command: add -tls-server-name flag

hashicorp · Sep 24, 2019 · 006570a · 006570a
1 parent 4f687cf
commit 006570a
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/api/api.go b/api/api.go
@@ -257,6 +257,9 @@ func DefaultConfig() *Config {
 	if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
 		config.TLSConfig.ClientKey = v
 	}
+	if v := os.Getenv("NOMAD_TLS_SERVER_NAME"); v != "" {
+		config.TLSConfig.TLSServerName = v
+	}
 	if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
 		if insecure, err := strconv.ParseBool(v); err == nil {
 			config.TLSConfig.Insecure = insecure

diff --git a/command/meta.go b/command/meta.go
@@ -50,11 +50,12 @@ type Meta struct {
 	// token is used for ACLs to access privileged information
 	token string
 
-	caCert     string
-	caPath     string
-	clientCert string
-	clientKey  string
-	insecure   bool
+	caCert        string
+	caPath        string
+	clientCert    string
+	clientKey     string
+	tlsServerName string
+	insecure      bool
 }
 
 // FlagSet returns a FlagSet with the common flags that every
@@ -76,6 +77,7 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 		f.StringVar(&m.clientCert, "client-cert", "", "")
 		f.StringVar(&m.clientKey, "client-key", "", "")
 		f.BoolVar(&m.insecure, "insecure", false, "")
+		f.StringVar(&m.tlsServerName, "tls-server-name", "", "")
 		f.BoolVar(&m.insecure, "tls-skip-verify", false, "")
 		f.StringVar(&m.token, "token", "", "")
 
@@ -113,6 +115,7 @@ func (m *Meta) AutocompleteFlags(fs FlagSetFlags) complete.Flags {
 		"-client-cert":     complete.PredictFiles("*"),
 		"-client-key":      complete.PredictFiles("*"),
 		"-insecure":        complete.PredictNothing,
+		"-tls-server-name": complete.PredictNothing,
 		"-tls-skip-verify": complete.PredictNothing,
 		"-token":           complete.PredictAnything,
 	}
@@ -136,13 +139,14 @@ func (m *Meta) Client() (*api.Client, error) {
 	}
 
 	// If we need custom TLS configuration, then set it
-	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.insecure {
+	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.tlsServerName != "" || m.insecure {
 		t := &api.TLSConfig{
-			CACert:     m.caCert,
-			CAPath:     m.caPath,
-			ClientCert: m.clientCert,
-			ClientKey:  m.clientKey,
-			Insecure:   m.insecure,
+			CACert:        m.caCert,
+			CAPath:        m.caPath,
+			ClientCert:    m.clientCert,
+			ClientKey:     m.clientKey,
+			TLSServerName: m.tlsServerName,
+			Insecure:      m.insecure,
 		}
 		config.TLSConfig = t
 	}
@@ -204,6 +208,10 @@ func generalOptionsUsage() string {
     Path to an unencrypted PEM encoded private key matching the
     client certificate from -client-cert. Overrides the
     NOMAD_CLIENT_KEY environment variable if set.
+	
+  -tls-server-name=<value>
+    The server name to use as the SNI host when connecting via 
+    TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.
 
   -tls-skip-verify
     Do not verify TLS certificate. This is highly not recommended. Verification

diff --git a/website/source/docs/commands/_general_options.html.md b/website/source/docs/commands/_general_options.html.md
@@ -25,6 +25,9 @@
   the client certificate from `-client-cert`. Overrides the `NOMAD_CLIENT_KEY`
   environment variable if set.
 
+- `-tls-server-name=<value>`: The server name to use as the SNI host when connecting 
+  via TLS. Overrides the `NOMAD_TLS_SERVER_NAME` environment variable if set.
+
 - `-tls-skip-verify`: Do not verify TLS certificate. This is highly not
   recommended. Verification will also be skipped if `NOMAD_SKIP_VERIFY` is set.