authorAlex Auvolat <alex@adnab.me>2021-12-30 20:08:10 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-30 20:08:10 +0100
commitbcc185df400f0b459d78d6bdd3084ef5b6ac5e8a (patch)
tree839ab4adf9597b0ac7364a4b348bf4b0d279c263 /src
parentd13066b12bc03e49c233a065294595c2da3b1f3d (diff)
Add support for Consul TLS
Diffstat (limited to 'src')
-rw-r--r--src/consul.rs39
-rw-r--r--src/main.rs22
2 files changed, 55 insertions, 6 deletions
diff --git a/src/consul.rs b/src/consul.rs
index ee1935c..8eafcc2 100644
--- a/src/consul.rs
+++ b/src/consul.rs
@@ -1,4 +1,6 @@
use std::collections::HashMap;
+use std::fs::File;
+use std::io::Read;
use anyhow::Result;
use bytes::Bytes;
@@ -6,6 +8,13 @@ use log::*;
use reqwest::StatusCode;
use serde::{Deserialize, Serialize};
+pub struct ConsulConfig {
+ pub addr: String,
+ pub ca_cert: Option<String>,
+ pub client_cert: Option<String>,
+ pub client_key: Option<String>,
+}
+
// ---- Watch and retrieve Consul catalog ----
//
#[derive(Serialize, Deserialize, Debug)]
@@ -76,13 +85,33 @@ pub struct Consul {
}
impl Consul {
- pub fn new(url: &str, kv_prefix: &str, local_node: &str) -> Self {
- return Self {
- client: reqwest::Client::new(),
- url: url.trim_end_matches('/').to_string(),
+ pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
+ let client = match (&config.ca_cert, &config.client_cert, &config.client_key) {
+ (Some(ca_cert), Some(client_cert), Some(client_key)) => {
+ let mut ca_cert_buf = vec![];
+ File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
+
+ let mut client_cert_buf = vec![];
+ File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
+
+ let mut client_key_buf = vec![];
+ File::open(client_key)?.read_to_end(&mut client_key_buf)?;
+
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
+ .identity(reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?)
+ .build()?
+ }
+ _ => reqwest::Client::new(),
+ };
+
+ Ok(Self {
+ client,
+ url: config.addr.trim_end_matches('/').to_string(),
kv_prefix: kv_prefix.to_string(),
local_node: local_node.into(),
- };
+ })
}
pub async fn list_nodes(&self) -> Result<Vec<String>> {
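Review bot: The `match` at the top of `Consul::new` only enables TLS when all three of `ca_cert`, `client_cert` and `client_key` are `Some`; every other combination falls into the `_` arm and silently builds a plain `reqwest::Client::new()`, so an operator who sets only `--consul-ca-cert` (server TLS without mutual auth) or forgets the key ends up with the default trust roots and no client identity, and gets no error telling them so. Partial configuration should be handled explicitly: accept CA-only with `add_root_certificate` and no `identity`, and reject a certificate without its key (or vice versa) with `anyhow::bail!` so the misconfiguration surfaces at startup rather than as an opaque connection failure. The three `File::open(...)?.read_to_end(...)?` pairs would also be simpler as `std::fs::read(path)`, ideally with a `.with_context(|| ...)` naming the file (needs `use anyhow::Context`), since a bare `No such file or directory` does not say which of the three paths is wrong. `ConsulConfig` above is undocumented; a doc comment stating that the three optional fields are paths to PEM files and which combinations are accepted belongs there. The rest of `impl Consul` continues outside the hunk.
```rust
    pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
        let client = match (&config.ca_cert, &config.client_cert, &config.client_key) {
            (None, None, None) => reqwest::Client::new(),
            (Some(ca_cert), None, None) => {
                // Server-side TLS only: trust the given CA, present no client identity.
                let ca_cert_buf = std::fs::read(ca_cert)?;
                reqwest::Client::builder()
                    .use_rustls_tls()
                    .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
                    .build()?
            }
            (Some(ca_cert), Some(client_cert), Some(client_key)) => {
                // … unchanged: read the three PEM files, add root certificate and identity …
            }
            // A client certificate without its key (or any other partial setting) is a
            // misconfiguration; fail at startup instead of silently using a default client.
            _ => anyhow::bail!(
                "incomplete Consul TLS configuration: set ca_cert alone, or ca_cert together with client_cert and client_key"
            ),
        };
        // … unchanged: Ok(Self { client, url, kv_prefix, local_node }) …
    }
```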
diff --git a/src/main.rs b/src/main.rs
index 353af66..857d24e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -27,6 +27,18 @@ struct Opt {
)]
pub consul_addr: String,
+ /// CA certificate for Consul server with TLS
+ #[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
+ pub consul_ca_cert: Option<String>,
+
+ /// Client certificate for Consul server with TLS
+ #[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
+ pub consul_client_cert: Option<String>,
+
+ /// Client key for Consul server with TLS
+ #[structopt(long = "consul-client-key", env = "TRICOT_CONSUL_CLIENT_KEY")]
+ pub consul_client_key: Option<String>,
+
/// Prefix of Tricot's entries in Consul KV space
#[structopt(
long = "consul-kv-prefix",
@@ -89,7 +101,15 @@ async fn main() {
info!("Starting Tricot");
- let consul = consul::Consul::new(&opt.consul_addr, &opt.consul_kv_prefix, &opt.node_name);
+ let consul_config = consul::ConsulConfig{
+ addr: opt.consul_addr.clone(),
+ ca_cert: opt.consul_ca_cert.clone(),
+ client_cert: opt.consul_client_cert.clone(),
+ client_key: opt.consul_client_key.clone(),
+ };
+
+ let consul = consul::Consul::new(consul_config, &opt.consul_kv_prefix, &opt.node_name)
+ .expect("Error creating Consul client");
let mut rx_proxy_config = proxy_config::spawn_proxy_config_task(consul.clone());
let cert_store = cert_store::CertStore::new(
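Review bot: The doc comments on the three new `Opt` fields in the first hunk (`/// CA certificate for Consul server with TLS` and the two below it) do not say that the value is a file path, nor that the client certificate and key are only used together with the CA certificate, which is how `consul.rs` consumes them in this commit; structopt turns these lines into the `--help` text, so that is where an operator will look. Suggested wording: `/// Path to a PEM file with the CA certificate used to verify the Consul server (TLS)`, `/// Path to a PEM file with the client certificate for Consul mutual TLS (used only with --consul-ca-cert and --consul-client-key)`, `/// Path to a PEM file with the client private key for Consul mutual TLS (used only with --consul-ca-cert and --consul-client-cert)`. In the second hunk, `consul::ConsulConfig{` is not rustfmt output (`consul::ConsulConfig {`), and the four `.clone()` calls could be plain moves if `opt` is never used as a whole afterwards, which cannot be confirmed from the hunk. The `.expect("Error creating Consul client")` is fine in `main`; the error is an `anyhow::Error`, so its `Debug` output on panic includes the cause chain.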