Utilizes tlsutils in pdns
This commit is contained in:
parent
9a7fafa0c5
commit
8223796ae7
@ -26,6 +26,8 @@ import (
|
||||
"strings"
|
||||
)
|
||||
|
||||
const defaultMinVersion = 0
|
||||
|
||||
// CreateTLSConfig creates tls.Config instance from TLS parameters passed in environment variables with the given prefix
|
||||
func CreateTLSConfig(prefix string) (*tls.Config, error) {
|
||||
caFile := os.Getenv(fmt.Sprintf("%s_CA_FILE", prefix))
|
||||
@ -34,14 +36,14 @@ func CreateTLSConfig(prefix string) (*tls.Config, error) {
|
||||
serverName := os.Getenv(fmt.Sprintf("%s_TLS_SERVER_NAME", prefix))
|
||||
isInsecureStr := strings.ToLower(os.Getenv(fmt.Sprintf("%s_TLS_INSECURE", prefix)))
|
||||
isInsecure := isInsecureStr == "true" || isInsecureStr == "yes" || isInsecureStr == "1"
|
||||
tlsConfig, err := newTLSConfig(certFile, keyFile, caFile, serverName, isInsecure)
|
||||
tlsConfig, err := NewTLSConfig(certFile, keyFile, caFile, serverName, isInsecure, defaultMinVersion)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
func newTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool) (*tls.Config, error) {
|
||||
func NewTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool, minVersion uint16) (*tls.Config, error) {
|
||||
if certPath != "" && keyPath == "" || certPath == "" && keyPath != "" {
|
||||
return nil, errors.New("either both cert and key or none must be provided")
|
||||
}
|
||||
@ -59,6 +61,7 @@ func newTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool) (
|
||||
}
|
||||
|
||||
return &tls.Config{
|
||||
MinVersion: minVersion,
|
||||
Certificates: certificates,
|
||||
RootCAs: roots,
|
||||
InsecureSkipVerify: insecure,
|
||||
|
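Review bot: `const defaultMinVersion = 0` in the first hunk makes CreateTLSConfig build a tls.Config whose MinVersion is zero, which crypto/tls reads as "use the package default", so the protocol floor for that entry point now depends on the Go release rather than on this package, while the pdns caller in the same commit pins tls.VersionTLS12 explicitly. Either document that this is deliberate, `// defaultMinVersion of 0 defers to the crypto/tls default; callers that need a fixed floor pass one to NewTLSConfig.`, or set it to `tls.VersionTLS12` so both entry points enforce the same minimum. The newly exported NewTLSConfig in the second hunk also has no doc comment; `// NewTLSConfig builds a tls.Config from the given cert, key and CA paths; minVersion is used as tls.Config.MinVersion (0 defers to the crypto/tls default).` would cover it. NewTLSConfig's body continues outside the hunk.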
@ -36,6 +36,7 @@ import (
|
||||
"github.com/kubernetes-incubator/external-dns/plan"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"github.com/kubernetes-incubator/external-dns/pkg/tlsutils"
|
||||
)
|
||||
|
||||
type pdnsChangeType string
|
||||
@ -96,19 +97,10 @@ func (tlsConfig *TLSConfig) setHTTPClient(pdnsClientConfig *pgo.Configuration) e
|
||||
if tlsConfig.CAFilePath == "" {
|
||||
return errors.New("certificate authority file path must be specified if TLS is enabled")
|
||||
}
|
||||
if tlsConfig.ClientCertFilePath == "" && tlsConfig.ClientCertKeyFilePath != "" ||
|
||||
tlsConfig.ClientCertFilePath != "" && tlsConfig.ClientCertKeyFilePath == "" {
|
||||
return errors.New("client certificate and client certificate key should be specified together if at all")
|
||||
}
|
||||
|
||||
certificateAuthority, err := loadCertificateAuthority(tlsConfig.CAFilePath)
|
||||
tlsClientConfig, err := tlsutils.NewTLSConfig(tlsConfig.ClientCertFilePath, tlsConfig.ClientCertKeyFilePath, tlsConfig.CAFilePath, "", false, tls.VersionTLS12)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
certificate, err := loadCertificate(tlsConfig.ClientCertFilePath, tlsConfig.ClientCertKeyFilePath)
|
||||
if err != nil {
|
||||
return err
|
||||
return err;
|
||||
}
|
||||
|
||||
// Timeouts taken from net.http.DefaultTransport
|
||||
@ -123,11 +115,7 @@ func (tlsConfig *TLSConfig) setHTTPClient(pdnsClientConfig *pgo.Configuration) e
|
||||
IdleConnTimeout: 90 * time.Second,
|
||||
TLSHandshakeTimeout: 10 * time.Second,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
Certificates: certificate,
|
||||
RootCAs: certificateAuthority,
|
||||
},
|
||||
TLSClientConfig: tlsClientConfig,
|
||||
}
|
||||
pdnsClientConfig.HTTPClient = &http.Client{
|
||||
Transport: transporter,
|
||||
@ -136,33 +124,6 @@ func (tlsConfig *TLSConfig) setHTTPClient(pdnsClientConfig *pgo.Configuration) e
|
||||
return nil
|
||||
}
|
||||
|
||||
func loadCertificateAuthority(certificateAuthorityFilePath string) (*x509.CertPool, error) {
|
||||
pool := x509.NewCertPool()
|
||||
|
||||
pem, err := ioutil.ReadFile(certificateAuthorityFilePath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ok := pool.AppendCertsFromPEM(pem)
|
||||
if !ok {
|
||||
return nil, errors.New("error appending certificate to pool")
|
||||
}
|
||||
|
||||
return pool, nil
|
||||
}
|
||||
|
||||
func loadCertificate(certificateFilePath string, certificateKeyFilePath string) ([]tls.Certificate, error) {
|
||||
if certificateFilePath == "" || certificateKeyFilePath == "" {
|
||||
return []tls.Certificate{}, nil
|
||||
}
|
||||
certificate, err := tls.LoadX509KeyPair(certificateFilePath, certificateKeyFilePath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return []tls.Certificate{certificate}, nil
|
||||
}
|
||||
|
||||
// Function for debug printing
|
||||
func stringifyHTTPResponseBody(r *http.Response) (body string) {
|
||||
|
||||
|
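Review bot: `return err;` in the @ -96 hunk carries a trailing semicolon that gofmt strips, so the file is no longer gofmt-clean; change it to `return err`. In the import hunk, the added `"github.com/kubernetes-incubator/external-dns/pkg/tlsutils"` line is placed between `"net"` and `)` among the standard-library imports instead of next to the other project imports such as `.../plan`; goimports would regroup it. The cert/key pairing check that the hunk removes from setHTTPClient is still enforced, since the NewTLSConfig it now calls performs the same check, so the delegation does not loosen validation. setHTTPClient starts and ends outside the hunk.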