add TLS flags for TCP tunnel (#1725)

2025-05-05 21:36:02 +02:00 · 2020-12-29 14:36:52 -07:00 · 2020-12-29 14:36:52 -07:00 · ea4e9fa3aa
commit ea4e9fa3aa
parent 73f4ee26fc
3 changed files with 24 additions and 23 deletions
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@ -15,20 +15,8 @@ import (
 	"github.com/pomerium/pomerium/internal/authclient"
 )

-var kubernetesExecCredentialOption struct {
-	disableTLSVerification bool
-	alternateCAPath        string
-	caCert                 string
-}
-
 func init() {
-	flags := kubernetesExecCredentialCmd.Flags()
-	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
-		"disables TLS verification")
-	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
-		"path to CA certificate to use for HTTP requests")
-	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
-		"base64-encoded CA TLS certificate to use for HTTP requests")
+	addTLSFlags(kubernetesExecCredentialCmd)
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@ -57,11 +45,7 @@ var kubernetesExecCredentialCmd = &cobra.Command{

 		var tlsConfig *tls.Config
 		if serverURL.Scheme == "https" {
-			tlsConfig = getTLSConfig(
-				kubernetesExecCredentialOption.disableTLSVerification,
-				kubernetesExecCredentialOption.caCert,
-				kubernetesExecCredentialOption.alternateCAPath,
-			)
+			tlsConfig = getTLSConfig()
 		}

 		ac := authclient.New(authclient.WithTLSConfig(tlsConfig))
--- a/cmd/pomerium-cli/main.go
+++ b/cmd/pomerium-cli/main.go
@ -26,14 +26,30 @@ func fatalf(msg string, args ...interface{}) {
 	os.Exit(1)
 }

-func getTLSConfig(insecureSkipVerify bool, caCert, alternateCAPath string) *tls.Config {
+var tlsOptions struct {
+	disableTLSVerification bool
+	alternateCAPath        string
+	caCert                 string
+}
+
+func addTLSFlags(cmd *cobra.Command) {
+	flags := cmd.Flags()
+	flags.BoolVar(&tlsOptions.disableTLSVerification, "disable-tls-verification", false,
+		"disables TLS verification")
+	flags.StringVar(&tlsOptions.alternateCAPath, "alternate-ca-path", "",
+		"path to CA certificate to use for HTTP requests")
+	flags.StringVar(&tlsOptions.caCert, "ca-cert", "",
+		"base64-encoded CA TLS certificate to use for HTTP requests")
+}
+
+func getTLSConfig() *tls.Config {
 	cfg := new(tls.Config)
-	if insecureSkipVerify {
+	if tlsOptions.disableTLSVerification {
 		cfg.InsecureSkipVerify = true
 	}
-	if caCert != "" {
+	if tlsOptions.caCert != "" {
 		var err error
-		cfg.RootCAs, err = cryptutil.GetCertPool(caCert, alternateCAPath)
+		cfg.RootCAs, err = cryptutil.GetCertPool(tlsOptions.caCert, tlsOptions.alternateCAPath)
 		if err != nil {
 			fatalf("%s", err)
 		}
--- a/cmd/pomerium-cli/tcp.go
+++ b/cmd/pomerium-cli/tcp.go
@ -25,6 +25,7 @@ var tcpCmdOptions struct {
 }

 func init() {
+	addTLSFlags(tcpCmd)
 	flags := tcpCmd.Flags()
 	flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0",
 		"local address to start a listener on")
@ -63,7 +64,7 @@ var tcpCmd = &cobra.Command{

 		var tlsConfig *tls.Config
 		if pomeriumURL.Scheme == "https" {
-			tlsConfig = getTLSConfig(false, "", "")
+			tlsConfig = getTLSConfig()
 		}

 		l := zerolog.New(zerolog.NewConsoleWriter(func(w *zerolog.ConsoleWriter) {