Merge pull request #1865 from hashicorp/b-cli-client-tls

Making the cli use TLS if the client has enabled TLS
hashicorp · Oct 26, 2016 · 28b4eef · 28b4eef
2 parents 7eae821 + 722433b
commit 28b4eef
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 20 deletions.
diff --git a/api/allocations.go b/api/allocations.go
@@ -4,8 +4,6 @@ import (
 	"fmt"
 	"sort"
 	"time"
-
-	"github.com/hashicorp/go-cleanhttp"
 )
 
 var (
@@ -60,10 +58,7 @@ func (a *Allocations) Stats(alloc *Allocation, q *QueryOptions) (*AllocResourceU
 	if node.HTTPAddr == "" {
 		return nil, fmt.Errorf("http addr of the node where alloc %q is running is not advertised", alloc.ID)
 	}
-	client, err := NewClient(&Config{
-		Address:    fmt.Sprintf("http://%s", node.HTTPAddr),
-		HttpClient: cleanhttp.DefaultClient(),
-	})
+	client, err := NewClient(a.client.config.CopyConfig(node.HTTPAddr, node.TLSEnabled))
 	if err != nil {
 		return nil, err
 	}

diff --git a/api/api.go b/api/api.go
@@ -110,6 +110,24 @@ type Config struct {
 	TLSConfig *TLSConfig
 }
 
+// CopyConfig copies the configuration with a new address
+func (c *Config) CopyConfig(address string, tlsEnabled bool) *Config {
+	scheme := "http"
+	if tlsEnabled {
+		scheme = "https"
+	}
+	config := &Config{
+		Address:    fmt.Sprintf("%s://%s", scheme, address),
+		Region:     c.Region,
+		HttpClient: c.HttpClient,
+		HttpAuth:   c.HttpAuth,
+		WaitTime:   c.WaitTime,
+		TLSConfig:  c.TLSConfig,
+	}
+
+	return config
+}
+
 // TLSConfig contains the parameters needed to configure TLS on the HTTP client
 // used to communicate with Nomad.
 type TLSConfig struct {

diff --git a/api/fs.go b/api/fs.go
@@ -52,17 +52,13 @@ func (c *Client) AllocFS() *AllocFS {
 // getNodeClient returns a Client that will dial the node. If the QueryOptions
 // is set, the function will ensure that it is initalized and that the Params
 // field is valid.
-func (a *AllocFS) getNodeClient(nodeHTTPAddr, allocID string, q **QueryOptions) (*Client, error) {
-	if nodeHTTPAddr == "" {
+func (a *AllocFS) getNodeClient(node *Node, allocID string, q **QueryOptions) (*Client, error) {
+	if node.HTTPAddr == "" {
 		return nil, fmt.Errorf("http addr of the node where alloc %q is running is not advertised", allocID)
 	}
 
 	// Get an API client for the node
-	nodeClientConfig := &Config{
-		Address: fmt.Sprintf("http://%s", nodeHTTPAddr),
-		Region:  a.client.config.Region,
-	}
-	nodeClient, err := NewClient(nodeClientConfig)
+	nodeClient, err := NewClient(a.client.config.CopyConfig(node.HTTPAddr, node.TLSEnabled))
 	if err != nil {
 		return nil, err
 	}
@@ -87,7 +83,7 @@ func (a *AllocFS) List(alloc *Allocation, path string, q *QueryOptions) ([]*Allo
 	if err != nil {
 		return nil, nil, err
 	}
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -108,7 +104,7 @@ func (a *AllocFS) Stat(alloc *Allocation, path string, q *QueryOptions) (*AllocF
 	if err != nil {
 		return nil, nil, err
 	}
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -130,7 +126,7 @@ func (a *AllocFS) ReadAt(alloc *Allocation, path string, offset int64, limit int
 		return nil, err
 	}
 
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, err
 	}
@@ -153,7 +149,7 @@ func (a *AllocFS) Cat(alloc *Allocation, path string, q *QueryOptions) (io.ReadC
 		return nil, err
 	}
 
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, err
 	}
@@ -182,7 +178,7 @@ func (a *AllocFS) Stream(alloc *Allocation, path, origin string, offset int64,
 		return nil, err
 	}
 
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, err
 	}
@@ -251,7 +247,7 @@ func (a *AllocFS) Logs(alloc *Allocation, follow bool, task, logType, origin str
 		return nil, err
 	}
 
-	nodeClient, err := a.getNodeClient(node.HTTPAddr, alloc.ID, &q)
+	nodeClient, err := a.getNodeClient(node, alloc.ID, &q)
 	if err != nil {
 		return nil, err
 	}

diff --git a/api/nodes.go b/api/nodes.go
@@ -102,6 +102,7 @@ type Node struct {
 	Datacenter        string
 	Name              string
 	HTTPAddr          string
+	TLSEnabled        bool
 	Attributes        map[string]string
 	Resources         *Resources
 	Reserved          *Resources

diff --git a/client/driver/raw_exec.go b/client/driver/raw_exec.go
@@ -95,7 +95,7 @@ func (d *RawExecDriver) Fingerprint(cfg *config.Config, node *structs.Node) (boo
 	// Check that the user has explicitly enabled this executor.
 	enabled := cfg.ReadBoolDefault(rawExecConfigOption, false)
 
-	if enabled {
+	if enabled || cfg.DevMode {
 		if currentlyEnabled {
 			d.logger.Printf("[WARN] driver.raw_exec: raw exec is enabled. Only enable if needed")
 		}

diff --git a/command/agent/agent.go b/command/agent/agent.go
@@ -363,6 +363,7 @@ func (a *Agent) clientConfig() (*clientconfig.Config, error) {
 
 	// Set the TLS related configs
 	conf.TLSConfig = a.config.TLSConfig
+	conf.Node.TLSEnabled = conf.TLSConfig.EnableHTTP
 
 	return conf, nil
 }

diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
@@ -653,6 +653,9 @@ type Node struct {
 	// requests
 	HTTPAddr string
 
+	// TLSEnabled indicates if the Agent has TLS enabled for the HTTP API
+	TLSEnabled bool
+
 	// Attributes is an arbitrary set of key/value
 	// data that can be used for constraints. Examples
 	// include "kernel.name=linux", "arch=386", "driver.docker=1",