From 04bdd029fefbce08184c12809b5d6e4bf2a12fa1 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 30 Dec 2021 20:42:56 +0100
Subject: Add TLS support for Consul

---
 src/config/options.rs | 6 ++++++
 src/config/runtime.rs | 32 ++++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

(limited to 'src/config')

diff --git a/src/config/options.rs b/src/config/options.rs
index f62d14c..7334083 100644
--- a/src/config/options.rs
+++ b/src/config/options.rs
@@ -37,6 +37,12 @@ pub struct ConfigOptsConsul {
 pub node_name: Option,
 /// Consul's REST URL [default: "http://127.0.0.1:8500"]
 pub url: Option,
+ /// Consul's CA certificate [default: None]
+ pub ca_cert: Option,
+ /// Consul's client certificate [default: None]
+ pub client_cert: Option,
+ /// Consul's client key [default: None]
+ pub client_key: Option,
 }
 /// Model of all potential configuration options
diff --git a/src/config/runtime.rs b/src/config/runtime.rs
index a1582e4..cc80b0d 100644
--- a/src/config/runtime.rs
+++ b/src/config/runtime.rs
@@ -1,6 +1,8 @@
+use std::fs::File;
+use std::io::Read;
 use std::time::Duration;
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, bail, Result};
 use crate::config::{ConfigOpts, ConfigOptsAcme, ConfigOptsBase, ConfigOptsConsul};
@@ -18,6 +20,7 @@ pub struct RuntimeConfigAcme {
 pub struct RuntimeConfigConsul {
 pub node_name: String,
 pub url: String,
+ pub tls: Option<(reqwest::Certificate, reqwest::Identity)>,
 }
 #[derive(Debug)]
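Review bot: The three new `ConfigOptsConsul` fields document only their default, not that each value is a path to a PEM file or that they are only meaningful as a set — the runtime.rs hunk in this same commit bails with "Incomplete TLS configuration parameters" when only some of them are given, and an operator reading the options struct has no way to learn that. Proposed comments: `/// Path to Consul's CA certificate, PEM-encoded; set together with client_cert and client_key [default: None]`, `/// Path to the PEM-encoded client certificate presented to Consul; requires ca_cert and client_key [default: None]`, `/// Path to the PEM-encoded private key for client_cert; requires ca_cert and client_cert [default: None]`. The type parameter of these `Option` fields is not visible on this page, so the wording assumes a path-like type. `ConfigOptsConsul` itself starts outside the hunk.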
@@ -77,7 +80,32 @@ impl RuntimeConfigConsul {
 .expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required");
 let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
- Ok(Self { node_name, url })
+ let tls = match (&opts.ca_cert, &opts.client_cert, &opts.client_key) {
+ (Some(ca_cert), Some(client_cert), Some(client_key)) => {
+ let mut ca_cert_buf = vec![];
+ File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
+ let cert = reqwest::Certificate::from_pem(&ca_cert_buf[..])?;
+
+ let mut client_cert_buf = vec![];
+ File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
+
+ let mut client_key_buf = vec![];
+ File::open(client_key)?.read_to_end(&mut client_key_buf)?;
+
+ let ident =
+ reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?;
+
+ Some((cert, ident))
+ }
+ (None, None, None) => None,
+ _ => bail!("Incomplete TLS configuration parameters"),
+ };
+
+ Ok(Self {
+ node_name,
+ url,
+ tls,
+ })
 }
 }
-- 
cgit v1.2.3
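Review bot: Each `File::open(..)?` in the new `(Some, Some, Some)` arm propagates a bare `io::Error`, so a mistyped path surfaces as "No such file or directory" with no indication of which of the three TLS files was at fault, and the bail message for the partial case likewise does not say which option is missing. `std::fs::read` replaces each open/`read_to_end` pair, and anyhow's `Context::with_context` can name the file (this needs `use anyhow::Context;` next to the `bail` import added in the first runtime.rs hunk). Nothing in this hunk relates `url` to the TLS settings, so — unless a later consumer does — a CA and client identity paired with the default `http://` URL would simply go unused; if that is not enforced elsewhere, `if tls.is_some() && !url.starts_with("https://") { bail!("Consul TLS parameters require an https:// url"); }` after the match makes the misconfiguration loud instead of silent. The enclosing constructor starts outside the hunk.
```rust
      (Some(ca_cert), Some(client_cert), Some(client_key)) => {
        let ca_pem = std::fs::read(ca_cert)
          .with_context(|| format!("cannot read Consul CA certificate {:?}", ca_cert))?;
        let cert = reqwest::Certificate::from_pem(&ca_pem)?;
        let client_pem = [
          std::fs::read(client_cert)
            .with_context(|| format!("cannot read Consul client certificate {:?}", client_cert))?,
          std::fs::read(client_key)
            .with_context(|| format!("cannot read Consul client key {:?}", client_key))?,
        ]
        .concat();
        let ident = reqwest::Identity::from_pem(&client_pem)?;
        Some((cert, ident))
      }
      // … unchanged: (None, None, None) and incomplete-configuration arms …
```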