command: add -tls-server-name flag

2019-09-24 07:05:40 -07:00 · 2019-09-24 07:05:40 -07:00 · de133d883f
parent cd9c23617f
commit de133d883f
4 changed files with 26 additions and 11 deletions
--- a/api/api.go
+++ b/api/api.go
@ -257,6 +257,9 @@ func DefaultConfig() *Config {
 	if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
 		config.TLSConfig.ClientKey = v
 	}
+	if v := os.Getenv("NOMAD_TLS_SERVER_NAME"); v != "" {
+		config.TLSConfig.TLSServerName = v
+	}
 	if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
 		if insecure, err := strconv.ParseBool(v); err == nil {
 			config.TLSConfig.Insecure = insecure
--- a/command/meta.go
+++ b/command/meta.go
@ -50,11 +50,12 @@ type Meta struct {
 	// token is used for ACLs to access privileged information
 	token string

-	caCert     string
-	caPath     string
-	clientCert string
-	clientKey  string
-	insecure   bool
+	caCert        string
+	caPath        string
+	clientCert    string
+	clientKey     string
+	tlsServerName string
+	insecure      bool
 }

 // FlagSet returns a FlagSet with the common flags that every
@ -76,6 +77,7 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 		f.StringVar(&m.clientCert, "client-cert", "", "")
 		f.StringVar(&m.clientKey, "client-key", "", "")
 		f.BoolVar(&m.insecure, "insecure", false, "")
+		f.StringVar(&m.tlsServerName, "tls-server-name", "", "")
 		f.BoolVar(&m.insecure, "tls-skip-verify", false, "")
 		f.StringVar(&m.token, "token", "", "")

@ -113,6 +115,7 @@ func (m *Meta) AutocompleteFlags(fs FlagSetFlags) complete.Flags {
 		"-client-cert":     complete.PredictFiles("*"),
 		"-client-key":      complete.PredictFiles("*"),
 		"-insecure":        complete.PredictNothing,
+		"-tls-server-name": complete.PredictNothing,
 		"-tls-skip-verify": complete.PredictNothing,
 		"-token":           complete.PredictAnything,
 	}
@ -136,13 +139,14 @@ func (m *Meta) Client() (*api.Client, error) {
 	}

 	// If we need custom TLS configuration, then set it
-	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.insecure {
+	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.tlsServerName != "" || m.insecure {
 		t := &api.TLSConfig{
-			CACert:     m.caCert,
-			CAPath:     m.caPath,
-			ClientCert: m.clientCert,
-			ClientKey:  m.clientKey,
-			Insecure:   m.insecure,
+			CACert:        m.caCert,
+			CAPath:        m.caPath,
+			ClientCert:    m.clientCert,
+			ClientKey:     m.clientKey,
+			TLSServerName: m.tlsServerName,
+			Insecure:      m.insecure,
 		}
 		config.TLSConfig = t
 	}
@ -204,6 +208,10 @@ func generalOptionsUsage() string {
    Path to an unencrypted PEM encoded private key matching the
    client certificate from -client-cert. Overrides the
    NOMAD_CLIENT_KEY environment variable if set.
+	
+  -tls-server-name=<value>
+    The server name to use as the SNI host when connecting via 
+    TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.

  -tls-skip-verify
    Do not verify TLS certificate. This is highly not recommended. Verification
--- a/command/meta_test.go
+++ b/command/meta_test.go
@ -29,6 +29,7 @@ func TestMeta_FlagSet(t *testing.T) {
 				"client-cert",
 				"client-key",
 				"insecure",
+				"tls-server-name",
 				"tls-skip-verify",
 				"token",
 			},
--- a/website/source/docs/commands/_general_options.html.md
+++ b/website/source/docs/commands/_general_options.html.md
@ -25,6 +25,9 @@
  the client certificate from `-client-cert`. Overrides the `NOMAD_CLIENT_KEY`
  environment variable if set.

+- `-tls-server-name=<value>`: The server name to use as the SNI host when connecting 
+  via TLS. Overrides the `NOMAD_TLS_SERVER_NAME` environment variable if set.
+
 - `-tls-skip-verify`: Do not verify TLS certificate. This is highly not
  recommended. Verification will also be skipped if `NOMAD_SKIP_VERIFY` is set.