package consulcatalog
import (
"fmt"
"github.com/hashicorp/consul/agent/connect"
"github.com/traefik/traefik/v3/pkg/config/dynamic"
traefiktls "github.com/traefik/traefik/v3/pkg/tls"
)
// connectCert holds our certificates as a client of the Consul Connect protocol.
//
// root holds the Connect root certificates; getRoot converts each entry into a
// traefiktls.FileOrContent, so an entry is whatever that type accepts
// (presumably PEM content or a file path — verify against the code that fills it).
// leaf is the client key pair (cert and key) presented to upstream services.
// A bundle is only usable once isReady reports true; the transport builders do
// not check this themselves.
type connectCert struct {
	// root becomes the RootCAs of the generated transports.
	root []string
	// leaf is the client certificate and key; both halves must be non-empty.
	leaf keyPair
}
// getRoot converts the stored root certificates into the FileOrContent form
// used as RootCAs in the dynamic TLS configuration.
//
// It returns nil (not an empty slice) when no roots are stored, so the
// encoded configuration is identical to the previous behavior.
func (c *connectCert) getRoot() []traefiktls.FileOrContent {
	if len(c.root) == 0 {
		return nil
	}
	roots := make([]traefiktls.FileOrContent, 0, len(c.root))
	for i := range c.root {
		roots = append(roots, traefiktls.FileOrContent(c.root[i]))
	}
	return roots
}
// getLeaf returns the leaf (client) certificate and private key as a
// traefiktls.Certificate, ready to be presented to upstream Connect services.
func (c *connectCert) getLeaf() traefiktls.Certificate {
	var leaf traefiktls.Certificate
	leaf.CertFile = traefiktls.FileOrContent(c.leaf.cert)
	leaf.KeyFile = traefiktls.FileOrContent(c.leaf.key)
	return leaf
}
// isReady reports whether this bundle can be used to build a transport: the
// receiver is non-nil, at least one root certificate is present, and both
// halves of the leaf key pair are set.
//
// It is safe to call on a nil receiver.
func (c *connectCert) isReady() bool {
	if c == nil {
		return false
	}
	switch {
	case len(c.root) == 0:
		return false
	case c.leaf.cert == "" || c.leaf.key == "":
		return false
	default:
		return true
	}
}
// equals reports whether two bundles carry the same root certificates (in
// the same order) and the same leaf key pair.
//
// Two nil receivers compare equal; a nil and a non-nil one do not. Root
// ordering matters: the same roots in a different order are not equal.
func (c *connectCert) equals(other *connectCert) bool {
	switch {
	case c == nil && other == nil:
		return true
	case c == nil || other == nil:
		return false
	case len(c.root) != len(other.root):
		return false
	case c.leaf != other.leaf:
		return false
	}
	for i := range c.root {
		if c.root[i] != other.root[i] {
			return false
		}
	}
	return true
}
// serversTransport builds the HTTP ServersTransport used to reach the Connect
// service described by item, presenting our leaf certificate and trusting the
// Connect root certificates.
//
// The transport sets InsecureSkipVerify, so crypto/tls itself performs no
// hostname or chain verification; the peer is instead expected to be checked
// against PeerCertURI (the service's SPIFFE ID) by the code that consumes this
// configuration, which lives outside this file. ServerName is not a real
// hostname: it is derived from namespace, datacenter and service name so that
// the configuration (and hence the transport) changes whenever the expected
// peer identity changes.
//
// Assumes the caller has checked isReady(); otherwise RootCAs or the leaf
// certificate may be empty — NOTE(review): confirm at the call sites.
func (c *connectCert) serversTransport(item itemData) *dynamic.ServersTransport {
	peerID := connect.SpiffeIDService{
		Namespace:  item.Namespace,
		Datacenter: item.Datacenter,
		Service:    item.Name,
	}

	transport := &dynamic.ServersTransport{
		ServerName:         fmt.Sprintf("%s-%s-%s", item.Namespace, item.Datacenter, item.Name),
		InsecureSkipVerify: true,
		PeerCertURI:        peerID.URI().String(),
	}
	transport.RootCAs = c.getRoot()
	transport.Certificates = traefiktls.Certificates{c.getLeaf()}
	return transport
}
// tcpServersTransport builds the TCP ServersTransport for the Connect service
// described by item. Its TLS client configuration carries the same settings
// as the HTTP transport from serversTransport: a synthetic ServerName derived
// from namespace, datacenter and service name (so the configuration changes
// when the expected peer changes), InsecureSkipVerify, the Connect roots, our
// leaf certificate and the peer's SPIFFE ID in PeerCertURI.
//
// Because InsecureSkipVerify is set, crypto/tls does not verify the peer on
// its own; the consumer of this configuration is expected to verify the peer
// against PeerCertURI (outside this file). Assumes isReady() was checked by
// the caller — NOTE(review): confirm at the call sites.
func (c *connectCert) tcpServersTransport(item itemData) *dynamic.TCPServersTransport {
	peerID := connect.SpiffeIDService{
		Namespace:  item.Namespace,
		Datacenter: item.Datacenter,
		Service:    item.Name,
	}

	tlsConfig := &dynamic.TLSClientConfig{
		ServerName:         fmt.Sprintf("%s-%s-%s", item.Namespace, item.Datacenter, item.Name),
		InsecureSkipVerify: true,
		PeerCertURI:        peerID.URI().String(),
	}
	tlsConfig.RootCAs = c.getRoot()
	tlsConfig.Certificates = traefiktls.Certificates{c.getLeaf()}

	return &dynamic.TCPServersTransport{TLS: tlsConfig}
}