Commit 60c01433 authored by Clayton Coleman's avatar Clayton Coleman

Split TLS loading to allow 3rd parties to load keys easily

The LoadTLSFiles method is useful for configuration code that needs to read the current client config and get values out for creating other config files.
parent 5eb71a18
...@@ -18,7 +18,6 @@ package client ...@@ -18,7 +18,6 @@ package client
import ( import (
"fmt" "fmt"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"net/url" "net/url"
...@@ -274,19 +273,6 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip ...@@ -274,19 +273,6 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
return rt, nil return rt, nil
} }
// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
// or an error if an error occurred reading the file
func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
if len(data) > 0 {
return data, nil
}
fileData, err := ioutil.ReadFile(file)
if err != nil {
return []byte{}, err
}
return fileData, nil
}
// DefaultServerURL converts a host, host:port, or URL string to the default base server API path // DefaultServerURL converts a host, host:port, or URL string to the default base server API path
// to use with a Client at a given API version following the standard conventions for a // to use with a Client at a given API version following the standard conventions for a
// Kubernetes API. // Kubernetes API.
......
...@@ -20,6 +20,7 @@ import ( ...@@ -20,6 +20,7 @@ import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
) )
...@@ -81,32 +82,19 @@ func TLSConfigFor(config *Config) (*tls.Config, error) { ...@@ -81,32 +82,19 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
if hasCA && config.Insecure { if hasCA && config.Insecure {
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed") return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
} }
if err := LoadTLSFiles(config); err != nil {
return nil, err
}
var tlsConfig *tls.Config var tlsConfig *tls.Config
switch { switch {
case hasCert: case hasCert:
certData, err := dataFromSliceOrFile(config.CertData, config.CertFile) cfg, err := NewClientCertTLSConfig(config.CertData, config.KeyData, config.CAData)
if err != nil {
return nil, err
}
keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
if err != nil {
return nil, err
}
caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
if err != nil {
return nil, err
}
cfg, err := NewClientCertTLSConfig(certData, keyData, caData)
if err != nil { if err != nil {
return nil, err return nil, err
} }
tlsConfig = cfg tlsConfig = cfg
case hasCA: case hasCA:
caData, err := dataFromSliceOrFile(config.CAData, config.CAFile) cfg, err := NewTLSConfig(config.CAData)
if err != nil {
return nil, err
}
cfg, err := NewTLSConfig(caData)
if err != nil { if err != nil {
return nil, err return nil, err
} }
...@@ -118,6 +106,45 @@ func TLSConfigFor(config *Config) (*tls.Config, error) { ...@@ -118,6 +106,45 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
return tlsConfig, nil return tlsConfig, nil
} }
// LoadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
// either populated or were empty to start.
func LoadTLSFiles(config *Config) error {
certData, err := dataFromSliceOrFile(config.CertData, config.CertFile)
if err != nil {
return err
}
config.CertData = certData
keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
if err != nil {
return err
}
config.KeyData = keyData
caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
if err != nil {
return err
}
config.CAData = caData
return nil
}
// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
// or an error if an error occurred reading the file
func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
if len(data) > 0 {
return data, nil
}
if len(file) > 0 {
fileData, err := ioutil.ReadFile(file)
if err != nil {
return []byte{}, err
}
return fileData, nil
}
return nil, nil
}
func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) { func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) {
cert, err := tls.X509KeyPair(certData, keyData) cert, err := tls.X509KeyPair(certData, keyData)
if err != nil { if err != nil {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment