diff --git a/config/config.go b/config/config.go
index 8e95ed24e..59fce39c0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -152,6 +152,7 @@ type Consul struct {
 CheckDeregisterCriticalServiceAfter string
 ChecksRequired string
 ServiceMonitors int
+ TLS ConsulTlS
 }
 
 type Custom struct {
@@ -187,3 +188,11 @@ type BasicAuth struct {
 Refresh time.Duration
 ModTime time.Time // the htpasswd file last modification time
 }
+
+type ConsulTlS struct {
+ KeyFile string
+ CertFile string
+ CAFile string
+ CAPath string
+ InsecureSkipVerify bool
+}
diff --git a/config/load.go b/config/load.go
index ba700947a..8382c050a 100644
--- a/config/load.go
+++ b/config/load.go
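Review bot: The new type is named `ConsulTlS`, which breaks Go's initialism convention and reads like a typo; `ConsulTLS` would match `CAFile`/`CAPath` inside the same struct and the `TLS` field name added in the first hunk of this file (both hunks reference the type). The exported type also carries no doc comment; I'd add `// ConsulTLS holds the client certificate, key and CA settings fabio uses for its Consul connection.` above it. Since `InsecureSkipVerify` turns off a security check, its field deserves its own line, e.g. `// InsecureSkipVerify disables verification of the Consul server certificate; intended for test setups only.`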
@@ -172,6 +172,11 @@ func load(cmdline, environ, envprefix []string, props *properties.Properties) (c
 f.StringVar(&cfg.Registry.Consul.KVPath, "registry.consul.kvpath", defaultConfig.Registry.Consul.KVPath, "consul KV path for manual overrides")
 f.StringVar(&cfg.Registry.Consul.NoRouteHTMLPath, "registry.consul.noroutehtmlpath", defaultConfig.Registry.Consul.NoRouteHTMLPath, "consul KV path for HTML returned when no route is found")
 f.StringVar(&cfg.Registry.Consul.TagPrefix, "registry.consul.tagprefix", defaultConfig.Registry.Consul.TagPrefix, "prefix for consul tags")
+ f.StringVar(&cfg.Registry.Consul.TLS.KeyFile, "registry.consul.tls.keyfile", defaultConfig.Registry.Consul.TLS.KeyFile, "path to consul key file")
+ f.StringVar(&cfg.Registry.Consul.TLS.CertFile, "registry.consul.tls.certfile", defaultConfig.Registry.Consul.TLS.CertFile, "path to consul cert file")
+ f.StringVar(&cfg.Registry.Consul.TLS.CAFile, "registry.consul.tls.cafile", defaultConfig.Registry.Consul.TLS.CAFile, "path to consul CA file")
+ f.StringVar(&cfg.Registry.Consul.TLS.CAPath, "registry.consul.tls.capath", defaultConfig.Registry.Consul.TLS.CAPath, "path to consul CA directory")
+ f.BoolVar(&cfg.Registry.Consul.TLS.InsecureSkipVerify, "registry.consul.tls.insecureskipverify", defaultConfig.Registry.Consul.TLS.InsecureSkipVerify, "is tls check enabled")
 f.BoolVar(&cfg.Registry.Consul.Register, "registry.consul.register.enabled", defaultConfig.Registry.Consul.Register, "register fabio in consul")
 f.StringVar(&cfg.Registry.Consul.ServiceAddr, "registry.consul.register.addr", defaultConfig.Registry.Consul.ServiceAddr, "service registration address")
 f.StringVar(&cfg.Registry.Consul.ServiceName, "registry.consul.register.name", defaultConfig.Registry.Consul.ServiceName, "service registration name")
diff --git a/fabio.properties b/fabio.properties
index 3ec4c04c2..e007b15e4 100644
--- a/fabio.properties
+++ b/fabio.properties
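Review bot: The help string for `registry.consul.tls.insecureskipverify` reads `"is tls check enabled"`, which states the opposite of what the flag does: setting it to true disables verification of the Consul server certificate, and an operator reading `-help` would reasonably set it to true expecting to turn checking on. Suggest `"disable verification of the consul server certificate (insecure, for testing only)"` so the risk is visible where the flag is documented. The four path flags would also be clearer as `"path to the client key file for TLS connections to consul"` and so on, since "consul key file" could be read as a Consul-server file rather than fabio's own client material. The enclosing `load` function starts and ends outside this hunk.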
@@ -678,6 +678,54 @@ # registry.consul.token =
+# registry.consul.tls.keyfile the path to the TLS certificate private key used for Consul communication.
+#
+# This is the full path to the TLS private key while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.keyfile =
+
+# registry.consul.tls.certfile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.certfile =
+
+
+# registry.consul.tls.cafile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.cafile =
+
+# registry.consul.tls.capath the path to the folder containing CA certificates.
+#
+# This is the full path to the folder with CA certificates while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.capath =
+
+
+# registry.consul.tls.insecureskipverify enable SSL verification with Consul.
+#
+# registry.consul.tls.insecureskipverify enables or disables SSL verification while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.insecureskipverify = false
+
+
 # registry.consul.kvpath configures the KV path for manual routes.
 #
 # The consul KV path is watched for changes which get appended to
diff --git a/registry/consul/backend.go b/registry/consul/backend.go
index 629bd925d..26dc8852b 100644
--- a/registry/consul/backend.go
+++ b/registry/consul/backend.go
@@ -19,8 +19,18 @@ type be struct {
 }
 
 func NewBackend(cfg *config.Consul) (registry.Backend, error) {
+
+ consulCfg := &api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token}
+ if cfg.Scheme == "https" {
+ consulCfg.TLSConfig.KeyFile = cfg.TLS.KeyFile
+ consulCfg.TLSConfig.CertFile = cfg.TLS.CertFile
+ consulCfg.TLSConfig.CAFile = cfg.TLS.CAFile
+ consulCfg.TLSConfig.CAPath = cfg.TLS.CAPath
+ consulCfg.TLSConfig.InsecureSkipVerify = cfg.TLS.InsecureSkipVerify
+ }
+
 // create a reusable client
- c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token})
+ c, err := api.NewClient(consulCfg)
 if err != nil {
 return nil, err
 }
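Review bot: The TLS settings are copied only when `cfg.Scheme == "https"`, so a CA file or client certificate configured alongside the default scheme is silently dropped and fabio keeps talking to Consul in plaintext with nothing in the logs to say so. As far as I recall the consul `api` client only uses `TLSConfig` for an https transport anyway (worth confirming against the vendored api version), so the guard can go and the five assignments collapse to one literal, `consulCfg.TLSConfig = api.TLSConfig{KeyFile: cfg.TLS.KeyFile, CertFile: cfg.TLS.CertFile, CAFile: cfg.TLS.CAFile, CAPath: cfg.TLS.CAPath, InsecureSkipVerify: cfg.TLS.InsecureSkipVerify}`; if the guard is kept, return an error when any TLS field is set with a non-https scheme rather than ignoring it. `InsecureSkipVerify` disables server certificate verification for every Consul request, so it should emit a warning log line when enabled and the block should carry a comment such as `// TLS material and verification settings for the Consul client; see config.Consul.TLS`. NewBackend continues past the end of the hunk.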