feat: Client TLS Identification (#176)

Unleash · May 4, 2023 · 9f01316 · 9f01316
1 parent b238521
commit 9f01316
Show file tree

Hide file tree

Showing 42 changed files with 1,231 additions and 42 deletions.
diff --git a/.github/workflows/build-docker-release.yaml b/.github/workflows/build-docker-release.yaml
@@ -13,6 +13,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  packages: write
 
 jobs:
   dockerpublish:

diff --git a/.github/workflows/build-main-docker-tag.yaml b/.github/workflows/build-main-docker-tag.yaml
@@ -13,6 +13,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  packages: write
 
 jobs:
   dockerpublish:

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cross.toml b/Cross.toml
@@ -0,0 +1,4 @@
+[target.x86_64-unknown-linux-gnu]
+dockerfile = "Dockerfile.cross.x86_64"
+[target.aarch64-unknown-linux-gnu]
+dockerfile = "Dockerfile.cross.aarch64"
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/cc
+FROM gcr.io/distroless/cc-debian11
 
 COPY target/aarch64-unknown-linux-gnu/release/unleash-edge /unleash-edge
 ENTRYPOINT ["/unleash-edge"]
diff --git a/Dockerfile.cross.aarch64 b/Dockerfile.cross.aarch64
@@ -0,0 +1,3 @@
+FROM ghcr.io/cross-rs/aarch64-unknown-linux-gnu:edge
+RUN dpkg --add-architecture arm64
+RUN apt-get update && apt-get install --assume-yes libssl-dev:arm64
diff --git a/Dockerfile.cross.x86_64 b/Dockerfile.cross.x86_64
@@ -0,0 +1,2 @@
+FROM ghcr.io/cross-rs/x86_64-unknown-linux-gnu:edge
+RUN apt-get update && apt-get install --assume-yes libssl-dev
diff --git a/Dockerfile.dockerbuild b/Dockerfile.dockerbuild
diff --git a/Dockerfile.publish b/Dockerfile.publish
@@ -1,8 +1,8 @@
 # FINAL arch images
-FROM --platform=amd64 gcr.io/distroless/cc as final-amd64
+FROM --platform=amd64 gcr.io/distroless/cc-debian11 as final-amd64
 COPY target/x86_64-unknown-linux-gnu/release/unleash-edge /unleash-edge
 
-FROM --platform=arm64 gcr.io/distroless/cc as final-arm64
+FROM --platform=arm64 gcr.io/distroless/cc-debian11 as final-arm64
 COPY target/aarch64-unknown-linux-gnu/release/unleash-edge /unleash-edge
 
 # Final image

diff --git a/README.md b/README.md
@@ -154,6 +154,19 @@ Options:
           Get data for these client tokens at startup. Hot starts your feature cache [env: TOKENS=]
   -H, --custom-client-headers <CUSTOM_CLIENT_HEADERS>
           Expects curl header format (-H <HEADERNAME>: <HEADERVALUE>) for instance `-H X-Api-Key: mysecretapikey` [env: CUSTOM_CLIENT_HEADERS=]
+  -s, --skip-ssl-verification
+          If set to true, we will skip SSL verification when connecting to the upstream Unleash server [env: SKIP_SSL_VERIFICATION=]
+      --pkcs8-client-certificate-file <PKCS8_CLIENT_CERTIFICATE_FILE>
+          Client certificate chain in PEM encoded X509 format with the leaf certificate first. The certificate chain should contain any intermediate certificates that should be sent to clients to allow them to build a chain to a trusted root [env: PKCS8_CLIENT_CERTIFICATE_FILE=]
+      --pkcs8-client-key-file <PKCS8_CLIENT_KEY_FILE>
+          Client key is a PEM encoded PKCS#8 formatted private key for the leaf certificate [env: PKCS8_CLIENT_KEY_FILE=]
+      --pkcs12-identity-file <PKCS12_IDENTITY_FILE>
+          Identity file in pkcs12 format. Typically this file has a pfx extension [env: PKCS12_IDENTITY_FILE=]
+      --pkcs12-passphrase <PKCS12_PASSPHRASE>
+          Passphrase used to unlock the pkcs12 file [env: PKCS12_PASSPHRASE=]
+      --upstream-certificate-file <UPSTREAM_CERTIFICATE_FILE>
+          Extra certificate passed to the client for building its trust chain. Needs to be in PEM format (crt or pem extensions usually are) [env: UPSTREAM_CERTIFICATE_FILE=]
+
   -h, --help
           Print help
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		FROM ghcr.io/cross-rs/x86_64-unknown-linux-gnu:edge
		RUN apt-get update && apt-get install --assume-yes libssl-dev