feat: support for proxmox clusters dehind a reverse proxy with certificate-based authentication

Author: plaffitt

README.md

@@ -81,9 +81,25 @@ clusters:
     token_value: randomtokenvalue
 ```
 
+### Reverse proxies
+
+`pvecontrol` supports certificate-based authentication to a reverse proxy. Which makes it suitable for use with tools like [teleport](https://goteleport.com/docs/enroll-resources/application-access/guides/connecting-apps/) using teleport apps.
+
+```yaml
+clusters:
+  - name: fr-par-1
+    host: localhost
+    user: pvecontrol@pve
+    password: my.password.is.weak
+    proxy_certificate_path: /tmp/proxmox-reverse-proxy.pem
+    proxy_certificate_key_path: /tmp/proxmox-reverse-proxy
+```
+
+CAUTION: environment variable and `~` expansion and are not supported.
+
 ### Better security
 
-Instead of specifying users and passwords in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user` and `password` fields; for instance:
+Instead of specifying users, passwords and certificates paths in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user`, `password`, `proxy_certificate_path` and `proxy_certificate_path_key` fields; for instance:
 
 ```yaml
 clusters:

src/pvecontrol/__init__.py

@@ -5,9 +5,11 @@
 import logging
 import re
 import subprocess
+
+from importlib.metadata import version
+
 import urllib3
 import shtab
-from importlib.metadata import version
 
 from pvecontrol import actions, node, vm, task, storage
 from pvecontrol.cluster import PVECluster
@@ -72,8 +74,8 @@ def filter_type(x):
 
 def _parser():
     parser = argparse.ArgumentParser(
-        description=f"Proxmox VE control CLI, version: {version(__name__)}",
-        epilog="Made with love by Enix.io")
+        description=f"Proxmox VE control CLI, version: {version(__name__)}", epilog="Made with love by Enix.io"
+    )
     parser.add_argument("-v", "--verbose", action="store_true")
     parser.add_argument("--debug", action="store_true")
     parser.add_argument(
@@ -170,14 +172,31 @@ def run_auth_commands(clusterconfig):
     auth = {}
     regex = r"^\$\((.*)\)$"
 
-    for key in ("user", "password", "token_name", "token_value"):
+    for key in (
+        "user",
+        "password",
+        "token_name",
+        "token_value",
+        "proxy_certificate_path",
+        "proxy_certificate_key_path",
+    ):
         value = clusterconfig.get(key)
         if value is not None:
             result = re.match(regex, value)
             if result:
                 value = _execute_command(result.group(1))
             auth[key] = value
 
+    proxy_certificate = auth.get("proxy_certificate_path")
+    proxy_certificate_key = auth.get("proxy_certificate_key_path")
+    if proxy_certificate != "" and proxy_certificate_key != "":
+        auth["cert"] = (proxy_certificate, proxy_certificate_key)
+
+    if "proxy_certificate_path" in auth:
+        del auth["proxy_certificate_path"]
+    if "proxy_certificate_key_path" in auth:
+        del auth["proxy_certificate_key_path"]
+
     logging.debug("Auth: %s", auth)
     # check for "incompatible" auth options
     if "password" in auth and ("token_name" in auth or "token_value" in auth):

src/pvecontrol/config.py

@@ -10,6 +10,8 @@
             "host": str,
             "user": str,
             "password": confuse.Optional(str, None),
+            "proxy_certificate_path": confuse.Optional(str, None),
+            "proxy_certificate_key_path": confuse.Optional(str, None),
             "token_name": confuse.Optional(str, None),
             "token_value": confuse.Optional(str, None),
             "node": confuse.Optional(