diff --git a/api/api.go b/api/api.go
index bacb7c3c9..a427b949f 100644
--- a/api/api.go
+++ b/api/api.go
@@ -257,6 +257,9 @@ func DefaultConfig() *Config {
 if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
 config.TLSConfig.ClientKey = v
 }
+ if v := os.Getenv("NOMAD_TLS_SERVER_NAME"); v != "" {
+ config.TLSConfig.TLSServerName = v
+ }
 if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
 if insecure, err := strconv.ParseBool(v); err == nil {
 config.TLSConfig.Insecure = insecure
diff --git a/command/meta.go b/command/meta.go
index 8dc96e933..6e6f0e1e8 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -50,11 +50,12 @@ type Meta struct {
 // token is used for ACLs to access privileged information
 token string
- caCert string
- caPath string
- clientCert string
- clientKey string
- insecure bool
+ caCert string
+ caPath string
+ clientCert string
+ clientKey string
+ tlsServerName string
+ insecure bool
 }
 // FlagSet returns a FlagSet with the common flags that every
@@ -76,6 +77,7 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 f.StringVar(&m.clientCert, "client-cert", "", "")
 f.StringVar(&m.clientKey, "client-key", "", "")
 f.BoolVar(&m.insecure, "insecure", false, "")
+ f.StringVar(&m.tlsServerName, "tls-server-name", "", "")
 f.BoolVar(&m.insecure, "tls-skip-verify", false, "")
 f.StringVar(&m.token, "token", "", "")
@@ -113,6 +115,7 @@ func (m *Meta) AutocompleteFlags(fs FlagSetFlags) complete.Flags {
 "-client-cert": complete.PredictFiles("*"),
 "-client-key": complete.PredictFiles("*"),
 "-insecure": complete.PredictNothing,
+ "-tls-server-name": complete.PredictNothing,
 "-tls-skip-verify": complete.PredictNothing,
 "-token": complete.PredictAnything,
 }
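Review bot: The new `NOMAD_TLS_SERVER_NAME` branch in DefaultConfig is documented only in the command usage text and in `_general_options.html.md`; if DefaultConfig's doc comment or the api package documentation enumerates the `NOMAD_*` variables the client honours, this variable should be listed there as well (that comment is outside the hunk, so this is inferred). A one-line comment on the new branch would also help a reader tell it apart from the `NOMAD_SKIP_VERIFY` branch directly below it, e.g. `// Server name to use as the SNI host when connecting via TLS.`. DefaultConfig starts and continues outside the hunk.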
@@ -136,13 +139,14 @@ func (m *Meta) Client() (*api.Client, error) {
 }
 // If we need custom TLS configuration, then set it
- if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.insecure {
+ if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.tlsServerName != "" || m.insecure {
 t := &api.TLSConfig{
- CACert: m.caCert,
- CAPath: m.caPath,
- ClientCert: m.clientCert,
- ClientKey: m.clientKey,
- Insecure: m.insecure,
+ CACert: m.caCert,
+ CAPath: m.caPath,
+ ClientCert: m.clientCert,
+ ClientKey: m.clientKey,
+ TLSServerName: m.tlsServerName,
+ Insecure: m.insecure,
 }
 config.TLSConfig = t
 }
@@ -204,6 +208,10 @@ func generalOptionsUsage() string {
 Path to an unencrypted PEM encoded private key matching the client certificate from -client-cert. Overrides the NOMAD_CLIENT_KEY environment variable if set.
+
+ -tls-server-name=
+ The server name to use as the SNI host when connecting via
+ TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.
 -tls-skip-verify
 Do not verify TLS certificate. This is highly not recommended. Verification
diff --git a/command/meta_test.go b/command/meta_test.go
index da20d37aa..c44a21be5 100644
--- a/command/meta_test.go
+++ b/command/meta_test.go
@@ -29,6 +29,7 @@ func TestMeta_FlagSet(t *testing.T) {
 "client-cert",
 "client-key",
 "insecure",
+ "tls-server-name",
 "tls-skip-verify",
 "token",
 },
diff --git a/website/source/docs/commands/_general_options.html.md b/website/source/docs/commands/_general_options.html.md
index 86cba60fa..f1c4022e6 100644
--- a/website/source/docs/commands/_general_options.html.md
+++ b/website/source/docs/commands/_general_options.html.md
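Review bot: With `m.tlsServerName` added to the trigger condition, passing only `-tls-server-name` builds a fresh `api.TLSConfig` whose other fields are empty and then replaces `config.TLSConfig` wholesale (context line `config.TLSConfig = t`), so any value such as `NOMAD_CLIENT_KEY` that `api.DefaultConfig()` read from the environment is silently discarded — assuming `config` is created by DefaultConfig earlier in Client(), which is outside the hunk. That contradicts the usage text added in the next hunk, which promises that each flag "overrides the … environment variable if set", and it is a verification-affecting surprise: an operator pinning the expected server name loses the CA and client-cert material they configured through the environment. The pre-existing flags already had this behaviour, but extending the trigger set is the natural point to switch to per-field overrides, as sketched below; `m.insecure` only ever turns verification off, so it is applied only when true. Client() starts and ends outside the hunk.
```go
	// If we need custom TLS configuration, then set it
	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.tlsServerName != "" || m.insecure {
		// Override only the fields given on the command line so that TLS
		// settings the default config took from the environment survive.
		if config.TLSConfig == nil {
			config.TLSConfig = &api.TLSConfig{}
		}
		if m.caCert != "" {
			config.TLSConfig.CACert = m.caCert
		}
		if m.caPath != "" {
			config.TLSConfig.CAPath = m.caPath
		}
		if m.clientCert != "" {
			config.TLSConfig.ClientCert = m.clientCert
		}
		if m.clientKey != "" {
			config.TLSConfig.ClientKey = m.clientKey
		}
		if m.tlsServerName != "" {
			config.TLSConfig.TLSServerName = m.tlsServerName
		}
		if m.insecure {
			config.TLSConfig.Insecure = true
		}
	}
```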
@@ -25,6 +25,9 @@ the client certificate from `-client-cert`. Overrides the `NOMAD_CLIENT_KEY` environment variable if set.
+- `-tls-server-name=`: The server name to use as the SNI host when connecting
+ via TLS. Overrides the `NOMAD_TLS_SERVER_NAME` environment variable if set.
+
 - `-tls-skip-verify`: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped if `NOMAD_SKIP_VERIFY` is set.