From 592953309e743a7bd4ad8a56040a52a04e3acbeb Mon Sep 17 00:00:00 2001 From: Armon Dadgar Date: Fri, 4 Apr 2014 16:52:39 -0700 Subject: [PATCH] agent: Passthrough of TLS configurations --- command/agent/agent.go | 7 +++++++ command/agent/config.go | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/command/agent/agent.go b/command/agent/agent.go index c456f1bd98..80bd701ca1 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -169,6 +169,13 @@ func (a *Agent) consulConfig() *consul.Config { base.ProtocolVersion = uint8(a.config.Protocol) } + // Copy the TLS configuration + base.VerifyIncoming = a.config.VerifyIncoming + base.VerifyOutgoing = a.config.VerifyOutgoing + base.CAFile = a.config.CAFile + base.CertFile = a.config.CertFile + base.KeyFile = a.config.KeyFile + // Setup the ServerUp callback base.ServerUp = a.state.ConsulServerUp diff --git a/command/agent/config.go b/command/agent/config.go index a2e83740b9..18edee0d53 100644 --- a/command/agent/config.go +++ b/command/agent/config.go @@ -103,6 +103,28 @@ type Config struct { // EnableDebug is used to enable various debugging features EnableDebug bool `mapstructure:"enable_debug"` + // VerifyIncoming is used to verify the authenticity of incoming connections. + // This means that TCP requests are forbidden, only allowing for TLS. TLS connections + // must match a provided certificate authority. This can be used to force client auth. + VerifyIncoming bool `mapstructure:"verify_incoming"` + + // VerifyOutgoing is used to verify the authenticity of outgoing connections. + // This means that TLS requests are used. TLS connections must match a provided + // certificate authority. This is used to verify authenticity of server nodes. + VerifyOutgoing bool `mapstructure:"verify_outgoing"` + + // CAFile is a path to a certificate authority file. This is used with VerifyIncoming + // or VerifyOutgoing to verify the TLS connection. + CAFile string `mapstructure:"ca_file"` + + // CertFile is used to provide a TLS certificate that is used for serving TLS connections. + // Must be provided to serve TLS connections. + CertFile string `mapstructure:"cert_file"` + + // KeyFile is used to provide a TLS key that is used for serving TLS connections. + // Must be provided to serve TLS connections. + KeyFile string `mapstructure:"key_file"` + // Checks holds the provided check definitions Checks []*CheckDefinition `mapstructure:"-"` @@ -335,6 +357,21 @@ func MergeConfig(a, b *Config) *Config { if b.EnableDebug { result.EnableDebug = true } + if b.VerifyIncoming { + result.VerifyIncoming = true + } + if b.VerifyOutgoing { + result.VerifyOutgoing = true + } + if b.CAFile != "" { + result.CAFile = b.CAFile + } + if b.CertFile != "" { + result.CertFile = b.CertFile + } + if b.KeyFile != "" { + result.KeyFile = b.KeyFile + } if b.Checks != nil { result.Checks = append(result.Checks, b.Checks...) }