Merge pull request #3414 from liggitt/cafile

Use CAFile even if client certificate is not specified
2025-07-29 14:37:00 +00:00 · 2015-01-12 17:44:51 -08:00 · 2015-01-12 17:44:51 -08:00 · 16d0a837f2
commit 16d0a837f2
parent dd24e7e078 1f8a74626f
3 changed files with 33 additions and 2 deletions
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@ -186,9 +186,12 @@ func RESTClientFor(config *Config) (*RESTClient, error) {
 // default http.DefaultTransport if no special case behavior is needed.
 func TransportFor(config *Config) (http.RoundTripper, error) {
 	// Set transport level security
-	if config.Transport != nil && (config.CertFile != "" || config.Insecure) {
+	if config.Transport != nil && (config.CAFile != "" || config.CertFile != "" || config.Insecure) {
 		return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
 	}
+	if config.CAFile != "" && config.Insecure {
+		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
+	}
 	var transport http.RoundTripper
 	switch {
 	case config.Transport != nil:
@ -199,6 +202,12 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
 			return nil, err
 		}
 		transport = t
+	case config.CAFile != "":
+		t, err := NewTLSTransport(config.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		transport = t
 	case config.Insecure:
 		transport = NewUnsafeTLSTransport()
 	default:
--- a/pkg/client/kubelet.go
+++ b/pkg/client/kubelet.go
@ -60,12 +60,18 @@ type HTTPKubeletClient struct {

 func NewKubeletClient(config *KubeletConfig) (KubeletClient, error) {
 	transport := http.DefaultTransport
-	if config.CAFile != "" {
+	if config.CertFile != "" {
 		t, err := NewClientCertTLSTransport(config.CertFile, config.KeyFile, config.CAFile)
 		if err != nil {
 			return nil, err
 		}
 		transport = t
+	} else if config.CAFile != "" {
+		t, err := NewTLSTransport(config.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		transport = t
 	}

 	c := &http.Client{Transport: transport}
--- a/pkg/client/transport.go
+++ b/pkg/client/transport.go
@ -80,6 +80,22 @@ func NewClientCertTLSTransport(certFile, keyFile, caFile string) (*http.Transpor
 	}, nil
 }

+func NewTLSTransport(caFile string) (*http.Transport, error) {
+	data, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(data)
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{
+			// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
+			MinVersion: tls.VersionTLS10,
+			RootCAs:    certPool,
+		},
+	}, nil
+}
+
 func NewUnsafeTLSTransport() *http.Transport {
 	return &http.Transport{
 		TLSClientConfig: &tls.Config{