Using with logcli - Githubissues

daurnimator commented 4 years ago

How can I use logcli to access a loki instance behind mtls?

Loki supports the env vars:

LOKI_CA_CERT_PATH
LOKI_CLIENT_CERT_PATH
LOKI_CLIENT_KEY_PATH

So the right wrapper/alias should work?

drGrove commented 4 years ago

All of the necessary things live in the $XDG_CONFIG_HOME/mtls.

Your key can be found at $XDG_CONFIG_HOME/mtls/$USER.key.gpg (which you would need to decrypt of course). Then the Client and Root certificate can be found at $XDG_CONFIG_HOME/mtls/<server-name>/<server-name>.pem and $XDG_CONFIG_HOME/mtls/<server-name>/<server-name>_Root_CA.pem.

Your key is encrypted to your PGP key mostly for safety reasons.

A mtls proxy command could be added as a separate option, but you wouldn't be able to wrap another command and keep the key old decrypted in memory to my knowledge

daurnimator commented 4 years ago

I'd love a subcommand e.g. mtls run logcli that would

create a temporary directory that isn't on the file system (e.g. create a directory; then rm -rf it while keeping an open handle to the directory)
place the key, cert and ca cert into the temporary directory; keep open file handles to them

run the configured logcli command from the config file, which might be e.g.:

#!/bin/sh
export LOKI_CLIENT_KEY_PATH=/dev/fd/3
export LOKI_CLIENT_CERT_PATH=/dev/fd/4
export LOKI_CA_CERT_PATH=/dev/fd/5
exec logcli "$@"

drGrove / mtls-cli

Using with logcli #38