raft: use file paths for TLS info in the retry_join block

physical/raft/raft.go

@@ -156,7 +156,7 @@ func (b *RaftBackend) JoinConfig() ([]*LeaderJoinInfo, error) {
 		var tlsConfig *tls.Config
 		var err error
 		if len(info.LeaderCACert) != 0 || len(info.LeaderClientCert) != 0 || len(info.LeaderClientKey) != 0 {
-			tlsConfig, err = tlsutil.ClientTLSConfig([]byte(info.LeaderCACert), []byte(info.LeaderClientCert), []byte(info.LeaderClientKey))
+			tlsConfig, err = tlsutil.LoadClientTLSConfig(info.LeaderCACert, info.LeaderClientCert, info.LeaderClientKey)
 			if err != nil {
 				return nil, errwrap.Wrapf(fmt.Sprintf("failed to create tls config to communicate with leader node %q: {{err}}", info.LeaderAPIAddr), err)
 			}

sdk/helper/tlsutil/tlsutil.go

@@ -79,6 +79,8 @@ func GetCipherName(cipher uint16) (string, error) {
 	return "", fmt.Errorf("unsupported cipher %d", cipher)
 }
 
+// ClientTLSConfig parses the CA certificate, and optionally a public/private
+// client certificate key pair. The certificates must be in PEM encoded format.
 func ClientTLSConfig(caCert []byte, clientCert []byte, clientKey []byte) (*tls.Config, error) {
 	var tlsConfig *tls.Config
 	var pool *x509.CertPool
@@ -117,6 +119,55 @@ func ClientTLSConfig(caCert []byte, clientCert []byte, clientKey []byte) (*tls.C
 	return tlsConfig, nil
 }
 
+// LoadClientTLSConfig loads and parse the CA certificate, and optionally a
+// public/private client certificate key pair. The certificates must be in PEM
+// encoded format.
+func LoadClientTLSConfig(caCert, clientCert, clientKey string) (*tls.Config, error) {
+	var tlsConfig *tls.Config
+	var pool *x509.CertPool
+
+	switch {
+	case len(caCert) != 0:
+		// Valid
+	case len(clientCert) != 0 && len(clientKey) != 0:
+		// Valid
+	default:
+		return nil, ErrInvalidCertParams
+	}
+
+	if len(caCert) != 0 {
+		pool = x509.NewCertPool()
+
+		data, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to read CA file: {{err}}", err)
+		}
+
+		if !pool.AppendCertsFromPEM(data) {
+			return nil, fmt.Errorf("failed to parse CA certificate")
+		}
+	}
+
+	tlsConfig = &tls.Config{
+		RootCAs:    pool,
+		ClientAuth: tls.RequireAndVerifyClientCert,
+		MinVersion: tls.VersionTLS12,
+	}
+
+	var cert tls.Certificate
+	var err error
+	if len(clientCert) != 0 && len(clientKey) != 0 {
+		cert, err = tls.LoadX509KeyPair(clientCert, clientKey)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+	tlsConfig.BuildNameToCertificate()
+
+	return tlsConfig, nil
+}
+
 func SetupTLSConfig(conf map[string]string, address string) (*tls.Config, error) {
 	serverName, _, err := net.SplitHostPort(address)
 	switch {