add TLS flags for TCP tunnel (#1725)

This commit is contained in:
Caleb Doxsey 2020-12-29 14:36:52 -07:00 committed by GitHub
parent 73f4ee26fc
commit ea4e9fa3aa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 23 deletions


@ -15,20 +15,8 @@ import (
"github.com/pomerium/pomerium/internal/authclient" "github.com/pomerium/pomerium/internal/authclient"
) )
var kubernetesExecCredentialOption struct {
disableTLSVerification bool
alternateCAPath string
caCert string
}
func init() { func init() {
flags := kubernetesExecCredentialCmd.Flags() addTLSFlags(kubernetesExecCredentialCmd)
flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
"disables TLS verification")
flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
"path to CA certificate to use for HTTP requests")
flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
"base64-encoded CA TLS certificate to use for HTTP requests")
kubernetesCmd.AddCommand(kubernetesExecCredentialCmd) kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
rootCmd.AddCommand(kubernetesCmd) rootCmd.AddCommand(kubernetesCmd)
} }
@ -57,11 +45,7 @@ var kubernetesExecCredentialCmd = &cobra.Command{
var tlsConfig *tls.Config var tlsConfig *tls.Config
if serverURL.Scheme == "https" { if serverURL.Scheme == "https" {
tlsConfig = getTLSConfig( tlsConfig = getTLSConfig()
kubernetesExecCredentialOption.disableTLSVerification,
kubernetesExecCredentialOption.caCert,
kubernetesExecCredentialOption.alternateCAPath,
)
} }
ac := authclient.New(authclient.WithTLSConfig(tlsConfig)) ac := authclient.New(authclient.WithTLSConfig(tlsConfig))
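Review bot: The TLS flags registered on this command are silently ignored whenever serverURL.Scheme is not "https": tlsConfig stays nil, so a user who passes `--ca-cert`, `--alternate-ca-path` or `--disable-tls-verification` against a plain-http URL gets no feedback that the options had no effect. The tcp command's hunk at `tlsConfig = getTLSConfig()` has the same gap. One option is to reject the combination up front, e.g. `if serverURL.Scheme != "https" && (tlsOptions.disableTLSVerification || tlsOptions.caCert != "" || tlsOptions.alternateCAPath != "") { fatalf("TLS flags require an https URL") }`; if ignoring them is the intended contract, a one-line comment above the `if` saying so would stop the next reader from asking. The enclosing command body starts and ends outside the hunk.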


@ -26,14 +26,30 @@ func fatalf(msg string, args ...interface{}) {
os.Exit(1) os.Exit(1)
} }
func getTLSConfig(insecureSkipVerify bool, caCert, alternateCAPath string) *tls.Config { var tlsOptions struct {
disableTLSVerification bool
alternateCAPath string
caCert string
}
func addTLSFlags(cmd *cobra.Command) {
flags := cmd.Flags()
flags.BoolVar(&tlsOptions.disableTLSVerification, "disable-tls-verification", false,
"disables TLS verification")
flags.StringVar(&tlsOptions.alternateCAPath, "alternate-ca-path", "",
"path to CA certificate to use for HTTP requests")
flags.StringVar(&tlsOptions.caCert, "ca-cert", "",
"base64-encoded CA TLS certificate to use for HTTP requests")
}
func getTLSConfig() *tls.Config {
cfg := new(tls.Config) cfg := new(tls.Config)
if insecureSkipVerify { if tlsOptions.disableTLSVerification {
cfg.InsecureSkipVerify = true cfg.InsecureSkipVerify = true
} }
if caCert != "" { if tlsOptions.caCert != "" {
var err error var err error
cfg.RootCAs, err = cryptutil.GetCertPool(caCert, alternateCAPath) cfg.RootCAs, err = cryptutil.GetCertPool(tlsOptions.caCert, tlsOptions.alternateCAPath)
if err != nil { if err != nil {
fatalf("%s", err) fatalf("%s", err)
} }
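Review bot: `--alternate-ca-path` is only consulted when `--ca-cert` is also set, because the guard `if tlsOptions.caCert != ""` gates the whole GetCertPool call; now that this helper is shared with the tcp command, a user who passes only a CA file path silently keeps the default root pool. If cryptutil.GetCertPool accepts an empty encoded cert alongside a path (its body is not visible here), the guard should become `if tlsOptions.caCert != "" || tlsOptions.alternateCAPath != "" {`; otherwise the flag help text should say the path is only used together with `--ca-cert`. tlsOptions and addTLSFlags also lack doc comments, and since the struct is package-level it is worth stating that every command registered via addTLSFlags reads the same values, e.g. `// tlsOptions holds the TLS flag values shared by every command that calls addTLSFlags.` and `// addTLSFlags registers the --disable-tls-verification, --alternate-ca-path and --ca-cert flags on cmd; getTLSConfig reads their values.`. getTLSConfig's body continues past the end of the hunk.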


@ -25,6 +25,7 @@ var tcpCmdOptions struct {
} }
func init() { func init() {
addTLSFlags(tcpCmd)
flags := tcpCmd.Flags() flags := tcpCmd.Flags()
flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0", flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0",
"local address to start a listener on") "local address to start a listener on")
@ -63,7 +64,7 @@ var tcpCmd = &cobra.Command{
var tlsConfig *tls.Config var tlsConfig *tls.Config
if pomeriumURL.Scheme == "https" { if pomeriumURL.Scheme == "https" {
tlsConfig = getTLSConfig(false, "", "") tlsConfig = getTLSConfig()
} }
l := zerolog.New(zerolog.NewConsoleWriter(func(w *zerolog.ConsoleWriter) { l := zerolog.New(zerolog.NewConsoleWriter(func(w *zerolog.ConsoleWriter) {