Integrated TLS auth for etcd and consul

2016-02-19 17:10:48 +01:00 · 2016-02-19 17:10:48 +01:00 · dc10c56b35
commit dc10c56b35
parent 331cd173ce
5 changed files with 129 additions and 11 deletions
--- a/provider/kv.go
+++ b/provider/kv.go
@ -2,6 +2,10 @@
 package provider

 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
 	"strings"
 	"text/template"
 	"time"
@ -18,18 +22,55 @@ type Kv struct {
 	BaseProvider `mapstructure:",squash"`
 	Endpoint     string
 	Prefix       string
+	TLS          *KvTLS
 	storeType    store.Backend
 	kvclient     store.Store
 }

+// KvTLS holds TLS specific configurations
+type KvTLS struct {
+	CA                 string
+	Cert               string
+	Key                string
+	InsecureSkipVerify bool
+}
+
 func (provider *Kv) provide(configurationChan chan<- types.ConfigMessage) error {
+	storeConfig := &store.Config{
+		ConnectionTimeout: 30 * time.Second,
+		Bucket:            "traefik",
+	}
+
+	if provider.TLS != nil {
+		caPool := x509.NewCertPool()
+
+		if provider.TLS.CA != "" {
+			ca, err := ioutil.ReadFile(provider.TLS.CA)
+
+			if err != nil {
+				return fmt.Errorf("Failed to read CA. %s", err)
+			}
+
+			caPool.AppendCertsFromPEM(ca)
+		}
+
+		cert, err := tls.LoadX509KeyPair(provider.TLS.Cert, provider.TLS.Key)
+
+		if err != nil {
+			return fmt.Errorf("Failed to load keypair. %s", err)
+		}
+
+		storeConfig.TLS = &tls.Config{
+			Certificates:       []tls.Certificate{cert},
+			RootCAs:            caPool,
+			InsecureSkipVerify: provider.TLS.InsecureSkipVerify,
+		}
+	}
+
 	kv, err := libkv.NewStore(
 		provider.storeType,
 		[]string{provider.Endpoint},
-		&store.Config{
-			ConnectionTimeout: 30 * time.Second,
-			Bucket:            "traefik",
-		},
+		storeConfig,
 	)
 	if err != nil {
 		return err