command: add -tls-server-name flag

Peter McAtominey 2019-09-24 07:05:40 -07:00
parent cd9c23617f
commit de133d883f
No known key found for this signature in database
GPG key ID: E92CA7C93BB5E7B6
4 changed files with 26 additions and 11 deletions


@ -257,6 +257,9 @@ func DefaultConfig() *Config {
if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
config.TLSConfig.ClientKey = v
}
if v := os.Getenv("NOMAD_TLS_SERVER_NAME"); v != "" {
config.TLSConfig.TLSServerName = v
}
if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
if insecure, err := strconv.ParseBool(v); err == nil {
config.TLSConfig.Insecure = insecure


@ -54,6 +54,7 @@ type Meta struct {
caPath string
clientCert string
clientKey string
tlsServerName string
insecure bool
}
@ -76,6 +77,7 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
f.StringVar(&m.clientCert, "client-cert", "", "")
f.StringVar(&m.clientKey, "client-key", "", "")
f.BoolVar(&m.insecure, "insecure", false, "")
f.StringVar(&m.tlsServerName, "tls-server-name", "", "")
f.BoolVar(&m.insecure, "tls-skip-verify", false, "")
f.StringVar(&m.token, "token", "", "")
@ -113,6 +115,7 @@ func (m *Meta) AutocompleteFlags(fs FlagSetFlags) complete.Flags {
"-client-cert": complete.PredictFiles("*"),
"-client-key": complete.PredictFiles("*"),
"-insecure": complete.PredictNothing,
"-tls-server-name": complete.PredictNothing,
"-tls-skip-verify": complete.PredictNothing,
"-token": complete.PredictAnything,
}
@ -136,12 +139,13 @@ func (m *Meta) Client() (*api.Client, error) {
}
// If we need custom TLS configuration, then set it
if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.insecure {
if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.tlsServerName != "" || m.insecure {
t := &api.TLSConfig{
CACert: m.caCert,
CAPath: m.caPath,
ClientCert: m.clientCert,
ClientKey: m.clientKey,
TLSServerName: m.tlsServerName,
Insecure: m.insecure,
}
config.TLSConfig = t
@ -205,6 +209,10 @@ func generalOptionsUsage() string {
client certificate from -client-cert. Overrides the
NOMAD_CLIENT_KEY environment variable if set.
-tls-server-name=<value>
The server name to use as the SNI host when connecting via
TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.
-tls-skip-verify
Do not verify TLS certificate. This is highly not recommended. Verification
will also be skipped if NOMAD_SKIP_VERIFY is set.
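Review bot: In the Client() hunk, any single TLS flag still replaces config.TLSConfig with a struct built only from flag values, so the new TLSServerName field ends up empty whenever another flag such as -ca-cert is passed without -tls-server-name. If config is populated from DefaultConfig (its assignment is outside the hunk), a NOMAD_TLS_SERVER_NAME value is silently dropped in that case, although the usage text says only -tls-server-name overrides the variable. Carrying the existing value over before `config.TLSConfig = t` would keep it, e.g. `if t.TLSServerName == "" && config.TLSConfig != nil { t.TLSServerName = config.TLSConfig.TLSServerName }`. The other fields of the struct look to be affected the same way, and Client()'s body starts and ends outside the hunk.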


@ -29,6 +29,7 @@ func TestMeta_FlagSet(t *testing.T) {
"client-cert",
"client-key",
"insecure",
"tls-server-name",
"tls-skip-verify",
"token",
},


@ -25,6 +25,9 @@
the client certificate from `-client-cert`. Overrides the `NOMAD_CLIENT_KEY`
environment variable if set.
- `-tls-server-name=<value>`: The server name to use as the SNI host when connecting
via TLS. Overrides the `NOMAD_TLS_SERVER_NAME` environment variable if set.
- `-tls-skip-verify`: Do not verify TLS certificate. This is highly not
recommended. Verification will also be skipped if `NOMAD_SKIP_VERIFY` is set.