Support TLS parameters

Fixes #65

README-dev.md

@@ -7,7 +7,7 @@
 [![Dependencies Status](https://img.shields.io/badge/Dependencies-Up%20to%20Date-brightgreen?style=for-the-badge&logo=dependabot)][dependabot-pulls]
 [![Semantic Versioning](https://img.shields.io/badge/versioning-semantic-black?style=for-the-badge&logo=semver)][github-releases]
 [![License](https://img.shields.io/github/license/mpapenbr/go-racelogger?color=red&style=for-the-badge)][project-license]
-[![Go v1.22](https://img.shields.io/badge/Go-%20v1.22-black?style=for-the-badge&logo=go)][gomod-file]
+[![Go v1.23](https://img.shields.io/badge/Go-%20v1.23-black?style=for-the-badge&logo=go)][gomod-file]
 
 Racelogger for iRacelog project
 

README.md

@@ -62,6 +62,20 @@ log-format: json
 | log-format | `json`      | Logs are written in JSON format. May also use `text`  |
 | log-file   |             | if present logs are written to this file              |
 
+**Notes about TLS**
+
+In general the backend is running behind a proxy. One job of the proxy is to handle the TLS termination.
+The instances running at iracing-tools.de use a Traefik proxy which is also responsible for providing the Let's encrypt certificates.
+In these cases you don't need to configure any TLS parameters.
+
+In situations where the backend is configured to use additional TLS features you may need to configure the following settings.
+
+| Key      | Info                                 |
+| -------- | ------------------------------------ |
+| tls-ca   | file containing the root certificate |
+| tls-key  | file containing the client key       |
+| tls-cert | file containing the client cert      |
+
 ## Check
 
 Enter the address of the backend server into the `racelogger.yml` file and perform a version check.

cmd/root.go

@@ -50,6 +50,7 @@ func Execute() {
 	}
 }
 
+//nolint:funlen // ok here
 func init() {
 	cobra.OnInitialize(initConfig)
 
@@ -77,6 +78,22 @@ func init() {
 		"log-file",
 		"",
 		"if present logs are written to this file, otherwise to stdout")
+	rootCmd.PersistentFlags().BoolVar(&config.DefaultCliArgs().TLSSkipVerify,
+		"tls-skip-verify",
+		false,
+		"skip verification of server certificate (used for development only)")
+	rootCmd.PersistentFlags().StringVar(&config.DefaultCliArgs().TLSKey,
+		"tls-key",
+		"",
+		"path to TLS key")
+	rootCmd.PersistentFlags().StringVar(&config.DefaultCliArgs().TLSCert,
+		"tls-cert",
+		"",
+		"path to TLS cert")
+	rootCmd.PersistentFlags().StringVar(&config.DefaultCliArgs().TLSCa,
+		"tls-ca",
+		"",
+		"path to TLS root certificate")
 
 	// add commands here
 	// e.g. rootCmd.AddCommand(sampleCmd.NewSampleCmd())

pkg/config/config.go

@@ -14,6 +14,10 @@ var (
 type CliArgs struct {
 	Addr                    string  // ism gRPC address
 	Insecure                bool    // connect to gRPC server without TLS
+	TLSSkipVerify           bool    // skip TLS verification
+	TLSCert                 string  // path to TLS certificate
+	TLSKey                  string  // path to TLS key
+	TLSCa                   string  // path to TLS CA
 	LogLevel                string  // sets the log level (zap log level values)
 	LogFormat               string  // text vs json
 	LogFile                 string  // log file to write to

pkg/util/connection.go

@@ -2,6 +2,9 @@ package util
 
 import (
 	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -10,6 +13,7 @@ import (
 	"github.com/mpapenbr/go-racelogger/pkg/config"
 )
 
+//nolint:nestif // false positive
 func ConnectGrpc(cfg *config.CliArgs) (*grpc.ClientConn, error) {
 	if cfg.Insecure {
 		return grpc.NewClient(cfg.Addr,
@@ -18,6 +22,27 @@ func ConnectGrpc(cfg *config.CliArgs) (*grpc.ClientConn, error) {
 		tlsConfig := &tls.Config{
 			MinVersion: tls.VersionTLS13, // Set the minimum TLS version to TLS 1.3
 		}
+		if cfg.TLSCert != "" && cfg.TLSKey != "" {
+			cert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		if cfg.TLSCa != "" {
+			caCert, err := os.ReadFile(cfg.TLSCa)
+			if err != nil {
+				return nil, err
+			}
+			caCertPool := x509.NewCertPool()
+			if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+				return nil, fmt.Errorf("failed to append server certificate")
+			}
+			tlsConfig.RootCAs = caCertPool
+		}
+		if cfg.TLSSkipVerify {
+			tlsConfig.InsecureSkipVerify = true
+		}
 		return grpc.NewClient(cfg.Addr,
 			grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	}