Install CA in clients

Author: jsoriano

internal/certs/pool.go

@@ -0,0 +1,37 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package certs
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+)
+
+func SystemPoolWithCACertificate(path string) (*x509.CertPool, error) {
+	d, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, _ := pem.Decode(d)
+	if cert == nil || cert.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("no certificate found in %q", path)
+	}
+
+	ca, err := x509.ParseCertificate(cert.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parsing certificate found in %q: %w", path, err)
+	}
+
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("initializing root certificate pool: %w", path, err)
+	}
+	pool.AddCert(ca)
+
+	return pool, nil
+}

internal/elasticsearch/client.go

@@ -6,6 +6,7 @@ package elasticsearch
 
 import (
 	"crypto/tls"
+	"fmt"
 	"net/http"
 	"os"
 
@@ -14,6 +15,7 @@ import (
 	"github.com/elastic/go-elasticsearch/v7"
 	"github.com/elastic/go-elasticsearch/v7/esapi"
 
+	"github.com/elastic/elastic-package/internal/certs"
 	"github.com/elastic/elastic-package/internal/stack"
 )
 
@@ -32,16 +34,20 @@ type clientOptions struct {
 	username string
 	password string
 
+	// certificateAuthority is the certificate to validate the server certificate.
+	certificateAuthority string
+
 	// skipTLSVerify disables TLS validation.
 	skipTLSVerify bool
 }
 
 // defaultOptionsFromEnv returns clientOptions initialized with values from environmet variables.
 func defaultOptionsFromEnv() clientOptions {
 	return clientOptions{
-		address:  os.Getenv(stack.ElasticsearchHostEnv),
-		username: os.Getenv(stack.ElasticsearchUsernameEnv),
-		password: os.Getenv(stack.ElasticsearchPasswordEnv),
+		address:              os.Getenv(stack.ElasticsearchHostEnv),
+		username:             os.Getenv(stack.ElasticsearchUsernameEnv),
+		password:             os.Getenv(stack.ElasticsearchPasswordEnv),
+		certificateAuthority: os.Getenv(stack.CACertificateEnv),
 	}
 }
 
@@ -54,6 +60,13 @@ func OptionWithAddress(address string) ClientOption {
 	}
 }
 
+// OptionWithCertificateAuthority sets the certificate authority to be used by the client.
+func OptionWithCertificateAuthority(certificateAuthority string) ClientOption {
+	return func(opts *clientOptions) {
+		opts.certificateAuthority = certificateAuthority
+	}
+}
+
 // OptionWithSkipTLSVerify disables TLS validation.
 func OptionWithSkipTLSVerify() ClientOption {
 	return func(opts *clientOptions) {
@@ -81,6 +94,14 @@ func Client(customOptions ...ClientOption) (*elasticsearch.Client, error) {
 		config.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
+	} else if options.certificateAuthority != "" {
+		rootCAs, err := certs.SystemPoolWithCACertificate(options.certificateAuthority)
+		if err != nil {
+			return nil, fmt.Errorf("reading CA certificate: %w", err)
+		}
+		config.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: rootCAs},
+		}
 	}
 
 	client, err := elasticsearch.NewClient(config)

internal/kibana/client.go

@@ -7,13 +7,15 @@ package kibana
 import (
 	"bytes"
 	"crypto/tls"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 
 	"github.com/pkg/errors"
 
+	"github.com/elastic/elastic-package/internal/certs"
 	"github.com/elastic/elastic-package/internal/install"
 	"github.com/elastic/elastic-package/internal/logger"
 	"github.com/elastic/elastic-package/internal/stack"
@@ -25,7 +27,8 @@ type Client struct {
 	username string
 	password string
 
-	tlSkipVerify bool
+	certificateAuthority string
+	tlSkipVerify         bool
 }
 
 // ClientOption is functional option modifying Kibana client.
@@ -40,11 +43,13 @@ func NewClient(opts ...ClientOption) (*Client, error) {
 
 	username := os.Getenv(stack.ElasticsearchUsernameEnv)
 	password := os.Getenv(stack.ElasticsearchPasswordEnv)
+	certificateAuthority := os.Getenv(stack.CACertificateEnv)
 
 	c := &Client{
-		host:     host,
-		username: username,
-		password: password,
+		host:                 host,
+		username:             username,
+		password:             password,
+		certificateAuthority: certificateAuthority,
 	}
 
 	for _, opt := range opts {
@@ -60,6 +65,13 @@ func TLSSkipVerify() ClientOption {
 	}
 }
 
+// CertificateAuthority sets the certificate authority to be used by the client.
+func CertificateAuthority(certificateAuthority string) ClientOption {
+	return func(c *Client) {
+		c.certificateAuthority = certificateAuthority
+	}
+}
+
 func (c *Client) get(resourcePath string) (int, []byte, error) {
 	return c.sendRequest(http.MethodGet, resourcePath, nil)
 }
@@ -106,6 +118,14 @@ func (c *Client) sendRequest(method, resourcePath string, body []byte) (int, []b
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
+	} else if c.certificateAuthority != "" {
+		rootCAs, err := certs.SystemPoolWithCACertificate(c.certificateAuthority)
+		if err != nil {
+			return 0, nil, fmt.Errorf("reading CA certificate: %w", err)
+		}
+		client.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: rootCAs},
+		}
 	}
 
 	resp, err := client.Do(req)