aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2022-08-24 18:22:00 +0200
committerAlex Auvolat <alex@adnab.me>2022-08-24 18:22:00 +0200
commite7f6c15bc11ce04fdc3444f7bd1a588516e92dd9 (patch)
treea2e0a9c8c6652e170ef4aadc3d5b3953e58a7181 /src
parent730c9049ad79b15c3372cbd3737c5e90b311bd62 (diff)
downloaddiplonat-e7f6c15bc11ce04fdc3444f7bd1a588516e92dd9.tar.gz
diplonat-e7f6c15bc11ce04fdc3444f7bd1a588516e92dd9.zip
Add possibility to skip tls verification for consulconsul-tls
Diffstat (limited to 'src')
-rw-r--r--src/config/options.rs2
-rw-r--r--src/config/runtime.rs21
-rw-r--r--src/consul.rs29
3 files changed, 37 insertions, 15 deletions
diff --git a/src/config/options.rs b/src/config/options.rs
index 7334083..28b3379 100644
--- a/src/config/options.rs
+++ b/src/config/options.rs
@@ -39,6 +39,8 @@ pub struct ConfigOptsConsul {
pub url: Option<String>,
/// Consul's CA certificate [default: None]
pub ca_cert: Option<String>,
+ /// Skip TLS verification for Consul server
+ pub tls_skip_verify: bool,
/// Consul's client certificate [default: None]
pub client_cert: Option<String>,
/// Consul's client key [default: None]
diff --git a/src/config/runtime.rs b/src/config/runtime.rs
index cc80b0d..2e7b573 100644
--- a/src/config/runtime.rs
+++ b/src/config/runtime.rs
@@ -20,7 +20,7 @@ pub struct RuntimeConfigAcme {
pub struct RuntimeConfigConsul {
pub node_name: String,
pub url: String,
- pub tls: Option<(reqwest::Certificate, reqwest::Identity)>,
+ pub tls: Option<(Option<reqwest::Certificate>, bool, reqwest::Identity)>,
}
#[derive(Debug)]
@@ -80,11 +80,16 @@ impl RuntimeConfigConsul {
.expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required");
let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
- let tls = match (&opts.ca_cert, &opts.client_cert, &opts.client_key) {
- (Some(ca_cert), Some(client_cert), Some(client_key)) => {
- let mut ca_cert_buf = vec![];
- File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
- let cert = reqwest::Certificate::from_pem(&ca_cert_buf[..])?;
+ let tls = match (&opts.client_cert, &opts.client_key) {
+ (Some(client_cert), Some(client_key)) => {
+ let cert = match &opts.ca_cert {
+ Some(ca_cert) => {
+ let mut ca_cert_buf = vec![];
+ File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
+ Some(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
+ }
+ None => None,
+ };
let mut client_cert_buf = vec![];
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
@@ -95,9 +100,9 @@ impl RuntimeConfigConsul {
let ident =
reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?;
- Some((cert, ident))
+ Some((cert, opts.tls_skip_verify, ident))
}
- (None, None, None) => None,
+ (None, None) => None,
_ => bail!("Incomplete TLS configuration parameters"),
};
diff --git a/src/consul.rs b/src/consul.rs
index 4677931..c7ac2b6 100644
--- a/src/consul.rs
+++ b/src/consul.rs
@@ -23,13 +23,28 @@ pub struct Consul {
impl Consul {
pub fn new(config: &RuntimeConfigConsul) -> Self {
- let client = if let Some((ca, ident)) = config.tls.clone() {
- reqwest::Client::builder()
- .use_rustls_tls()
- .add_root_certificate(ca)
- .identity(ident)
- .build()
- .expect("Unable to build reqwest client")
+ let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
+ if skip_verify {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .danger_accept_invalid_certs(true)
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ } else if let Some(ca) = ca {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .add_root_certificate(ca)
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ } else {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ }
} else {
reqwest::Client::new()
};