consul/command/resource/client/grpc-config.go
wangxinyi7 013bcefe5c
grpc client in tls mode (#19680)
* client in tls mode
2023-12-19 10:04:55 -08:00

136 lines
3.8 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package client
import (
"fmt"
"os"
"strconv"
"strings"
)
const (
// GRPCAddrEnvName defines an environment variable name which sets the gRPC
// server address for the consul CLI.
GRPCAddrEnvName = "CONSUL_GRPC_ADDR"
// GRPCTLSEnvName defines an environment variable name which sets the gRPC
// communication mode. Default is false in plaintext mode.
GRPCTLSEnvName = "CONSUL_GRPC_TLS"
// GRPCTLSVerifyEnvName defines an environment variable name which sets
// whether to disable certificate checking.
GRPCTLSVerifyEnvName = "CONSUL_GRPC_TLS_VERIFY"
// GRPCClientCertEnvName defines an environment variable name which sets the
// client cert file to use for talking to Consul over TLS.
GRPCClientCertEnvName = "CONSUL_GRPC_CLIENT_CERT"
// GRPCClientKeyEnvName defines an environment variable name which sets the
// client key file to use for talking to Consul over TLS.
GRPCClientKeyEnvName = "CONSUL_GRPC_CLIENT_KEY"
// GRPCCAFileEnvName defines an environment variable name which sets the
// CA file to use for talking to Consul gRPC over TLS.
GRPCCAFileEnvName = "CONSUL_GRPC_CACERT"
// GRPCCAPathEnvName defines an environment variable name which sets the
// path to a directory of CA certs to use for talking to Consul gRPC over TLS.
GRPCCAPathEnvName = "CONSUL_GRPC_CAPATH"
)
type GRPCConfig struct {
// Address is the optional address of the Consul server in format of host:port.
// It doesn't include schema
Address string
// GRPCTLS is the optional boolean flag to determine the communication protocol
GRPCTLS bool
// GRPCTLSVerify is the optional boolean flag to disable certificate checking.
// Set to false only if you want to skip server verification
GRPCTLSVerify bool
// CertFile is the optional path to the certificate for Consul
// communication. If this is set then you need to also set KeyFile.
CertFile string
// KeyFile is the optional path to the private key for Consul communication.
// If this is set then you need to also set CertFile.
KeyFile string
// CAFile is the optional path to the CA certificate used for Consul
// communication, defaults to the system bundle if not specified.
CAFile string
// CAPath is the optional path to a directory of CA certificates to use for
// Consul communication, defaults to the system bundle if not specified.
CAPath string
}
func GetDefaultGRPCConfig() *GRPCConfig {
return &GRPCConfig{
Address: "127.0.0.1:8502",
GRPCTLSVerify: false,
}
}
func LoadGRPCConfig(defaultConfig *GRPCConfig) (*GRPCConfig, error) {
if defaultConfig == nil {
defaultConfig = GetDefaultGRPCConfig()
}
overwrittenConfig, err := loadEnvToDefaultConfig(defaultConfig)
if err != nil {
return nil, err
}
return overwrittenConfig, nil
}
func loadEnvToDefaultConfig(config *GRPCConfig) (*GRPCConfig, error) {
if addr := os.Getenv(GRPCAddrEnvName); addr != "" {
if strings.HasPrefix(strings.ToLower(addr), "https://") {
config.GRPCTLS = true
}
config.Address = removeSchemaFromGRPCAddress(addr)
}
if tlsMode := os.Getenv(GRPCTLSEnvName); tlsMode != "" {
doTLS, err := strconv.ParseBool(tlsMode)
if err != nil {
return nil, fmt.Errorf("failed to parse %s: %w", GRPCTLSEnvName, err)
}
if doTLS {
config.GRPCTLS = true
}
}
if v := os.Getenv(GRPCTLSVerifyEnvName); v != "" {
doVerify, err := strconv.ParseBool(v)
if err != nil {
return nil, fmt.Errorf("failed to parse %s: %w", GRPCTLSVerifyEnvName, err)
}
config.GRPCTLSVerify = doVerify
}
if v := os.Getenv(GRPCClientCertEnvName); v != "" {
config.CertFile = v
}
if v := os.Getenv(GRPCClientKeyEnvName); v != "" {
config.KeyFile = v
}
if caFile := os.Getenv(GRPCCAFileEnvName); caFile != "" {
config.CAFile = caFile
}
if caPath := os.Getenv(GRPCCAPathEnvName); caPath != "" {
config.CAPath = caPath
}
return config, nil
}