From 60c014334fcfea2cdc3ed5067eb8eff32965aee9 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Thu, 19 Feb 2015 20:54:21 -0500
Subject: [PATCH] Split TLS loading to allow 3rd parties to load keys easily

The LoadTLSFiles method is useful for configuration code that needs to read the current client config and get values out for creating other config files.
---
 pkg/client/helper.go | 14 --------
 pkg/client/transport.go | 63 +++++++++++++++++++++++++++++------------
 2 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index 0ae507257f3..ac3dce0dd3a 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -18,7 +18,6 @@ package client
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -274,19 +273,6 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
 	return rt, nil
 }
 
-// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
-// or an error if an error occurred reading the file
-func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
-	if len(data) > 0 {
-		return data, nil
-	}
-	fileData, err := ioutil.ReadFile(file)
-	if err != nil {
-		return []byte{}, err
-	}
-	return fileData, nil
-}
-
 // DefaultServerURL converts a host, host:port, or URL string to the default base server API path
 // to use with a Client at a given API version following the standard conventions for a
 // Kubernetes API.
diff --git a/pkg/client/transport.go b/pkg/client/transport.go
index 62dd0964872..22278c4481e 100644
--- a/pkg/client/transport.go
+++ b/pkg/client/transport.go
@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 )
 
@@ -81,32 +82,19 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
 	if hasCA && config.Insecure {
 		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
 	}
+	if err := LoadTLSFiles(config); err != nil {
+		return nil, err
+	}
 	var tlsConfig *tls.Config
 	switch {
 	case hasCert:
-		certData, err := dataFromSliceOrFile(config.CertData, config.CertFile)
-		if err != nil {
-			return nil, err
-		}
-		keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
-		if err != nil {
-			return nil, err
-		}
-		caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
-		if err != nil {
-			return nil, err
-		}
-		cfg, err := NewClientCertTLSConfig(certData, keyData, caData)
+		cfg, err := NewClientCertTLSConfig(config.CertData, config.KeyData, config.CAData)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig = cfg
 	case hasCA:
-		caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
-		if err != nil {
-			return nil, err
-		}
-		cfg, err := NewTLSConfig(caData)
+		cfg, err := NewTLSConfig(config.CAData)
 		if err != nil {
 			return nil, err
 		}
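Review bot: The new `LoadTLSFiles(config)` call makes TLSConfigFor mutate its argument: once it returns, the contents of CertFile, KeyFile and CAFile — the private key included — are held in the caller's Config as CertData, KeyData and CAData, which they were not before this change. TLSConfigFor's doc comment sits above this hunk and should state that side effect, because a Config that is later printed, logged or serialized will now carry key material; something like `// TLSConfigFor ... As a side effect it loads CertFile, KeyFile and CAFile into the corresponding *Data fields via LoadTLSFiles.` hasCert and hasCA are computed above the hunk from the pre-load field values, which is fine if they are derived from both the *File and *Data fields, but I cannot confirm that from here. The enclosing function starts and ends outside the hunk.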
@@ -118,6 +106,45 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
 	return tlsConfig, nil
 }
 
+// LoadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
+// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
+// either populated or were empty to start.
+func LoadTLSFiles(config *Config) error {
+	certData, err := dataFromSliceOrFile(config.CertData, config.CertFile)
+	if err != nil {
+		return err
+	}
+	config.CertData = certData
+	keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
+	if err != nil {
+		return err
+	}
+	config.KeyData = keyData
+	caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
+	if err != nil {
+		return err
+	}
+	config.CAData = caData
+
+	return nil
+}
+
+// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
+// or an error if an error occurred reading the file
+func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
+	if len(data) > 0 {
+		return data, nil
+	}
+	if len(file) > 0 {
+		fileData, err := ioutil.ReadFile(file)
+		if err != nil {
+			return []byte{}, err
+		}
+		return fileData, nil
+	}
+	return nil, nil
+}
+
 func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) {
 	cert, err := tls.X509KeyPair(certData, keyData)
 	if err != nil {
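Review bot: The doc comment on LoadTLSFiles names the wrong destination field: it says the data is copied into `CertData, KeyData, and CAFile`, while the code assigns `config.CAData`; the second comment line should read `// KeyData, and CAData fields, or returns an error.` The comment should also say that on error the config may be left partially updated, since CertData is assigned before KeyFile is read and KeyData before CAFile, e.g. `// On error, fields loaded before the failure remain populated.` In dataFromSliceOrFile the error path returns `[]byte{}, err` while the new no-file path returns `nil, nil`; returning `nil, err` keeps the result meaningless on error and is consistent with the rest of the function. The `len(file) > 0` guard is what lets LoadTLSFiles be called when only some of the file fields are set, which is worth one sentence in its comment so callers do not assume an empty path is an error.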