Allow specifying custom CA cert and insecure TLS connection

README.md

@@ -20,6 +20,11 @@ Flags:
 * The private key corresponding to the public key, used to create a compute instance, is required
 * Only RSA PKCS #1 v1.5 is supported by OpenStack
 
+## TLS options
+
+* `OS_CACERT` - environment variable with a path to custom CA certificate.
+* `OS_INSECURE` - skip endpoint TLS certificate validation. Set to `true` **only if you are otherwise convinced of the OpenStack endpoint's authenticity**.
+
 ## Windows
 
 ```sh

go.mod

@@ -1,16 +1,14 @@
-module github.wdf.sap.corp/cc/nova-password
+module github.com/sapcc/nova-password
 
-go 1.12
+go 1.14
 
 require (
-	github.com/google/uuid v1.1.1
-	github.com/gophercloud/gophercloud v0.6.1-0.20191019020556-0907b320e0ac
-	github.com/gophercloud/utils v0.0.0-20191020172814-bd86af96d544
-	github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/google/uuid v1.1.2-0.20190416172445-c2e93f3ae59f
+	github.com/gophercloud/gophercloud v0.8.1-0.20200306172827-d936e6876d28
+	github.com/gophercloud/utils v0.0.0-20200302155035-0565566533e4
+	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
 	github.com/kayrus/putty v0.0.0-20190531171731-550ff2bc782c
-	github.com/sapcc/cloud-env v0.0.0-20190605131219-0ee79abc7af8
-	github.com/spf13/cobra v0.0.3
-	github.com/spf13/viper v1.4.0
-	golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f
+	github.com/spf13/cobra v0.0.7-0.20200228181340-95f2f73ed97e
+	github.com/spf13/viper v1.6.3-0.20200219234104-97ee7adfef48
+	golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073
 )

main.go

@@ -2,22 +2,26 @@ package main
 
 import (
 	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"os/user"
 	"path/filepath"
+	"strings"
 
 	"github.com/google/uuid"
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
 	"github.com/gophercloud/gophercloud/openstack/compute/v2/servers"
 	"github.com/gophercloud/utils/client"
+	"github.com/gophercloud/utils/env"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/howeyc/gopass"
 	"github.com/kayrus/putty"
-	env "github.com/sapcc/cloud-env"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/crypto/ssh"
@@ -181,10 +185,30 @@ func newComputeV2() (*gophercloud.ServiceClient, error) {
 		return nil, err
 	}
 
+	config := &tls.Config{}
+	if v := os.Getenv("OS_INSECURE"); v != "" {
+		config.InsecureSkipVerify = strings.ToLower(v) == "true"
+	}
+
+	if v := os.Getenv("OS_CACERT"); v != "" {
+		caCert, err := ioutil.ReadFile(v)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read %q CA certificate: %s", v, err)
+		}
+		caPool := x509.NewCertPool()
+		ok := caPool.AppendCertsFromPEM([]byte(caCert))
+		if !ok {
+			return nil, fmt.Errorf("failed to parse %q CA certificate", v)
+		}
+		config.RootCAs = caPool
+	}
+
+	provider.HTTPClient.Transport = &http.Transport{TLSClientConfig: config}
+
 	if viper.GetBool("debug") {
 		provider.HTTPClient = http.Client{
 			Transport: &client.RoundTripper{
-				Rt:     &http.Transport{},
+				Rt:     provider.HTTPClient.Transport,
 				Logger: &client.DefaultLogger{},
 			},
 		}
@@ -307,7 +331,7 @@ func readKey(path string) ([]byte, error) {
 }
 
 func getKeyPass(quiet bool) ([]byte, error) {
-	pass := env.Get("NOVA_PASSWORD_KEY_PASSWORD")
+	pass := env.Getenv("NOVA_PASSWORD_KEY_PASSWORD")
 
 	if pass == "" {
 		if quiet == true {