mtls-cli

Using with logcli

Open daurnimator opened this issue 5 years ago • 2 comments

How can I use logcli to access a loki instance behind mtls?

Loki supports the env vars:

  • LOKI_CA_CERT_PATH
  • LOKI_CLIENT_CERT_PATH
  • LOKI_CLIENT_KEY_PATH

So the right wrapper/alias should work?

Aug 18 '20 07:08 daurnimator

All of the necessary things live in $XDG_CONFIG_HOME/mtls.

Your key can be found at $XDG_CONFIG_HOME/mtls/$USER.key.gpg (which you would need to decrypt of course). Then the Client and Root certificate can be found at $XDG_CONFIG_HOME/mtls/<server-name>/<server-name>.pem and $XDG_CONFIG_HOME/mtls/<server-name>/<server-name>_Root_CA.pem.

Your key is encrypted to your PGP key mostly for safety reasons.

An mtls proxy command could be added as a separate option, but you wouldn't be able to wrap another command and keep the key only decrypted in memory, to my knowledge.

Oct 17 '20 07:10 drGrove

I'd love a subcommand e.g. mtls run logcli that would

  • create a temporary directory that isn't on the file system (e.g. create a directory; then rm -rf it while keeping an open handle to the directory)
  • place the key, cert and ca cert into the temporary directory; keep open file handles to them
  • run the configured logcli command from the config file, which might be e.g.:

    #!/bin/sh
    # fds 3, 4 and 5 are the key, cert and CA cert handles kept open by the parent
    export LOKI_CLIENT_KEY_PATH=/dev/fd/3
    export LOKI_CLIENT_CERT_PATH=/dev/fd/4
    export LOKI_CA_CERT_PATH=/dev/fd/5
    exec logcli "$@"

Oct 17 '20 08:10 daurnimator
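
A sketch of the wrapper behaviour proposed in the last comment, as an added example that is not part of the thread or of mtls-cli's code. The function name `run_with_credentials` and the placeholder PEM bytes are hypothetical, and the key is assumed to have been decrypted into memory by the caller already.

```python
import os
import subprocess
import sys
import tempfile

# Environment variable names as listed in the thread.
ENV_VARS = ("LOKI_CLIENT_KEY_PATH", "LOKI_CLIENT_CERT_PATH", "LOKI_CA_CERT_PATH")


def run_with_credentials(argv, key_pem, cert_pem, ca_pem, **run_kwargs):
    """Run argv with the key, cert and CA cert reachable only via inherited fds.

    Hypothetical helper: the three arguments are PEM bytes already held in
    memory. Returns the subprocess.CompletedProcess of the wrapped command.
    """
    env = dict(os.environ)
    handles = []
    try:
        for name, blob in zip(ENV_VARS, (key_pem, cert_pem, ca_pem)):
            # On POSIX, TemporaryFile has no directory entry: the data is
            # reachable only through the open handle, never through a path.
            fh = tempfile.TemporaryFile()
            fh.write(blob)
            fh.flush()
            fh.seek(0)  # some systems share the file offset via /dev/fd
            handles.append(fh)
            env[name] = f"/dev/fd/{fh.fileno()}"
        # pass_fds keeps these descriptors open, with the same numbers, in
        # the child; every other descriptor above 2 is closed.
        return subprocess.run(
            argv, env=env, pass_fds=[h.fileno() for h in handles], **run_kwargs
        )
    finally:
        # Closing the last handle frees the storage; no cleanup of paths needed.
        for fh in handles:
            fh.close()


if __name__ == "__main__":
    # Constructed placeholders, not real credentials.
    key, cert, ca = b"<decrypted key>\n", b"<client cert>\n", b"<root CA>\n"
    # Stand-in for the wrapped command: print where it was told to look.
    child = [sys.executable, "-c",
             "import os; print(os.environ['LOKI_CLIENT_KEY_PATH'])"]
    sys.exit(run_with_credentials(child, key, cert, ca).returncode)
```

The unlinked files still live on whatever file system backs the temporary directory, so pointing it at a tmpfs keeps the decrypted key off persistent storage.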