go: add bazel buildfiles, implement leasifier
diff --git a/go/pki/BUILD.bazel b/go/pki/BUILD.bazel
new file mode 100644
index 0000000..0d3544f
--- /dev/null
+++ b/go/pki/BUILD.bazel
@@ -0,0 +1,17 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["grpc.go"],
+ importpath = "code.hackerspace.pl/hscloud/go/pki",
+ visibility = ["//visibility:public"],
+ deps = [
+ "@com_github_golang_glog//:go_default_library",
+ "@org_golang_google_grpc//:go_default_library",
+ "@org_golang_google_grpc//codes:go_default_library",
+ "@org_golang_google_grpc//credentials:go_default_library",
+ "@org_golang_google_grpc//peer:go_default_library",
+ "@org_golang_google_grpc//status:go_default_library",
+ "@org_golang_x_net//trace:go_default_library",
+ ],
+)
diff --git a/go/pki/grpc.go b/go/pki/grpc.go
index f014a34..6d8f173 100644
--- a/go/pki/grpc.go
+++ b/go/pki/grpc.go
@@ -37,6 +37,7 @@
flagCertificatePath string
flagKeyPath string
flagPKIRealm string
+ flagPKIDisable bool
// Enable logging HSPKI info into traces
Trace = true
@@ -53,6 +54,7 @@
flag.StringVar(&flagCertificatePath, "hspki_tls_certificate_path", "pki/service.pem", "Path to PKI service certificate")
flag.StringVar(&flagKeyPath, "hspki_tls_key_path", "pki/service-key.pem", "Path to PKI service private key")
flag.StringVar(&flagPKIRealm, "hspki_realm", "svc.cluster.local", "PKI realm")
+ flag.BoolVar(&flagPKIDisable, "hspki_disable", false, "Disable PKI entirely (insecure!)")
}
func maybeTrace(ctx context.Context, f string, args ...interface{}) {
@@ -168,6 +170,10 @@
if !flag.Parsed() {
glog.Exitf("WithServerHSPKI called before flag.Parse!")
}
+ if flagPKIDisable {
+ return []grpc.ServerOption{}
+ }
+
serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
if err != nil {
glog.Exitf("WithServerHSPKI: cannot load service certificate/key: %v", err)
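Review bot: The new early return for `flagPKIDisable` makes the server serve plaintext gRPC with no transport security and no client identity, and nothing in the hunk records that this happened at runtime; an operator who left `-hspki_disable` set in a deployment would get a silently unauthenticated service. Before the return, log it loudly, e.g. `glog.Warningf("WithServerHSPKI: PKI disabled by -hspki_disable, serving without TLS or client authentication")`, so it shows up in the service logs rather than only in a flag listing. Any server code that later reads the caller's identity from the TLS peer (this package imports `peer` and `credentials`, so presumably something does) will now see no TLS info at all and must tolerate that — worth a comment on the return stating that contract. WithServerHSPKI's body continues outside the hunk.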
@@ -194,6 +200,13 @@
}
func WithClientHSPKI() grpc.DialOption {
+ if !flag.Parsed() {
+ glog.Exitf("WithServerHSPKI called before flag.Parse!")
+ }
+ if flagPKIDisable {
+ return grpc.WithInsecure()
+ }
+
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(flagCAPath)
if err != nil {
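Review bot: The added flag.Parsed() guard in WithClientHSPKI reports the wrong function: `glog.Exitf("WithServerHSPKI called before flag.Parse!")` was copied from the server path and should read `glog.Exitf("WithClientHSPKI called before flag.Parse!")`, otherwise the exit message points a reader at the wrong call site. The `grpc.WithInsecure()` return also deserves the same treatment as the server side — a warning line such as `glog.Warningf("WithClientHSPKI: PKI disabled by -hspki_disable, dialing without TLS")` before returning — since a client dialing in the clear will not verify the server it talks to. WithClientHSPKI's body continues outside the hunk.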