Support reading Raft TLS flags from file

CHANGELOG.md

@@ -10,6 +10,7 @@ CHANGES:
 
 IMPROVEMENTS:
 
+* cli: Support reading TLS parameters from file for the `vault operator raft join` command. [[GH-9060](https://github.com/hashicorp/vault/pull/9060)]
 * plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin reload`, 
   for reloading plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)]
 * sdk/framework: Support accepting TypeFloat parameters over the API [[GH-8923](https://github.com/hashicorp/vault/pull/8923)]

command/operator_raft_join.go

@@ -2,8 +2,10 @@ package command
 
 import (
 	"fmt"
+	"io/ioutil"
 	"strings"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/api"
 	"github.com/mitchellh/cli"
 	"github.com/posener/complete"
@@ -32,7 +34,15 @@ Usage: vault operator raft join [options] <leader-api-addr>
   Join the current node as a peer to the Raft cluster by providing the address
   of the Raft leader node.
 
-	  $ vault operator raft join "http://127.0.0.2:8200"
+      $ vault operator raft join "http://127.0.0.2:8200"
+
+  TLS certificate data can also be consumed from a file on disk by prefixing with
+  the "@" symbol. For example:
+
+      $ vault operator raft join "http://127.0.0.2:8200" \
+        -leader-ca-cert=@leader_ca.crt \
+        -leader-client-cert=@leader_client.crt \
+        -leader-client-key=@leader.key
 
 ` + c.Flags().Help()
 
@@ -114,6 +124,24 @@ func (c *OperatorRaftJoinCommand) Run(args []string) int {
 		return 1
 	}
 
+	leaderCACert, err := parseArg(c.flagLeaderCACert)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader CA certificate: %s", err))
+		return 1
+	}
+
+	leaderClientCert, err := parseArg(c.flagLeaderClientCert)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader client certificate: %s", err))
+		return 1
+	}
+
+	leaderClientKey, err := parseArg(c.flagLeaderClientKey)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse leader client key: %s", err))
+		return 1
+	}
+
 	client, err := c.Client()
 	if err != nil {
 		c.UI.Error(err.Error())
@@ -122,9 +150,9 @@ func (c *OperatorRaftJoinCommand) Run(args []string) int {
 
 	resp, err := client.Sys().RaftJoin(&api.RaftJoinRequest{
 		LeaderAPIAddr:    leaderAPIAddr,
-		LeaderCACert:     c.flagLeaderCACert,
-		LeaderClientCert: c.flagLeaderClientCert,
-		LeaderClientKey:  c.flagLeaderClientKey,
+		LeaderCACert:     leaderCACert,
+		LeaderClientCert: leaderClientCert,
+		LeaderClientKey:  leaderClientKey,
 		Retry:            c.flagRetry,
 		NonVoter:         c.flagNonVoter,
 	})
@@ -139,10 +167,25 @@ func (c *OperatorRaftJoinCommand) Run(args []string) int {
 		return OutputData(c.UI, resp)
 	}
 
-	out := []string{}
-	out = append(out, "Key | Value")
-	out = append(out, fmt.Sprintf("Joined | %t", resp.Joined))
+	out := []string{
+		"Key | Value",
+		fmt.Sprintf("Joined | %t", resp.Joined),
+	}
 	c.UI.Output(tableOutput(out, nil))
 
 	return 0
 }
+
+func parseArg(raw string) (string, error) {
+	// check if the provided argument should be read from file
+	if len(raw) > 0 && raw[0] == '@' {
+		contents, err := ioutil.ReadFile(raw[1:])
+		if err != nil {
+			return "", errwrap.Wrapf("error reading file: {{err}}", err)
+		}
+
+		return string(contents), nil
+	}
+
+	return raw, nil
+}