Add support to load certificates from swagger tls flags (#672)

- Add support to load certificates via `--tls-certificate`, `--tls-key` and `--tls-ca` flags (standard TLS flags for the swagger server) - Certificate keypair will be added to the certificate pool used by the Console server
2021-03-27 12:21:59 -07:00
parent 23b3283014
commit 5155aef802
12 changed files with 62 additions and 20 deletions
--- a/cmd/console/server.go
+++ b/cmd/console/server.go
@@ -18,11 +18,14 @@ package main

 import (
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
 	"time"

+	"github.com/minio/minio/cmd/config"
+
 	"github.com/go-openapi/loads"
 	"github.com/jessevdk/go-flags"
 	"github.com/minio/cli"
@@ -68,6 +71,21 @@ var serverCmd = cli.Command{
 			Value: certs.GlobalCertsCADir.Get(),
 			Usage: "path to certs directory",
 		},
+		cli.StringFlag{
+			Name:  "tls-certificate",
+			Value: "",
+			Usage: "path tls certificate",
+		},
+		cli.StringFlag{
+			Name:  "tls-key",
+			Value: "",
+			Usage: "path tls key",
+		},
+		cli.StringFlag{
+			Name:  "tls-ca",
+			Value: "",
+			Usage: "path tls ca",
+		},
 	},
 }

@@ -122,6 +140,30 @@ func startServer(ctx *cli.Context) error {
 	// load the certificates and the CAs
 	restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()

+	// TLS flags from swagger server, used to support older versions of minio-operator
+	swaggerServerCertificate := ctx.String("tls-certificate")
+	swaggerServerCertificateKey := ctx.String("tls-key")
+	SwaggerServerCACertificate := ctx.String("tls-ca")
+	// load tls cert and key from swagger server tls-certificate and tls-key flags
+	if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
+		if errAddCert := restapi.GlobalTLSCertsManager.AddCertificate(swaggerServerCertificate, swaggerServerCertificateKey); errAddCert == nil {
+			if x509Certs, errParseCert := config.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil && len(x509Certs) > 0 {
+				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0])
+			} else {
+				log.Println(errParseCert)
+			}
+		} else {
+			log.Println(errAddCert)
+		}
+	}
+	// load ca cert from swagger server tls-ca flag
+	if SwaggerServerCACertificate != "" {
+		caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
+		if caCertErr == nil {
+			restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
+		}
+	}
+
 	if len(restapi.GlobalPublicCerts) > 0 {
 		// If TLS certificates are provided enforce the HTTPS schema, meaning console will redirect
 		// plain HTTP connections to HTTPS server