github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #3414 from liggitt/cafile

Browse Source 
Use CAFile even if client certificate is not specified
This commit is contained in:
Joe Beda 2015-01-12 17:44:51 -08:00
commit 16d0a837f2
3 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/client/helper.go
View File

@ -186,9 +186,12 @@ func RESTClientFor(config *Config) (*RESTClient, error) {
// default http.DefaultTransport if no special case behavior is needed. // default http.DefaultTransport if no special case behavior is needed.
func TransportFor(config *Config) (http.RoundTripper, error) { func TransportFor(config *Config) (http.RoundTripper, error) {
// Set transport level security // Set transport level security
if config.Transport != nil && (config.CertFile != "" || config.Insecure) { if config.Transport != nil && (config.CAFile != "" || config.CertFile != "" || config.Insecure) {
return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed") return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
} }
if config.CAFile != "" && config.Insecure {
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
}
var transport http.RoundTripper var transport http.RoundTripper
switch { switch {
case config.Transport != nil: case config.Transport != nil:
@ -199,6 +202,12 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
return nil, err return nil, err
} }
transport = t transport = t
case config.CAFile != "":
t, err := NewTLSTransport(config.CAFile)
if err != nil {
return nil, err
}
transport = t
case config.Insecure: case config.Insecure:
transport = NewUnsafeTLSTransport() transport = NewUnsafeTLSTransport()
default: default:

8
pkg/client/kubelet.go
View File

@ -60,12 +60,18 @@ type HTTPKubeletClient struct {
func NewKubeletClient(config *KubeletConfig) (KubeletClient, error) { func NewKubeletClient(config *KubeletConfig) (KubeletClient, error) {
transport := http.DefaultTransport transport := http.DefaultTransport
if config.CAFile != "" { if config.CertFile != "" {
t, err := NewClientCertTLSTransport(config.CertFile, config.KeyFile, config.CAFile) t, err := NewClientCertTLSTransport(config.CertFile, config.KeyFile, config.CAFile)
if err != nil { if err != nil {
return nil, err return nil, err
} }
transport = t transport = t
} else if config.CAFile != "" {
t, err := NewTLSTransport(config.CAFile)
if err != nil {
return nil, err
}
transport = t
} }
c := &http.Client{Transport: transport} c := &http.Client{Transport: transport}

16
pkg/client/transport.go
View File

@ -80,6 +80,22 @@ func NewClientCertTLSTransport(certFile, keyFile, caFile string) (*http.Transpor
}, nil }, nil
} }
func NewTLSTransport(caFile string) (*http.Transport, error) {
data, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(data)
return &http.Transport{
TLSClientConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
RootCAs: certPool,
},
}, nil
}
func NewUnsafeTLSTransport() *http.Transport { func NewUnsafeTLSTransport() *http.Transport {
return &http.Transport{ return &http.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{