added support for Consul TLS transport

config/config.go

@@ -151,6 +151,7 @@ type Consul struct {
 	CheckDeregisterCriticalServiceAfter string
 	ChecksRequired                      string
 	ServiceMonitors                     int
+	TLS                                 ConsulTlS
 }
 
 type Tracing struct {
@@ -173,3 +174,11 @@ type BasicAuth struct {
 	Realm string
 	File  string
 }
+
+type ConsulTlS struct {
+	KeyFile            string
+	CertFile           string
+	CAFile             string
+	CAPath             string
+	InsecureSkipVerify bool
+}

config/load.go

@@ -172,6 +172,11 @@ func load(cmdline, environ, envprefix []string, props *properties.Properties) (c
 	f.StringVar(&cfg.Registry.Consul.KVPath, "registry.consul.kvpath", defaultConfig.Registry.Consul.KVPath, "consul KV path for manual overrides")
 	f.StringVar(&cfg.Registry.Consul.NoRouteHTMLPath, "registry.consul.noroutehtmlpath", defaultConfig.Registry.Consul.NoRouteHTMLPath, "consul KV path for HTML returned when no route is found")
 	f.StringVar(&cfg.Registry.Consul.TagPrefix, "registry.consul.tagprefix", defaultConfig.Registry.Consul.TagPrefix, "prefix for consul tags")
+	f.StringVar(&cfg.Registry.Consul.TLS.KeyFile, "registry.consul.tls.keyfile", defaultConfig.Registry.Consul.TLS.KeyFile, "path to consul key file")
+	f.StringVar(&cfg.Registry.Consul.TLS.CertFile, "registry.consul.tls.certfile", defaultConfig.Registry.Consul.TLS.CertFile, "path to consul cert file")
+	f.StringVar(&cfg.Registry.Consul.TLS.CAFile, "registry.consul.tls.cafile", defaultConfig.Registry.Consul.TLS.CAFile, "path to consul CA file")
+	f.StringVar(&cfg.Registry.Consul.TLS.CAPath, "registry.consul.tls.capath", defaultConfig.Registry.Consul.TLS.CAPath, "path to consul CA directory")
+	f.BoolVar(&cfg.Registry.Consul.TLS.InsecureSkipVerify, "registry.consul.tls.insecureskipverify", defaultConfig.Registry.Consul.TLS.InsecureSkipVerify, "is tls check enabled")
 	f.BoolVar(&cfg.Registry.Consul.Register, "registry.consul.register.enabled", defaultConfig.Registry.Consul.Register, "register fabio in consul")
 	f.StringVar(&cfg.Registry.Consul.ServiceAddr, "registry.consul.register.addr", defaultConfig.Registry.Consul.ServiceAddr, "service registration address")
 	f.StringVar(&cfg.Registry.Consul.ServiceName, "registry.consul.register.name", defaultConfig.Registry.Consul.ServiceName, "service registration name")

fabio.properties

@@ -657,6 +657,54 @@
 # registry.consul.token =
 
 
+# registry.consul.tls.keyfile the path to the TLS certificate private key used for Consul communication.
+#
+# This is the full path to the TLS private key while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.keyfile =
+
+# registry.consul.tls.certfile the path to the TLS certificate used for Consul communication.
+#
+# This is the full path to the TLS certificate while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.certfile =
+
+
+# registry.consul.tls.cafile the path to the ca certificate used for Consul communication.
+#
+# This is the full path to the CA certificate while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.cafile =
+
+# registry.consul.tls.capath the path to the folder containing CA certificates.
+#
+# This is the full path to the folder with CA certificates while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.capath =
+
+
+# registry.consul.tls.insecureskipverify enable SSL verification with Consul.
+#
+# registry.consul.tls.insecureskipverify enables or disables SSL verification while using TLS transport to
+# communicate with Consul
+#
+# The default is
+#
+# registry.consul.tls.insecureskipverify = false
+
+
 # registry.consul.kvpath configures the KV path for manual routes.
 #
 # The consul KV path is watched for changes which get appended to

registry/consul/backend.go

@@ -19,8 +19,18 @@ type be struct {
 }
 
 func NewBackend(cfg *config.Consul) (registry.Backend, error) {
+
+	consulCfg := &api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token}
+	if cfg.Scheme == "https" {
+		consulCfg.TLSConfig.KeyFile = cfg.TLS.KeyFile
+		consulCfg.TLSConfig.CertFile = cfg.TLS.CertFile
+		consulCfg.TLSConfig.CAFile = cfg.TLS.CAFile
+		consulCfg.TLSConfig.CAPath = cfg.TLS.CAPath
+		consulCfg.TLSConfig.InsecureSkipVerify = cfg.TLS.InsecureSkipVerify
+	}
+
 	// create a reusable client
-	c, err := api.NewClient(&api.Config{Address: cfg.Addr, Scheme: cfg.Scheme, Token: cfg.Token})
+	c, err := api.NewClient(consulCfg)
 	if err != nil {
 		return nil, err
 	}