
✨ Add support for static client certificates defined in fastly.toml. #306

Merged
merged 10 commits into from
Jul 12, 2024

Conversation

@acw acw (Contributor) commented Aug 28, 2023

As it says in the CHANGELOG entry:

Add support for supplying client certificates in fastly.toml, through the use of the
client_cert_info table, which must have one of a "certificate" or "certificate_file"
key, as well as one of a "key" and "key_file" key. The "_file" variants can be used to
point to certificate/key files on disk, whereas the non-"_file" variants should be
multi-line string constants in the toml. In all cases, they should be in PEM format.

Comment on lines 303 to 331 (the inline `key = """ ... """` PEM block of the example fastly.toml):

Contributor

As fastly.toml is often committed into projects, could we also offer key_path and certificate_path, which contain paths to the files holding the key and certificate? That way projects can exclude those files from being committed whilst still allowing fastly.toml to be committed.

Contributor Author

This code has moved and shifted a bit, and I think maybe this comment has gotten mis-attributed. But, if you look in lib/src/config/backends/client_cert_info.rs (or the CHANGELOG), you'll see that this PR does add the ability to either add the TLS certificate/key directly in the file (using certificate and key) or by reference in a file (using certificate_file and key_file).

Obviously, we can change those to certificate_path and key_path, if those would be better names.

@acw acw requested a review from JakeChampion June 20, 2024 20:32
@JakeChampion JakeChampion (Contributor) left a comment

🚢

@acw acw merged commit 940df82 into main Jul 12, 2024
7 checks passed
@acw acw deleted the awick/static-client-certs branch July 12, 2024 21:10
@kpfleming (Contributor)

I was going to ask about adding documentation for this to https://www.fastly.com/documentation/reference/compute/fastly-toml/, but I see that "ca_certs" isn't documented there either. I guess this means we need to launch an 'audit' project to get the docs up to date with what the CLI and Viceroy actually support in fastly.toml.

GeeWee pushed a commit to GeeWee/Viceroy that referenced this pull request Jul 25, 2024
…astly#306)

 Add support for supplying client certificates in fastly.toml, through the use of the
 `client_cert_info` table, which must have one of a "certificate" or "certificate_file"
 key, as well as one of a "key" and "key_file" key. The "_file" variants can be used to
 point to certificate/key files on disk, whereas the non-"_file" variants should be
 multi-line string constants in the toml. In all cases, they should be in PEM format.
3 participants