
Commit fb697ce

committed
support tls certificates when connecting to metal-api
1 parent 2fe9f76 commit fb697ce


4 files changed

+59
-14
lines changed


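--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,9 +1,13 @@
 package cmd
 
 import (
+"crypto/tls"
+"crypto/x509"
+"encoding/hex"
 "fmt"
 "io"
 "log/slog"
+"net/http"
 "os"
 "strings"
 
@@ -220,14 +224,31 @@ func initConfigWithViperCtx(c *config) error {
 }
 }
 
+certificateAuthorityData := viper.GetString("certificate-authority-data")
+
 var (
-client metalgo.Client
-err error
+client metalgo.Client
+err error
+transport *http.Transport
 )
-if hmacAuthType != "" {
-client, err = metalgo.NewDriver(driverURL, apiToken, hmacKey, metalgo.AuthType(hmacAuthType))
+
+if certificateAuthorityData == "" {
+if hmacAuthType == "" {
+client, err = metalgo.NewClient(driverURL, metalgo.BearerToken(apiToken), metalgo.HMACAuth(hmacKey, "Metal-Admin"))
+} else {
+client, err = metalgo.NewClient(driverURL, metalgo.BearerToken(apiToken), metalgo.HMACAuth(hmacKey, hmacAuthType))
+}
 } else {
-client, err = metalgo.NewDriver(driverURL, apiToken, hmacKey)
+transport, err = createTLSTransport(certificateAuthorityData)
+if err != nil {
+return err
+}
+
+if hmacAuthType == "" {
+client, err = metalgo.NewClient(driverURL, metalgo.BearerToken(apiToken), metalgo.HMACAuth(hmacKey, "Metal-Admin"), metalgo.Transport(transport))
+} else {
+client, err = metalgo.NewClient(driverURL, metalgo.BearerToken(apiToken), metalgo.HMACAuth(hmacKey, hmacAuthType), metalgo.Transport(transport))
+}
 }
 if err != nil {
 return err
@@ -240,6 +261,27 @@ func initConfigWithViperCtx(c *config) error {
 return nil
 }
 
+func createTLSTransport(certificateAuthorityData string) (transport *http.Transport, err error) {
+var (
+certificateAuthorityDataHex []byte
+caCertPool x509.CertPool
+)
+
+certificateAuthorityDataHex, err = hex.DecodeString(certificateAuthorityData)
+if err != nil {
+return nil, err
+}
+
+caCertPool.AppendCertsFromPEM(certificateAuthorityDataHex)
+transport = &http.Transport{
+TLSClientConfig: &tls.Config{
+RootCAs: &caCertPool,
+},
+}
+
+return transport, nil
+}
+
 func recursiveAutoGenDisable(cmd *cobra.Command) {
 cmd.DisableAutoGenTag = true
 for _, child := range cmd.Commands() {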
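Review bot: `createTLSTransport` (third hunk) builds the trust store from a zero-value `x509.CertPool` (`var caCertPool x509.CertPool`) instead of `x509.NewCertPool()`; the zero value is not documented as usable and on current Go releases `AppendCertsFromPEM` writes into the pool's internal maps, so the first valid certificate in the decoded data appears set to panic with a nil-map assignment. The boolean result of `AppendCertsFromPEM` is also discarded, so data that is valid hex but contains no PEM certificate silently yields an empty pool, and every request then fails later with an opaque unknown-authority error instead of a clear configuration error at startup. Building `&http.Transport{}` from scratch additionally drops `http.DefaultTransport`'s proxy-from-environment, dial and TLS-handshake timeouts and HTTP/2 settings; cloning it and replacing only `TLSClientConfig` keeps those, and pinning `MinVersion: tls.VersionTLS12` is cheap while you are there. In the second hunk the four near-identical `NewClient` calls could collapse into one by defaulting `hmacAuthType` to `"Metal-Admin"` once and appending `metalgo.Transport(transport)` to an options slice only when a CA was configured.
```go
func createTLSTransport(certificateAuthorityData string) (*http.Transport, error) {
	caPEM, err := hex.DecodeString(certificateAuthorityData)
	if err != nil {
		return nil, fmt.Errorf("decoding certificate-authority-data: %w", err)
	}

	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("certificate-authority-data contains no PEM-encoded certificate")
	}

	// keep proxy, dial/handshake timeouts and HTTP/2 from the default transport
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{
		RootCAs:    caCertPool,
		MinVersion: tls.VersionTLS12,
	}
	return transport, nil
}
```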

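--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/go-openapi/strfmt v0.23.0
 github.com/google/go-cmp v0.6.0
 github.com/google/uuid v1.6.0
-github.com/metal-stack/metal-go v0.40.3
+github.com/metal-stack/metal-go v0.40.5-0.20250307164026-7ca4478eda1e
 github.com/metal-stack/metal-lib v0.20.1
 github.com/metal-stack/updater v1.2.2
 github.com/metal-stack/v v1.0.3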

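--- a/go.sum
+++ b/go.sum
@@ -246,6 +246,8 @@ github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metal-stack/metal-go v0.40.3 h1:ekgdTY23zHs/XGOg8bUJQFYPTX1GnaqgaT/lgVxS3JI=
 github.com/metal-stack/metal-go v0.40.3/go.mod h1:ltItf/Md/z588c7Dr3X6iemCeOFh3rJ8nDL5Dpb9zFQ=
+github.com/metal-stack/metal-go v0.40.5-0.20250307164026-7ca4478eda1e h1:m13vaYr/nv/QxIa7G2V3jr1qqLQ/xACNCTR40cEmz5A=
+github.com/metal-stack/metal-go v0.40.5-0.20250307164026-7ca4478eda1e/go.mod h1:ltItf/Md/z588c7Dr3X6iemCeOFh3rJ8nDL5Dpb9zFQ=
 github.com/metal-stack/metal-lib v0.20.1 h1:gxNg512dS5yzDebELtPZjmoWond0Gw0HHEkSVIAOWRE=
 github.com/metal-stack/metal-lib v0.20.1/go.mod h1:zYzXYpNA4nQ+ANx19s/+1Yb/Q6xhS1nQK2yK2/ryXZM=
 github.com/metal-stack/security v0.9.3 h1:ZF5rGeZ4fIFe0DFFQWkXsUDCzODyjdrpvKmeaLOz9lo=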

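--- a/pkg/api/context.go
+++ b/pkg/api/context.go
@@ -18,14 +18,15 @@ type Contexts struct {
 
 // Context configure metalctl behaviour
 type Context struct {
-ApiURL string `yaml:"url"`
-IssuerURL string `yaml:"issuer_url"`
-IssuerType string `yaml:"issuer_type"`
-CustomScopes string `yaml:"custom_scopes"`
-ClientID string `yaml:"client_id"`
-ClientSecret string `yaml:"client_secret"`
-HMAC *string `yaml:"hmac"`
-HMACAuthType string `yaml:"hmac_auth_type,omitempty"`
+ApiURL string `yaml:"url"`
+IssuerURL string `yaml:"issuer_url"`
+IssuerType string `yaml:"issuer_type"`
+CustomScopes string `yaml:"custom_scopes"`
+ClientID string `yaml:"client_id"`
+ClientSecret string `yaml:"client_secret"`
+HMAC *string `yaml:"hmac"`
+HMACAuthType string `yaml:"hmac_auth_type,omitempty"`
+CertificateAuthorityData string `yaml:"certificate_authority_data,omitempty"`
 }
 
 var defaultCtx = Context{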
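Review bot: The new `CertificateAuthorityData` field carries no comment, and nothing in this struct says how the value must be encoded; the cmd/root.go hunk on this page hex-decodes it before handing it to `AppendCertsFromPEM`, which differs from the base64 convention that kubeconfig users will expect from a field of this name. A one-line comment on the field would prevent that confusion and record the trust consequence, e.g. `// CertificateAuthorityData is hex-encoded PEM data whose certificates become the only trust roots for connections to ApiURL; leave empty to keep the client's default transport.` The struct is fully visible in the hunk.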
