trace tls configurations

Author: FZambia

internal/confighelpers/redis.go

@@ -41,7 +41,7 @@ func addRedisShardCommonSettings(shardConf *centrifuge.RedisShardConfig, redisCo
 	shardConf.ClientName = redisConf.ClientName
 
 	if redisConf.TLS.Enabled {
-		tlsConfig, err := redisConf.TLS.ToGoTLSConfig()
+		tlsConfig, err := redisConf.TLS.ToGoTLSConfig("redis")
 		if err != nil {
 			return fmt.Errorf("error creating Redis TLS config: %v", err)
 		}
@@ -109,7 +109,7 @@ func getRedisShardConfigs(redisConf configtypes.Redis) ([]centrifuge.RedisShardC
 			}
 			conf.SentinelClientName = redisConf.SentinelClientName
 			if redisConf.SentinelTLS.Enabled {
-				tlsConfig, err := redisConf.TLS.ToGoTLSConfig()
+				tlsConfig, err := redisConf.TLS.ToGoTLSConfig("redis_sentinel")
 				if err != nil {
 					return nil, "", fmt.Errorf("error creating Redis Sentinel TLS config: %v", err)
 				}

internal/configtypes/tls.go

@@ -7,6 +7,10 @@ import (
 	"errors"
 	"fmt"
 	"os"
+
+	"github.com/rs/zerolog"
+
+	"github.com/rs/zerolog/log"
 )
 
 // TLSConfig is a common configuration for TLS.
@@ -15,52 +19,56 @@ import (
 // 2. Base64 encoded PEM
 // 3. Raw PEM
 // It's up to the user to only use a single source of configured values. I.e. if both file and raw PEM are set
-// the file will be used and raw PEM will be just ignored.
+// the file will be used and raw PEM will be just ignored. For certificate and key it's required to use the same
+// source type - whether set both from file, both from base64 or both from raw string.
 type TLSConfig struct {
 	// Enabled turns on using TLS.
 	Enabled bool `mapstructure:"enabled" json:"enabled" yaml:"enabled" toml:"enabled" envconfig:"enabled"`
 
-	// CertPem is a certificate in PEM format.
-	CertPem string `mapstructure:"cert_pem" json:"cert_pem" envconfig:"cert_pem" yaml:"cert_pem" toml:"cert_pem"`
-	// CertPemB64 is a certificate in base64 encoded PEM format.
-	CertPemB64 string `mapstructure:"cert_pem_b64" json:"cert_pem_b64" envconfig:"cert_pem_b64" yaml:"cert_pem_b64" toml:"cert_pem_b64"`
 	// CertPemFile is a path to a file with certificate in PEM format.
 	CertPemFile string `mapstructure:"cert_pem_file" json:"cert_pem_file" envconfig:"cert_pem_file" yaml:"cert_pem_file" toml:"cert_pem_file"`
+	// KeyPemFile is a path to a file with key in PEM format.
+	KeyPemFile string `mapstructure:"key_pem_file" json:"key_pem_file" envconfig:"key_pem_file" yaml:"key_pem_file" toml:"key_pem_file"`
 
-	// KeyPem is a key in PEM format.
-	KeyPem string `mapstructure:"key_pem" json:"key_pem" envconfig:"key_pem" yaml:"key_pem" toml:"key_pem"`
+	// CertPemB64 is a certificate in base64 encoded PEM format.
+	CertPemB64 string `mapstructure:"cert_pem_b64" json:"cert_pem_b64" envconfig:"cert_pem_b64" yaml:"cert_pem_b64" toml:"cert_pem_b64"`
 	// KeyPemB64 is a key in base64 encoded PEM format.
 	KeyPemB64 string `mapstructure:"key_pem_b64" json:"key_pem_b64" envconfig:"key_pem_b64" yaml:"key_pem_b64" toml:"key_pem_b64"`
-	// KeyPemFile is a path to a file with key in PEM format.
-	KeyPemFile string `mapstructure:"key_pem_file" json:"key_pem_file" envconfig:"key_pem_file" yaml:"key_pem_file" toml:"key_pem_file"`
 
-	// ServerCAPem is a server root CA certificate in PEM format.
+	// CertPem is a certificate in PEM format.
+	CertPem string `mapstructure:"cert_pem" json:"cert_pem" envconfig:"cert_pem" yaml:"cert_pem" toml:"cert_pem"`
+	// KeyPem is a key in PEM format.
+	KeyPem string `mapstructure:"key_pem" json:"key_pem" envconfig:"key_pem" yaml:"key_pem" toml:"key_pem"`
+
+	// ServerCAPemFile is a path to a file with server root CA certificate in PEM format.
 	// The client uses this certificate to verify the server's certificate during the TLS handshake.
-	ServerCAPem string `mapstructure:"server_ca_pem" json:"server_ca_pem" envconfig:"server_ca_pem" yaml:"server_ca_pem" toml:"server_ca_pem"`
+	ServerCAPemFile string `mapstructure:"server_ca_pem_file" json:"server_ca_pem_file" envconfig:"server_ca_pem_file" yaml:"server_ca_pem_file" toml:"server_ca_pem_file"`
 	// ServerCAPemB64 is a server root CA certificate in base64 encoded PEM format.
 	ServerCAPemB64 string `mapstructure:"server_ca_pem_b64" json:"server_ca_pem_b64" envconfig:"server_ca_pem_b64" yaml:"server_ca_pem_b64" toml:"server_ca_pem_b64"`
-	// ServerCAPemFile is a path to a file with server root CA certificate in PEM format.
-	ServerCAPemFile string `mapstructure:"server_ca_pem_file" json:"server_ca_pem_file" envconfig:"server_ca_pem_file" yaml:"server_ca_pem_file" toml:"server_ca_pem_file"`
+	// ServerCAPem is a server root CA certificate in PEM format.
+	ServerCAPem string `mapstructure:"server_ca_pem" json:"server_ca_pem" envconfig:"server_ca_pem" yaml:"server_ca_pem" toml:"server_ca_pem"`
 
-	// ClientCAPem is a client CA certificate in PEM format.
+	// ClientCAPemFile is a path to a file with client CA certificate in PEM format.
 	// The server uses this certificate to verify the client's certificate during the TLS handshake.
-	ClientCAPem string `mapstructure:"client_ca_pem" json:"client_ca_pem" envconfig:"client_ca_pem" yaml:"client_ca_pem" toml:"client_ca_pem"`
+	ClientCAPemFile string `mapstructure:"client_ca_pem_file" json:"client_ca_pem_file" envconfig:"client_ca_pem_file" yaml:"client_ca_pem_file" toml:"client_ca_pem_file"`
 	// ClientCAPemB64 is a client CA certificate in base64 encoded PEM format.
 	ClientCAPemB64 string `mapstructure:"client_ca_pem_b64" json:"client_ca_pem_b64" envconfig:"client_ca_pem_b64" yaml:"client_ca_pem_b64" toml:"client_ca_pem_b64"`
-	// ClientCAPemFile is a path to a file with client CA certificate in PEM format.
-	ClientCAPemFile string `mapstructure:"client_ca_pem_file" json:"client_ca_pem_file" envconfig:"client_ca_pem_file" yaml:"client_ca_pem_file" toml:"client_ca_pem_file"`
+	// ClientCAPem is a client CA certificate in PEM format.
+	ClientCAPem string `mapstructure:"client_ca_pem" json:"client_ca_pem" envconfig:"client_ca_pem" yaml:"client_ca_pem" toml:"client_ca_pem"`
 
 	// InsecureSkipVerify turns off server certificate verification.
 	InsecureSkipVerify bool `mapstructure:"insecure_skip_verify" json:"insecure_skip_verify" envconfig:"insecure_skip_verify" yaml:"insecure_skip_verify" toml:"insecure_skip_verify"`
 	// ServerName is used to verify the hostname on the returned certificates.
 	ServerName string `mapstructure:"server_name" json:"server_name" envconfig:"server_name" yaml:"server_name" toml:"server_name"`
 }
 
-func (c TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
+func (c TLSConfig) ToGoTLSConfig(logTraceEntity string) (*tls.Config, error) {
 	if !c.Enabled {
 		return nil, nil
 	}
-	return makeTLSConfig(c, os.ReadFile)
+	logger := log.With().Str("entity", logTraceEntity).Logger()
+	logger.Trace().Msg("TLS enabled")
+	return makeTLSConfig(c, logger, os.ReadFile)
 }
 
 // ReadFileFunc is an abstraction for os.ReadFile but also io/fs.ReadFile
@@ -71,108 +79,129 @@ func (c TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
 type ReadFileFunc func(name string) ([]byte, error)
 
 // makeTLSConfig constructs a tls.Config instance using the given configuration.
-func makeTLSConfig(cfg TLSConfig, readFile ReadFileFunc) (*tls.Config, error) {
+func makeTLSConfig(cfg TLSConfig, logger zerolog.Logger, readFile ReadFileFunc) (*tls.Config, error) {
 	tlsConfig := &tls.Config{}
+	if err := loadCertificate(cfg, logger, tlsConfig, readFile); err != nil {
+		return nil, fmt.Errorf("error load certificate: %w", err)
+	}
+	if err := loadServerCA(cfg, logger, tlsConfig, readFile); err != nil {
+		return nil, fmt.Errorf("error load server CA: %w", err)
+	}
+	if err := loadClientCA(cfg, logger, tlsConfig, readFile); err != nil {
+		return nil, fmt.Errorf("error load client CA: %w", err)
+	}
+	tlsConfig.ServerName = cfg.ServerName
+	tlsConfig.InsecureSkipVerify = cfg.InsecureSkipVerify
+	logger.Trace().Str("server_name", cfg.ServerName).Bool("insecure_skip_verify", cfg.InsecureSkipVerify).Msg("TLS config options set")
+	logger.Trace().Msg("TLS config created")
+	return tlsConfig, nil
+}
 
-	if cfg.CertPemFile != "" && cfg.KeyPemFile != "" {
-		certPEMBlock, err := readFile(cfg.CertPemFile)
-		if err != nil {
-			return nil, fmt.Errorf("read TLS certificate for %s: %w", cfg.CertPemFile, err)
-		}
-		keyPEMBlock, err := readFile(cfg.KeyPemFile)
-		if err != nil {
-			return nil, fmt.Errorf("read TLS key for %s: %w", cfg.KeyPemFile, err)
-		}
-		cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
+// loadCertificate loads the TLS certificate from various sources.
+func loadCertificate(cfg TLSConfig, logger zerolog.Logger, tlsConfig *tls.Config, readFile ReadFileFunc) error {
+	var certPEMBlock, keyPEMBlock []byte
+	var err error
+
+	switch {
+	case cfg.CertPemFile != "" && cfg.KeyPemFile != "":
+		logger.Trace().Str("cert_pem_file", cfg.CertPemFile).Str("key_pem_file", cfg.KeyPemFile).Msg("load TLS certificate and key from files")
+		certPEMBlock, err = readFile(cfg.CertPemFile)
 		if err != nil {
-			return nil, fmt.Errorf("parse certificate/key pair for %s/%s: %w", cfg.CertPemFile, cfg.KeyPemFile, err)
+			return fmt.Errorf("read TLS certificate for %s: %w", cfg.CertPemFile, err)
 		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	} else if cfg.CertPemB64 != "" && cfg.KeyPemB64 != "" {
-		certPem, err := base64.StdEncoding.DecodeString(cfg.CertPemB64)
+		keyPEMBlock, err = readFile(cfg.KeyPemFile)
 		if err != nil {
-			return nil, fmt.Errorf("error base64 decode certificate PEM: %w", err)
+			return fmt.Errorf("read TLS key for %s: %w", cfg.KeyPemFile, err)
 		}
-		keyPem, err := base64.StdEncoding.DecodeString(cfg.KeyPemB64)
+	case cfg.CertPemB64 != "" && cfg.KeyPemB64 != "":
+		logger.Trace().Msg("load TLS certificate and key from base64 encoded strings")
+		certPEMBlock, err = base64.StdEncoding.DecodeString(cfg.CertPemB64)
 		if err != nil {
-			return nil, fmt.Errorf("error base64 decode key PEM: %w", err)
+			return fmt.Errorf("error base64 decode certificate PEM: %w", err)
 		}
-		cert, err := tls.X509KeyPair(certPem, keyPem)
+		keyPEMBlock, err = base64.StdEncoding.DecodeString(cfg.KeyPemB64)
 		if err != nil {
-			return nil, fmt.Errorf("error parse certificate/key pair: %w", err)
+			return fmt.Errorf("error base64 decode key PEM: %w", err)
 		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	} else if cfg.CertPem != "" && cfg.KeyPem != "" {
-		cert, err := tls.X509KeyPair([]byte(cfg.CertPem), []byte(cfg.KeyPem))
+	case cfg.CertPem != "" && cfg.KeyPem != "":
+		logger.Trace().Msg("load TLS certificate and key from raw strings")
+		certPEMBlock, keyPEMBlock = []byte(cfg.CertPem), []byte(cfg.KeyPem)
+	default:
+	}
+
+	if len(certPEMBlock) > 0 && len(keyPEMBlock) > 0 {
+		logger.Trace().Msg("create x509 key pair")
+		cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 		if err != nil {
-			return nil, fmt.Errorf("error parse certificate/key pair: %w", err)
+			return fmt.Errorf("error create x509 key pair: %w", err)
 		}
 		tlsConfig.Certificates = []tls.Certificate{cert}
+	} else {
+		logger.Trace().Msg("no cert or key provided, skip loading x509 key pair")
 	}
+	return nil
+}
 
-	if cfg.ServerCAPemFile != "" {
-		caCert, err := readFile(cfg.ServerCAPemFile)
-		if err != nil {
-			return nil, fmt.Errorf("read the root CA certificate for %s: %w", cfg.ServerCAPemFile, err)
-		}
-		caCertPool, err := newCertPoolFromPEM(caCert)
-		if err != nil {
-			return nil, fmt.Errorf("error parse root CA certificate: %w", err)
-		}
-		tlsConfig.RootCAs = caCertPool
-	} else if cfg.ServerCAPemB64 != "" {
-		caCert, err := base64.StdEncoding.DecodeString(cfg.ServerCAPemB64)
-		if err != nil {
-			return nil, fmt.Errorf("error base64 decode root CA PEM: %w", err)
-		}
+// loadServerCA loads the root CA from various sources.
+func loadServerCA(cfg TLSConfig, logger zerolog.Logger, tlsConfig *tls.Config, readFile ReadFileFunc) error {
+	caCert, err := loadPEMBlock(cfg.ServerCAPemFile, cfg.ServerCAPemB64, cfg.ServerCAPem, logger, "server CA", readFile)
+	if err != nil {
+		return fmt.Errorf("error load server CA certificate: %w", err)
+	}
+	if len(caCert) > 0 {
+		logger.Trace().Msg("load server CA certificate")
 		caCertPool, err := newCertPoolFromPEM(caCert)
 		if err != nil {
-			return nil, fmt.Errorf("error parse root CA certificate: %w", err)
-		}
-		tlsConfig.RootCAs = caCertPool
-	} else if cfg.ServerCAPem != "" {
-		caCertPool, err := newCertPoolFromPEM([]byte(cfg.ServerCAPem))
-		if err != nil {
-			return nil, fmt.Errorf("error parse root CA certificate: %w", err)
+			return fmt.Errorf("error create server CA certificate pool: %w", err)
 		}
 		tlsConfig.RootCAs = caCertPool
+	} else {
+		logger.Trace().Msg("no server CA certificate provided")
 	}
+	return nil
+}
 
-	if cfg.ClientCAPemFile != "" {
-		caCert, err := readFile(cfg.ClientCAPemFile)
-		if err != nil {
-			return nil, fmt.Errorf("read the client CA certificate for %s: %w", cfg.ClientCAPemFile, err)
-		}
+// loadClientCA loads the client CA from various sources.
+func loadClientCA(cfg TLSConfig, logger zerolog.Logger, tlsConfig *tls.Config, readFile ReadFileFunc) error {
+	caCert, err := loadPEMBlock(cfg.ClientCAPemFile, cfg.ClientCAPemB64, cfg.ClientCAPem, logger, "client CA", readFile)
+	if err != nil {
+		return err
+	}
+	if len(caCert) > 0 {
+		logger.Trace().Msg("load client CA certificate")
 		caCertPool, err := newCertPoolFromPEM(caCert)
 		if err != nil {
-			return nil, fmt.Errorf("error parse client CA certificate: %w", err)
+			return fmt.Errorf("error create client CA certificate pool: %w", err)
 		}
 		tlsConfig.ClientCAs = caCertPool
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	} else if cfg.ClientCAPemB64 != "" {
-		caCert, err := base64.StdEncoding.DecodeString(cfg.ClientCAPemB64)
-		if err != nil {
-			return nil, fmt.Errorf("error base64 decode client CA PEM: %w", err)
-		}
-		caCertPool, err := newCertPoolFromPEM(caCert)
+	} else {
+		logger.Trace().Msg("no client CA certificate provided")
+	}
+	return nil
+}
+
+// loadPEMBlock attempts to load PEM data from a file, base64 string, or raw string.
+func loadPEMBlock(file, b64, raw string, logger zerolog.Logger, certType string, readFile ReadFileFunc) ([]byte, error) {
+	var pemBlock []byte
+	var err error
+	if file != "" {
+		logger.Trace().Str("file", file).Msg("load PEM block of " + certType + " from file")
+		pemBlock, err = readFile(file)
 		if err != nil {
-			return nil, fmt.Errorf("error parse client CA certificate: %w", err)
+			return nil, fmt.Errorf("read PEM block for %s: %w", file, err)
 		}
-		tlsConfig.ClientCAs = caCertPool
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	} else if cfg.ClientCAPem != "" {
-		caCertPool, err := newCertPoolFromPEM([]byte(cfg.ClientCAPem))
+	} else if b64 != "" {
+		logger.Trace().Msg("load PEM block of " + certType + " from base64 encoded string")
+		pemBlock, err = base64.StdEncoding.DecodeString(b64)
 		if err != nil {
-			return nil, fmt.Errorf("error parse client CA certificate: %w", err)
+			return nil, fmt.Errorf("error base64 decode PEM block: %w", err)
 		}
-		tlsConfig.ClientCAs = caCertPool
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	} else if raw != "" {
+		logger.Trace().Msg("load PEM block of " + certType + " from raw string")
+		pemBlock = []byte(raw)
 	}
-
-	tlsConfig.ServerName = cfg.ServerName
-	tlsConfig.InsecureSkipVerify = cfg.InsecureSkipVerify
-
-	return tlsConfig, nil
+	return pemBlock, nil
 }
 
 // newCertPoolFromPEM returns certificate pool for the given PEM-encoded

internal/consuming/kafka.go

@@ -119,7 +119,7 @@ func (c *KafkaConsumer) initClient() (*kgo.Client, error) {
 		kgo.InstanceID(c.getInstanceID()),
 	}
 	if c.config.TLS.Enabled {
-		tlsConfig, err := c.config.TLS.ToGoTLSConfig()
+		tlsConfig, err := c.config.TLS.ToGoTLSConfig("kafka_" + c.name)
 		if err != nil {
 			return nil, fmt.Errorf("error making TLS configuration: %w", err)
 		}

internal/consuming/postgresql.go

@@ -42,7 +42,7 @@ func NewPostgresConsumer(name string, logger Logger, dispatcher Dispatcher, conf
 		return nil, fmt.Errorf("error parsing postgresql DSN: %w", err)
 	}
 	if config.TLS.Enabled {
-		tlsConfig, err := config.TLS.ToGoTLSConfig()
+		tlsConfig, err := config.TLS.ToGoTLSConfig("postgresql_" + name)
 		if err != nil {
 			return nil, fmt.Errorf("error creating postgresql TLS config: %w", err)
 		}

internal/natsbroker/broker.go

@@ -96,7 +96,7 @@ func (b *NatsBroker) Run(h centrifuge.BrokerEventHandler) error {
 		nats.FlusherTimeout(b.config.WriteTimeout.ToDuration()),
 	}
 	if b.config.TLS.Enabled {
-		tlsConfig, err := b.config.TLS.ToGoTLSConfig()
+		tlsConfig, err := b.config.TLS.ToGoTLSConfig("nats")
 		if err != nil {
 			return fmt.Errorf("error creating TLS config: %w", err)
 		}

internal/proxy/grpc.go

@@ -58,7 +58,7 @@ func getDialOpts(p Config) ([]grpc.DialOption, error) {
 		}))
 	}
 	if p.GRPC.TLS.Enabled {
-		tlsConfig, err := p.GRPC.TLS.ToGoTLSConfig()
+		tlsConfig, err := p.GRPC.TLS.ToGoTLSConfig("proxy_grpc_" + p.Name)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create TLS config %v", err)
 		}

internal/runutil/grpc.go

@@ -37,7 +37,7 @@ func runGRPCAPIServer(cfg config.Config, node *centrifuge.Node, useAPIOpenteleme
 	}
 	var grpcAPITLSConfig *tls.Config
 	if cfg.GrpcAPI.TLS.Enabled {
-		grpcAPITLSConfig, err = cfg.GrpcAPI.TLS.ToGoTLSConfig()
+		grpcAPITLSConfig, err = cfg.GrpcAPI.TLS.ToGoTLSConfig("grpc_api")
 		if err != nil {
 			return nil, fmt.Errorf("error getting TLS config for GRPC API: %v", err)
 		}
@@ -84,7 +84,7 @@ func runGRPCUniServer(cfg config.Config, node *centrifuge.Node) (*grpc.Server, e
 
 	var uniGrpcTLSConfig *tls.Config
 	if cfg.GrpcAPI.TLS.Enabled {
-		uniGrpcTLSConfig, err = cfg.GrpcAPI.TLS.ToGoTLSConfig()
+		uniGrpcTLSConfig, err = cfg.GrpcAPI.TLS.ToGoTLSConfig("uni_grpc")
 		if err != nil {
 			return nil, fmt.Errorf("error getting TLS config for uni GRPC: %v", err)
 		}

internal/runutil/tls.go

@@ -69,7 +69,7 @@ func GetTLSConfig(cfg config.Config) (*tls.Config, error) {
 
 	} else if tlsEnabled {
 		// Autocert disabled - just try to use provided SSL cert and key files.
-		return cfg.TLS.ToGoTLSConfig()
+		return cfg.TLS.ToGoTLSConfig("http_server")
 	}
 
 	return nil, nil