Honor ca-certificate in 1-way TLS

This lets you use kt with unauthenticated clusters exposed via a k8s ingress, e.g. as deployed by strimzi
fgeller · Sep 9, 2023 · 9d4c73f · 9d4c73f
1 parent 486f3b8
commit 9d4c73f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -283,11 +283,16 @@ Required fields:
 
  - `mode`: This needs to be set to `TLS-1way`
 
+Optional fields:
+
+ - `ca-certificate`: Path to your CA certificate
+
+
 Example:
 
 
     {
-        "mode": "TLS-1way",
+        "mode": "TLS-1way"
     }
 
 ### Other modes

diff --git a/common.go b/common.go
@@ -238,6 +238,26 @@ func setupSASL(auth authConfig, saramaCfg *sarama.Config) error {
 func setupAuthTLS1Way(auth authConfig, saramaCfg *sarama.Config) error {
 	saramaCfg.Net.TLS.Enable = true
 	saramaCfg.Net.TLS.Config = &tls.Config{}
+
+	if auth.CACert == "" {
+		return nil
+	}
+
+	caString, err := ioutil.ReadFile(auth.CACert)
+	if err != nil {
+		return fmt.Errorf("failed to read ca-certificate err=%v", err)
+	}
+
+	caPool := x509.NewCertPool()
+	ok := caPool.AppendCertsFromPEM(caString)
+	if !ok {
+		failf("unable to add ca-certificate at %s to certificate pool", auth.CACert)
+	}
+
+	tlsCfg := &tls.Config{RootCAs: caPool}
+	tlsCfg.BuildNameToCertificate()
+
+	saramaCfg.Net.TLS.Config = tlsCfg
 	return nil
 }