From 137fb515fbd6876ea31cfde541c62c123efc6a7e Mon Sep 17 00:00:00 2001
From: tim
Date: Thu, 19 Nov 2020 15:07:46 -0800
Subject: [PATCH] feat(tunnel): add TUNNEL_ORIGIN_CERT_CONTENT env

This PR adds support for specifying the origin certificate content as an environment variable. This is useful when deploying cloudflared in environments where writing a file is not possible, ex: Heroku

The cert must be base64 encoded.
---
 cmd/cloudflared/tunnel/configuration.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
index fb57abb7..8fbe4219 100644
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@@ -2,6 +2,7 @@ package tunnel
 
 import (
 	"crypto/tls"
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -35,6 +36,11 @@ var (
 	argumentsUrl = developerPortal + "/reference/arguments/"
 )
 
+const (
+	// name of the environment variable that contains the base64 encoded origin cert
+	encodedOriginCert = "TUNNEL_ORIGIN_CERT_CONTENT"
+)
+
 // returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
 // contains a cert.pem file, return empty string
 func findDefaultOriginCertPath() string {
@@ -95,7 +101,7 @@ func dnsProxyStandAlone(c *cli.Context) bool {
 
 func findOriginCert(c *cli.Context, logger logger.Service) (string, error) {
 	originCertPath := c.String("origincert")
-	if originCertPath == "" {
+	if originCertPath == "" && os.Getenv(encodedOriginCert) == "" {
 		logger.Infof("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigSearchDirectories())
 		if isRunningFromTerminal() {
 			logger.Errorf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
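Review bot: `encodedOriginCert` holds the name of an environment variable, not the certificate, so at its two use sites in findOriginCert and getOriginCert the identifier reads as if it were the cert bytes. A name such as `encodedOriginCertEnv`, or at least a doc comment that starts with the identifier, `// encodedOriginCert is the environment variable holding the base64-encoded origin cert.`, would remove the ambiguity. This is a naming point only; the value itself is fine.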
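Review bot: The Errorf on the last line of the hunk still tells the user to use `--origincert` or `TUNNEL_ORIGIN_CERT` only, so the new `TUNNEL_ORIGIN_CERT_CONTENT` route is not discoverable from the error that is shown precisely when no cert source was found; extend it, e.g. `... or set the TUNNEL_ORIGIN_CERT or TUNNEL_ORIGIN_CERT_CONTENT environment variable. See %s for more information.`. Separately, getOriginCert returns before calling findOriginCert whenever the variable is set, so the added `&& os.Getenv(encodedOriginCert) == ""` only has an effect if findOriginCert has another caller; if it does, the function then proceeds with an empty originCertPath into code below the hunk, which should be checked, and if it does not, a short comment on why the check is repeated here would help the next reader. findOriginCert's body continues outside the hunk.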
@@ -146,6 +152,11 @@ func readOriginCert(originCertPath string, logger logger.Service) ([]byte, error
 }
 
 func getOriginCert(c *cli.Context, logger logger.Service) ([]byte, error) {
+	// check if cert is present as a base64 encoded ENV
+	certContent := os.Getenv(encodedOriginCert)
+	if certContent != "" {
+		return base64.StdEncoding.DecodeString(certContent)
+	}
 	if originCertPath, err := findOriginCert(c, logger); err != nil {
 		return nil, err
 	} else {
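Review bot: The error from `base64.StdEncoding.DecodeString(certContent)` is returned unwrapped, so a malformed value surfaces as a bare `illegal base64 data at input byte N` with nothing pointing the operator at `TUNNEL_ORIGIN_CERT_CONTENT`; wrapping it with the variable name, as in the rewrite below, makes the failure actionable. Note also that StdEncoding rejects embedded newlines, so a value produced by a line-wrapping base64 tool will fail to decode — either strip whitespace before decoding or document that the value must be a single unwrapped line. Unlike the path-based route, the decoded bytes are returned without passing through readOriginCert, so any validation or logging done there is skipped for this source; confirm that is intended. getOriginCert's body continues outside the hunk.
```go
	certContent := os.Getenv(encodedOriginCert)
	if certContent != "" {
		cert, err := base64.StdEncoding.DecodeString(certContent)
		if err != nil {
			return nil, fmt.Errorf("decoding %s: %w", encodedOriginCert, err)
		}
		return cert, nil
	}
	// … unchanged: findOriginCert lookup and file-based read …
```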