package wkafka
import (
	"crypto/tls"
	"errors"

	"github.com/twmb/tlscfg"
)
// SecurityConfig contains options for TLS and SASL authentication.
//
// The zero value is used if the Kafka instance has a plaintext listener:
// TLS.Enabled is false, so TLSConfig.Generate yields no *tls.Config.
type SecurityConfig struct {
	// TLS configures transport encryption and the optional client key pair;
	// see TLSConfig and TLSConfig.Generate.
	TLS TLSConfig `cfg:"tls"`
	// SASL configures authentication mechanisms. SaslConfigs is declared
	// elsewhere in this package.
	SASL SaslConfigs `cfg:"sasl"`
}
// TLSConfig contains options for TLS authentication.
//
// See Generate for how these fields are turned into a *tls.Config.
type TLSConfig struct {
	// Enabled is whether TLS is enabled. When false, Generate returns nil
	// and the remaining fields are ignored.
	Enabled bool `cfg:"enabled"`
	// CertFile is the path to the client's TLS certificate on disk.
	// Must be used together with KeyFile; Generate only loads the key pair
	// when both paths are set.
	CertFile string `cfg:"cert_file"`
	// KeyFile is the path to the client's TLS private key on disk.
	// Must be used together with CertFile.
	KeyFile string `cfg:"key_file"`
	// CAFile is the path to a CA certificate used to verify the broker.
	// Generate always loads the system root CA set; when CAFile is set it is
	// passed to tlscfg.WithDiskCA in addition to that pool.
	// NOTE(review): this appears to add the CA alongside the system roots
	// rather than replace them — confirm against tlscfg if a private CA is
	// meant to be the only trust anchor.
	CAFile string `cfg:"ca_file"`
}
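// Generate returns a *tls.Config built from the TLSConfig.
//
// When Enabled is false, (nil, nil) is returned regardless of the other
// fields, so callers can treat the result as "no TLS".
//
// CertFile and KeyFile must be set together. Setting exactly one of them
// is reported as an error instead of silently producing a config with no
// client certificate, which would otherwise surface only as an
// authentication failure at the broker. The system root CA set is always
// loaded; when CAFile is set it is handed to tlscfg.WithDiskCA as well.
// Errors from tlscfg.New (for example unreadable files) are returned as-is.
func (t TLSConfig) Generate() (*tls.Config, error) {
	if !t.Enabled {
		return nil, nil
	}

	// A half-specified key pair is a configuration mistake; refuse it
	// explicitly rather than quietly dropping the client certificate.
	if (t.CertFile == "") != (t.KeyFile == "") {
		return nil, errors.New("tls: cert_file and key_file must be set together")
	}

	var opts []tlscfg.Opt

	// Client key pair (mutual TLS) — only reached when both paths are set.
	if t.CertFile != "" {
		opts = append(opts, tlscfg.WithDiskKeyPair(t.CertFile, t.KeyFile))
	}

	// Trust anchors: system roots always, plus the on-disk CA when given.
	// Option order is kept as in the original configuration.
	opts = append(opts, tlscfg.WithSystemCertPool())
	if t.CAFile != "" {
		opts = append(opts, tlscfg.WithDiskCA(t.CAFile, tlscfg.ForClient))
	}

	return tlscfg.New(opts...)
}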