remove client pool and add tls client auth support

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>

service/flags.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	env "github.com/caitlinelfring/go-env-default"
+	"github.com/caitlinelfring/go-env-default"
 	"github.com/spf13/pflag"
 )
 
@@ -17,6 +17,10 @@ const (
 	caCert     = "ca-cert"
 	serverCert = "server-cert"
 	serverKey  = "server-key"
+
+	clientCACert = "client-ca-cert"
+	clientCert   = "client-cert"
+	clientKey    = "client-key"
 )
 
 var u = strings.ToUpper
@@ -37,6 +41,9 @@ func NewFlagSet() (*pflag.FlagSet, Option) {
 	flags.StringVar(&optCACert, caCert, "", "Path to Root CA certificate"+flagEnv(caCert))
 	flags.StringVar(&optCert, serverCert, "", "Path to Server certificate"+flagEnv(serverCert))
 	flags.StringVar(&optKey, serverKey, "", "Path to Server key"+flagEnv(serverKey))
+	flags.StringVar(&optCACert, clientCACert, "", "Path to Root CA certificate"+flagEnv(clientCACert))
+	flags.StringVar(&optCert, clientCert, "", "Path to Client certificate"+flagEnv(clientCert))
+	flags.StringVar(&optKey, clientKey, "", "Path to Client key"+flagEnv(clientKey))
 	return flags, func(o *options) {
 		o.address = optAddress
 		o.secure = !optInsecure
@@ -44,6 +51,9 @@ func NewFlagSet() (*pflag.FlagSet, Option) {
 		o.caCert = optCACert
 		o.cert = optCert
 		o.key = optKey
+		o.clientCACert = optCACert
+		o.clientCert = optCert
+		o.clientKey = optKey
 	}
 }
 

service/options.go

@@ -38,6 +38,9 @@ type Options interface {
 	CACert() string
 	Cert() string
 	Key() string
+	ClientCACert() string
+	ClientCert() string
+	ClientKey() string
 	TLSConfig() *tls.Config
 	Secure() bool
 
@@ -180,6 +183,24 @@ func WithKey(path string) Option {
 	}
 }
 
+func WithClientCACert(path string) Option {
+	return func(o *options) {
+		o.clientCACert = path
+	}
+}
+
+func WithClientCert(path string) Option {
+	return func(o *options) {
+		o.clientCert = path
+	}
+}
+
+func WithClientKey(path string) Option {
+	return func(o *options) {
+		o.clientKey = path
+	}
+}
+
 func WithTLSConfig(conf *tls.Config) Option {
 	return func(o *options) {
 		o.tlsConfig = conf
@@ -360,11 +381,14 @@ type options struct {
 	reflection bool
 	health     bool
 
-	secure    bool
-	caCert    string
-	cert      string
-	key       string
-	tlsConfig *tls.Config
+	secure       bool
+	caCert       string
+	cert         string
+	key          string
+	clientCACert string
+	clientCert   string
+	clientKey    string
+	tlsConfig    *tls.Config
 
 	transport transport.Transport
 	registry  registry.Registry
@@ -442,6 +466,18 @@ func (o *options) Key() string {
 	return o.key
 }
 
+func (o *options) ClientCACert() string {
+	return o.clientCACert
+}
+
+func (o *options) ClientCert() string {
+	return o.clientCert
+}
+
+func (o *options) ClientKey() string {
+	return o.clientKey
+}
+
 func (o *options) TLSConfig() *tls.Config {
 	return o.tlsConfig
 }
@@ -577,9 +613,32 @@ func (o *options) parseTLSConfig() error {
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      caCertPool,
 	}
+	if !o.hasClientTLSConfig() {
+		return nil
+	}
+	clientCACert, err := os.ReadFile(o.clientCACert)
+	if err != nil {
+		return err
+	}
+	clientCACertPool := x509.NewCertPool()
+	ok = clientCACertPool.AppendCertsFromPEM(clientCACert)
+	if !ok {
+		return fmt.Errorf("failed to load Client CA Cert from %s", o.clientCACert)
+	}
+	clientCert, err := tls.LoadX509KeyPair(o.clientCert, o.clientKey)
+	if err != nil {
+		return err
+	}
+	o.tlsConfig.ClientCAs = clientCACertPool
+	o.tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	o.tlsConfig.Certificates = append(o.tlsConfig.Certificates, clientCert)
 	return nil
 }
 
 func (o *options) hasTLSConfig() bool {
-	return o.caCert != "" && o.cert != "" && o.key != "" && o.tlsConfig == nil
+	return o.caCert != "" && o.cert != "" && o.tlsConfig == nil
+}
+
+func (o *options) hasClientTLSConfig() bool {
+	return o.clientCACert != "" && o.clientCert != "" && o.clientKey != ""
 }