Merge pull request gliderlabs#394 from wixyvir/add_consul_tls

adding TLS support for consul backend
olafnorge · Jul 13, 2016 · 7d92084 · 7d92084
2 parents 6f4147f + 8e57bf0
commit 7d92084
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/consul/consul.go b/consul/consul.go
@@ -5,16 +5,18 @@ import (
 	"log"
 	"net/url"
 	"strings"
-
+	"os"
 	"github.com/gliderlabs/registrator/bridge"
 	consulapi "github.com/hashicorp/consul/api"
+	"github.com/hashicorp/go-cleanhttp"
 )
 
 const DefaultInterval = "10s"
 
 func init() {
 	f := new(Factory)
 	bridge.Register(f, "consul")
+	bridge.Register(f, "consul-tls")
 	bridge.Register(f, "consul-unix")
 }
 
@@ -30,6 +32,23 @@ func (f *Factory) New(uri *url.URL) bridge.RegistryAdapter {
 	config := consulapi.DefaultConfig()
 	if uri.Scheme == "consul-unix" {
 		config.Address = strings.TrimPrefix(uri.String(), "consul-")
+	} else if uri.Scheme == "consul-tls" {
+	        tlsConfigDesc := &consulapi.TLSConfig {
+			  Address: uri.Host,
+			  CAFile: os.Getenv("CONSUL_CACERT"),
+  			  CertFile: os.Getenv("CONSUL_TLSCERT"),
+  			  KeyFile: os.Getenv("CONSUL_TLSKEY"),
+			  InsecureSkipVerify: false,
+		}
+		tlsConfig, err := consulapi.SetupTLSConfig(tlsConfigDesc)
+		if err != nil {
+		   log.Fatal("Cannot set up Consul TLSConfig", err)
+		}
+		config.Scheme = "https"
+		transport := cleanhttp.DefaultPooledTransport()
+		transport.TLSClientConfig = tlsConfig
+		config.HttpClient.Transport = transport
+		config.Address = uri.Host
 	} else if uri.Host != "" {
 		config.Address = uri.Host
 	}

diff --git a/docs/user/backends.md b/docs/user/backends.md
@@ -10,6 +10,7 @@ See also [Contributing Backends](../dev/backends.md).
 
 	consul://<address>:<port>
 	consul-unix://<filepath>
+	consul-tls://<address>:<port>
 
 Consul is the recommended registry since it specifically models services for
 service discovery with health checks.
@@ -18,6 +19,11 @@ If no address and port is specified, it will default to `127.0.0.1:8500`.
 
 Consul supports tags but no arbitrary service attributes.
 
+When using the `consul-tls` scheme, registrator communicates with Consul through TLS. You must set the following environment variables:
+ * `CONSUL_CACERT` : CA file location
+ * `CONSUL_TLSCERT` : Certificate file location
+ * `CONSUL_TLSKEY` : Key location
+
 ### Consul HTTP Check
 
 This feature is only available when using Consul 0.5 or newer. Containers