[fixes 254] Add mTLS support with client cert and key. #211
Conversation
…nd ca cert to be the data. See also hashicorp/terraform-provider-http#211
… & key, as well as enterprise cacert. (#31699) * Add mTLS support for http backend by way of client cert & key, as well as enterprise cacert. * Fix style. * Skip cert validation to be sure error is related to missing client cert; not untrusted server cert. * Remove misplaced err check. * Fix the size of test using http backend. * Just for correctness, include all certs in the pem encoded cert - sometimes certs come with a chain of their signers. * Adjusted names as recommended in PR comments. * Adjusted names to be full-length and more descriptive. * Added full-fledged testing with mTLS http server * Fix goimports. * Fix the names of the backend config. * Exclusive lock for write and delete. * Revert "Fix goimports." This reverts commit 7d40f60. * goimports just for server test. * Added the go:generation for the mock. * Move the TLS configuration out to make it more readable - don't replace the HTTPClient as the retryablehttp already creates one - just configure its TLS. * Just switch the client/data params - felt more natural this way. * Update internal/backend/remote-state/http/backend.go Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * Update internal/backend/remote-state/http/testdata/gencerts.sh Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * Update internal/backend/remote-state/http/backend.go Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * Update internal/backend/remote-state/http/backend.go Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * Update internal/backend/remote-state/http/backend.go Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * Update internal/backend/remote-state/http/backend.go Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com> * the location of the file name is not sensitive. * Added error if only one of client_certificate_pem and client_private_key_pem are set. * Remove testify from test cases; use t.Error* for assert and t.Fatal* for require. * Fixed import consistency * Just use default openssl. * Since file(...) is so trivial to use, changed the client cert, key, and ca cert to be the data. See also hashicorp/terraform-provider-http#211 Co-authored-by: Sheridan C Rawlins <scr@ouryahoo.com> Co-authored-by: kmoe <5575356+kmoe@users.noreply.github.com>
|
@kmoe can you help merge this one too? It's for non-backend http to use mTLS as well |
|
Hello. Do you now why this merge request is pending because this is a very usefull feature? |
scr-oath
changed the title
I just ran |
|
@scr-oath I have added this PR to our triage list and will endeavour to discuss this as a team in an upcoming triage meeting. The PR will be considered but it is hard to give a definitive answer on ETA. |
…regex, just add the either|or match.
|
Hi @scr-oath 👋 Thank you for submitting this PR and opening the associated issue. We have just discussed this PR at our triage meeting and have come to the conclusion that we'd like to hold off on reviewing and potentially merging until we have a clearer idea on the level of community interest in these changes. We have to consider each enhancement request (issue) or PR on the basis of community interest alongside the consequences of increasing the surface area of the provider. We will leave the issue and PR open and will revisit if there is community interest signalled by up votes. |
|
+1 that this is needed, definitely situations where you need to connect with client certs. |
This PR is to support mTLS support for the http data source, by allowing the client_cert and client_key to be passed.