From b82b5242600c476281304782ffe516f7a5a90b74 Mon Sep 17 00:00:00 2001
From: JulienBalestra
Date: Mon, 27 Aug 2018 19:16:32 +0200
Subject: [PATCH] stream: can use user certificates

Signed-off-by: JulienBalestra
---
 pkg/config/config.go | 4 ++++
 pkg/server/streaming.go | 26 +++++++++++++++++++-------
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6919ce6b8..a5f27f48e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -114,6 +114,10 @@ type PluginConfig struct {
 SystemdCgroup bool `toml:"systemd_cgroup" json:"systemdCgroup"`
 // EnableTLSStreaming indicates to enable the TLS streaming support.
 EnableTLSStreaming bool `toml:"enable_tls_streaming" json:"enableTLSStreaming"`
+ // TLSCertFileStreaming is the path to a certificate file
+ TLSCertFileStreaming string `toml:"tls_cert_file_streaming" json:"tlsCertFileStreaming"`
+ // TLSKeyFileStreaming is the path to a private key file
+ TLSKeyFileStreaming string `toml:"tls_key_file_streaming" json:"tlsKeyFileStreaming"`
 // MaxContainerLogLineSize is the maximum log line size in bytes for a container.
 // Log line longer than the limit will be split into multiple lines. Non-positive
 // value means no limit.
diff --git a/pkg/server/streaming.go b/pkg/server/streaming.go
index 4e103248e..255b7c9a6 100644
--- a/pkg/server/streaming.go
+++ b/pkg/server/streaming.go
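Review bot: The doc comments on the two new fields say only "path to a certificate file" and "path to a private key file" and leave out the contract an operator needs: the pair is honoured only when both fields are set, and otherwise the streaming server falls back to a generated self-signed certificate (per the streaming.go change in this same patch). Suggested wording: `// TLSCertFileStreaming is the path to a PEM-encoded x509 certificate for the streaming server; it is used only together with TLSKeyFileStreaming, otherwise a self-signed certificate is generated.` and `// TLSKeyFileStreaming is the path to the PEM-encoded private key matching TLSCertFileStreaming.` Both new comments also lack the terminating period the surrounding field comments use. The PluginConfig struct begins and ends outside this hunk.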
@@ -44,18 +44,30 @@ func newStreamServer(c *criService, addr, port string) (streaming.Server, error)
 }
 config := streaming.DefaultConfig
 config.Addr = net.JoinHostPort(addr, port)
- runtime := newStreamRuntime(c)
- if c.config.EnableTLSStreaming {
- tlsCert, err := newTLSCert()
+ run := newStreamRuntime(c)
+ if !c.config.EnableTLSStreaming {
+ return streaming.NewServer(config, run)
+ }
+ if c.config.TLSCertFileStreaming != "" && c.config.TLSKeyFileStreaming != "" {
+ tlsCert, err := tls.LoadX509KeyPair(c.config.TLSCertFileStreaming, c.config.TLSKeyFileStreaming)
 if err != nil {
- return nil, errors.Wrap(err, "failed to generate tls certificate for stream server")
+ return nil, errors.Wrap(err, "failed to load x509 key pair for stream server")
 }
 config.TLSConfig = &tls.Config{
- Certificates: []tls.Certificate{tlsCert},
- InsecureSkipVerify: true,
+ Certificates: []tls.Certificate{tlsCert},
 }
+ return streaming.NewServer(config, run)
 }
- return streaming.NewServer(config, runtime)
+ // generating self-sign certs
+ tlsCert, err := newTLSCert()
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to generate tls certificate for stream server")
+ }
+ config.TLSConfig = &tls.Config{
+ Certificates: []tls.Certificate{tlsCert},
+ InsecureSkipVerify: true,
+ }
+ return streaming.NewServer(config, run)
 }
 
 type streamRuntime struct {
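Review bot: Setting only one of `TLSCertFileStreaming` / `TLSKeyFileStreaming` is silently treated as "not configured" by the `&&` check on the new key-pair branch, so a typo in either path drops the streaming server onto a freshly generated self-signed certificate with no error or log line to show the operator's certificate was never used. A guard before that branch makes the misconfiguration fail fast: `if (c.config.TLSCertFileStreaming == "") != (c.config.TLSKeyFileStreaming == "") { return nil, errors.New("tls_cert_file_streaming and tls_key_file_streaming must both be set") }`. Both new `tls.Config` literals also leave `MinVersion` at the Go default (TLS 1.0 in the Go releases of that era), so `MinVersion: tls.VersionTLS12` is worth adding to each; and `InsecureSkipVerify: true` in the self-signed branch only governs a client's verification of its peer, so on this server-side config it has no effect and need not be carried forward. newStreamServer begins above this hunk.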