WIP: Add parsing of VAULT_CACERT_BYTES for custom CA

config/ssl.go

@@ -12,13 +12,14 @@ const (
 
 // SSLConfig is the configuration for SSL.
 type SSLConfig struct {
-	CaCert     *string `mapstructure:"ca_cert"`
-	CaPath     *string `mapstructure:"ca_path"`
-	Cert       *string `mapstructure:"cert"`
-	Enabled    *bool   `mapstructure:"enabled"`
-	Key        *string `mapstructure:"key"`
-	ServerName *string `mapstructure:"server_name"`
-	Verify     *bool   `mapstructure:"verify"`
+	CaCert      *string `mapstructure:"ca_cert"`
+	CaCertBytes *string `mapstructure:"ca_cert_bytes"`
+	CaPath      *string `mapstructure:"ca_path"`
+	Cert        *string `mapstructure:"cert"`
+	Enabled     *bool   `mapstructure:"enabled"`
+	Key         *string `mapstructure:"key"`
+	ServerName  *string `mapstructure:"server_name"`
+	Verify      *bool   `mapstructure:"verify"`
 }
 
 // DefaultSSLConfig returns a configuration that is populated with the
@@ -35,6 +36,7 @@ func (c *SSLConfig) Copy() *SSLConfig {
 
 	var o SSLConfig
 	o.CaCert = c.CaCert
+	o.CaCertBytes = c.CaCertBytes
 	o.CaPath = c.CaPath
 	o.Cert = c.Cert
 	o.Enabled = c.Enabled
@@ -70,6 +72,10 @@ func (c *SSLConfig) Merge(o *SSLConfig) *SSLConfig {
 		r.CaCert = o.CaCert
 	}
 
+	if o.CaCertBytes != nil {
+		r.CaCertBytes = o.CaCertBytes
+	}
+
 	if o.CaPath != nil {
 		r.CaPath = o.CaPath
 	}
@@ -99,6 +105,7 @@ func (c *SSLConfig) Finalize() {
 		c.Enabled = Bool(false ||
 			StringPresent(c.Cert) ||
 			StringPresent(c.CaCert) ||
+			StringPresent(c.CaCertBytes) ||
 			StringPresent(c.CaPath) ||
 			StringPresent(c.Key) ||
 			StringPresent(c.ServerName) ||
@@ -113,6 +120,10 @@ func (c *SSLConfig) Finalize() {
 		c.CaCert = String("")
 	}
 
+	if c.CaCertBytes == nil {
+		c.CaCertBytes = String("")
+	}
+
 	if c.CaPath == nil {
 		c.CaPath = String("")
 	}
@@ -138,6 +149,7 @@ func (c *SSLConfig) GoString() string {
 
 	return fmt.Sprintf("&SSLConfig{"+
 		"CaCert:%s, "+
+		"CaCertBytes:%s, "+
 		"CaPath:%s, "+
 		"Cert:%s, "+
 		"Enabled:%s, "+
@@ -146,6 +158,7 @@ func (c *SSLConfig) GoString() string {
 		"Verify:%s"+
 		"}",
 		StringGoString(c.CaCert),
+		StringGoString(c.CaCertBytes),
 		StringGoString(c.CaPath),
 		StringGoString(c.Cert),
 		BoolGoString(c.Enabled),

config/vault.go

@@ -303,6 +303,9 @@ func (c *VaultConfig) Finalize() {
 	if c.SSL.CaCert == nil {
 		c.SSL.CaCert = stringFromEnv([]string{api.EnvVaultCACert}, "")
 	}
+	if c.SSL.CaCertBytes == nil {
+		c.SSL.CaCertBytes = stringFromEnv([]string{api.EnvVaultCACertBytes}, "")
+	}
 	if c.SSL.CaPath == nil {
 		c.SSL.CaPath = stringFromEnv([]string{api.EnvVaultCAPath}, "")
 	}

dependency/client_set.go

@@ -95,6 +95,7 @@ type CreateVaultClientInput struct {
 	SSLCert         string
 	SSLKey          string
 	SSLCACert       string
+	SSLCACertBytes  string
 	SSLCAPath       string
 	ServerName      string
 	ClientUserAgent string
@@ -302,10 +303,11 @@ func (c *ClientSet) CreateVaultClient(i *CreateVaultClientInput) error {
 		}
 
 		// Custom CA certificate
-		if i.SSLCACert != "" || i.SSLCAPath != "" {
+		if i.SSLCACert != "" || i.SSLCAPath != "" || i.SSLCACertBytes != "" {
 			rootConfig := &rootcerts.Config{
-				CAFile: i.SSLCACert,
-				CAPath: i.SSLCAPath,
+				CAFile:        i.SSLCACert,
+				CACertificate: []byte(i.SSLCACertBytes),
+				CAPath:        i.SSLCAPath,
 			}
 			if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
 				return fmt.Errorf("client set: vault configuring TLS failed: %s", err)

manager/runner.go

@@ -1128,6 +1128,10 @@ func (r *Runner) childEnv() []string {
 		m["VAULT_CACERT"] = config.StringVal(r.config.Vault.SSL.CaCert)
 	}
 
+	if config.StringPresent(r.config.Vault.SSL.CaCertBytes) {
+		m["VAULT_CACERT_BYTES"] = config.StringVal(r.config.Vault.SSL.CaCertBytes)
+	}
+
 	if config.StringPresent(r.config.Vault.SSL.ServerName) {
 		m["VAULT_TLS_SERVER_NAME"] = config.StringVal(r.config.Vault.SSL.ServerName)
 	}
@@ -1350,6 +1354,7 @@ func NewClientSet(c *config.Config) (*dep.ClientSet, error) {
 		SSLCert:                      config.StringVal(c.Vault.SSL.Cert),
 		SSLKey:                       config.StringVal(c.Vault.SSL.Key),
 		SSLCACert:                    config.StringVal(c.Vault.SSL.CaCert),
+		SSLCACertBytes:               config.StringVal(c.Vault.SSL.CaCertBytes),
 		SSLCAPath:                    config.StringVal(c.Vault.SSL.CaPath),
 		ServerName:                   config.StringVal(c.Vault.SSL.ServerName),
 		ClientUserAgent:              config.StringVal(c.Vault.ClientUserAgent),