Add Support for Consul Connect
Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com>
This commit is contained in:
Mohammad Gufran
GitHub
parent
3a180e2afc
commit
7e43e5615e
36 changed files with 2118 additions and 644 deletions
74
pkg/provider/consulcatalog/connect_tls.go
Normal file
74
pkg/provider/consulcatalog/connect_tls.go
Normal file
|
|
@ -0,0 +1,74 @@
|
|||
package consulcatalog
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/consul/agent/connect"
|
||||
"github.com/traefik/traefik/v2/pkg/config/dynamic"
|
||||
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
|
||||
)
|
||||
|
||||
// connectCert holds our certificates as a client of the Consul Connect protocol.
|
||||
type connectCert struct {
|
||||
root []string
|
||||
leaf keyPair
|
||||
// err is used to propagate to the caller (Provide) any error occurring within the certificate watcher goroutines.
|
||||
err error
|
||||
}
|
||||
|
||||
func (c *connectCert) getRoot() []traefiktls.FileOrContent {
|
||||
var result []traefiktls.FileOrContent
|
||||
for _, r := range c.root {
|
||||
result = append(result, traefiktls.FileOrContent(r))
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
func (c *connectCert) getLeaf() traefiktls.Certificate {
|
||||
return traefiktls.Certificate{
|
||||
CertFile: traefiktls.FileOrContent(c.leaf.cert),
|
||||
KeyFile: traefiktls.FileOrContent(c.leaf.key),
|
||||
}
|
||||
}
|
||||
|
||||
func (c *connectCert) isReady() bool {
|
||||
return c != nil && len(c.root) > 0 && c.leaf.cert != "" && c.leaf.key != ""
|
||||
}
|
||||
|
||||
func (c *connectCert) equals(other *connectCert) bool {
|
||||
if c == nil && other == nil {
|
||||
return true
|
||||
}
|
||||
if c == nil || other == nil {
|
||||
return false
|
||||
}
|
||||
if len(c.root) != len(other.root) {
|
||||
return false
|
||||
}
|
||||
for i, v := range c.root {
|
||||
if v != other.root[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return c.leaf == other.leaf
|
||||
}
|
||||
|
||||
func (c *connectCert) serversTransport(item itemData) *dynamic.ServersTransport {
|
||||
spiffeIDService := connect.SpiffeIDService{
|
||||
Namespace: item.Namespace,
|
||||
Datacenter: item.Datacenter,
|
||||
Service: item.Name,
|
||||
}
|
||||
|
||||
return &dynamic.ServersTransport{
|
||||
// This ensures that the config changes whenever the verifier function changes
|
||||
ServerName: fmt.Sprintf("%s-%s-%s", item.Namespace, item.Datacenter, item.Name),
|
||||
// InsecureSkipVerify is needed because Go wants to verify a hostname otherwise
|
||||
InsecureSkipVerify: true,
|
||||
RootCAs: c.getRoot(),
|
||||
Certificates: traefiktls.Certificates{
|
||||
c.getLeaf(),
|
||||
},
|
||||
PeerCertURI: spiffeIDService.URI().String(),
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue