}}", err)
+		}
+
+		if !caPool.AppendCertsFromPEM(data) {
+			return nil, fmt.Errorf("failed to parse CA certificate")
+		}
+
+		tlsClientConfig.RootCAs = caPool
+	}
+	return tlsClientConfig, nil
+}