add hspki_disable and client logic
parent
522451f45b
commit
6aad159cab
40
grpc.go
40
grpc.go
|
@ -38,6 +38,7 @@ var (
|
||||||
flagCertificatePath string
|
flagCertificatePath string
|
||||||
flagKeyPath string
|
flagKeyPath string
|
||||||
flagPKIRealm string
|
flagPKIRealm string
|
||||||
|
flagPKIDisable bool
|
||||||
|
|
||||||
// Enable logging HSPKI info into traces
|
// Enable logging HSPKI info into traces
|
||||||
Trace = true
|
Trace = true
|
||||||
|
@ -53,6 +54,7 @@ func init() {
|
||||||
flag.StringVar(&flagCertificatePath, "hspki_tls_certificate_path", "pki/service.pem", "Path to PKI service certificate")
|
flag.StringVar(&flagCertificatePath, "hspki_tls_certificate_path", "pki/service.pem", "Path to PKI service certificate")
|
||||||
flag.StringVar(&flagKeyPath, "hspki_tls_key_path", "pki/service-key.pem", "Path to PKI service private key")
|
flag.StringVar(&flagKeyPath, "hspki_tls_key_path", "pki/service-key.pem", "Path to PKI service private key")
|
||||||
flag.StringVar(&flagPKIRealm, "hspki_realm", "svc.cluster.local", "PKI realm")
|
flag.StringVar(&flagPKIRealm, "hspki_realm", "svc.cluster.local", "PKI realm")
|
||||||
|
flag.BoolVar(&flagPKIDisable, "hspki_disable", false, "Disable PKI entirely (insecure!)")
|
||||||
Log.SetHandler(log.DiscardHandler())
|
Log.SetHandler(log.DiscardHandler())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -166,6 +168,9 @@ func WithServerHSPKI() []grpc.ServerOption {
|
||||||
log.Crit("WithServerHSPKI called before flag.Parse!")
|
log.Crit("WithServerHSPKI called before flag.Parse!")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
if flagPKIDisable {
|
||||||
|
return []grpc.ServerOption{}
|
||||||
|
}
|
||||||
serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
|
serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Crit("WithServerHSPKI: cannot load service certificate/key", "err", err)
|
log.Crit("WithServerHSPKI: cannot load service certificate/key", "err", err)
|
||||||
|
@ -193,3 +198,38 @@ func WithServerHSPKI() []grpc.ServerOption {
|
||||||
|
|
||||||
return []grpc.ServerOption{creds, interceptor}
|
return []grpc.ServerOption{creds, interceptor}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithClientHSPKI is a grpc.DialOption that ensures that we have the right credentials
|
||||||
|
// loaded when talking to a HSPKI service.
|
||||||
|
func WithClientHSPKI() grpc.DialOption {
|
||||||
|
if !flag.Parsed() {
|
||||||
|
log.Crit("WithServerHSPKI called before flag.Parse!")
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
if flagPKIDisable {
|
||||||
|
return grpc.WithInsecure()
|
||||||
|
}
|
||||||
|
|
||||||
|
certPool := x509.NewCertPool()
|
||||||
|
ca, err := ioutil.ReadFile(flagCAPath)
|
||||||
|
if err != nil {
|
||||||
|
log.Crit("WithClientHSPKI: cannot load CA certificate", "err", err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
if ok := certPool.AppendCertsFromPEM(ca); !ok {
|
||||||
|
log.Crit("WithClientHSPKI: cannot use CA certificate", "err", err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
clientCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
|
||||||
|
if err != nil {
|
||||||
|
log.Crit("WithClientHSPKI: cannot load service certificate/key", "err", err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
creds := credentials.NewTLS(&tls.Config{
|
||||||
|
Certificates: []tls.Certificate{clientCert},
|
||||||
|
RootCAs: certPool,
|
||||||
|
})
|
||||||
|
return grpc.WithTransportCredentials(creds)
|
||||||
|
}
|
||||||
|
|
Reference in New Issue