go: add bazel buildfiles, implement leasifier
diff --git a/go/pki/grpc.go b/go/pki/grpc.go
index f014a34..6d8f173 100644
--- a/go/pki/grpc.go
+++ b/go/pki/grpc.go
@@ -37,6 +37,7 @@
flagCertificatePath string
flagKeyPath string
flagPKIRealm string
+ flagPKIDisable bool
// Enable logging HSPKI info into traces
Trace = true
@@ -53,6 +54,7 @@
flag.StringVar(&flagCertificatePath, "hspki_tls_certificate_path", "pki/service.pem", "Path to PKI service certificate")
flag.StringVar(&flagKeyPath, "hspki_tls_key_path", "pki/service-key.pem", "Path to PKI service private key")
flag.StringVar(&flagPKIRealm, "hspki_realm", "svc.cluster.local", "PKI realm")
+ flag.BoolVar(&flagPKIDisable, "hspki_disable", false, "Disable PKI entirely (insecure!)")
}
func maybeTrace(ctx context.Context, f string, args ...interface{}) {
@@ -168,6 +170,10 @@
if !flag.Parsed() {
glog.Exitf("WithServerHSPKI called before flag.Parse!")
}
+ if flagPKIDisable {
+ return []grpc.ServerOption{}
+ }
+
serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
if err != nil {
glog.Exitf("WithServerHSPKI: cannot load service certificate/key: %v", err)
@@ -194,6 +200,13 @@
}
func WithClientHSPKI() grpc.DialOption {
+ if !flag.Parsed() {
+ glog.Exitf("WithServerHSPKI called before flag.Parse!")
+ }
+ if flagPKIDisable {
+ return grpc.WithInsecure()
+ }
+
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(flagCAPath)
if err != nil {