forked from rancher/rancher
-
Notifications
You must be signed in to change notification settings - Fork 0
/
tls.go
111 lines (96 loc) · 3.05 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
package tls
import (
"fmt"
"io/ioutil"
"os"
v3 "github.com/rancher/types/apis/management.cattle.io/v3"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
rancherCertFile = "/etc/rancher/ssl/cert.pem"
rancherKeyFile = "/etc/rancher/ssl/key.pem"
rancherCACertsFile = "/etc/rancher/ssl/cacerts.pem"
)
func ReadTLSConfig(acmeDomains []string, noCACerts bool) (*v3.ListenConfig, error) {
var err error
lc := &v3.ListenConfig{
TypeMeta: metav1.TypeMeta{
Kind: "ListenConfig",
APIVersion: "management.cattle.io/v3",
},
ObjectMeta: metav1.ObjectMeta{
Name: "cli-config",
},
Enabled: true,
Mode: "https",
}
// ACME / Let's Encrypt
// If --acme-domain is set, configure and return
if len(acmeDomains) > 0 {
lc.Mode = "acme"
lc.Domains = acmeDomains
return lc, nil
}
// Mounted certificates
// If certificate file/key are set
certFileExists := fileExists(rancherCertFile)
keyFileExists := fileExists(rancherKeyFile)
// If certificate file exists but not certificate key, or other way around, error out
if (certFileExists && !keyFileExists) || (!certFileExists && keyFileExists) {
return nil, fmt.Errorf("invalid SSL configuration found, please set both certificate file and certificate key file (one is missing)")
}
caFileExists := fileExists(rancherCACertsFile)
// If certificate file and certificate key file exists, load files into listenConfig
if certFileExists && keyFileExists {
lc.Cert, err = readPEM(rancherCertFile)
if err != nil {
return nil, err
}
lc.Key, err = readPEM(rancherKeyFile)
if err != nil {
return nil, err
}
// Selfsigned needs cacerts, recognized CA needs --no-cacerts but can't be used together
if (caFileExists && noCACerts) || (!caFileExists && !noCACerts) {
return nil, fmt.Errorf("invalid SSL configuration found, please set cacerts when using self signed certificates or use --no-cacerts when using certificates from a recognized Certificate Authority, do not use both at the same time")
}
// Load cacerts if exists
if caFileExists {
lc.CACerts, err = readPEM(rancherCACertsFile)
if err != nil {
return nil, err
}
}
return lc, nil
}
// External termination
// We need to check if cacerts is passed or if --no-cacerts is used (when not providing certificate file and key)
// If cacerts is passed
if caFileExists {
// We can't have --no-cacerts
if noCACerts {
return nil, fmt.Errorf("invalid SSL configuration found, please set cacerts when using self signed certificates or use --no-cacerts when using certificates from a recognized Certificate Authority, do not use both at the same time")
}
lc.CACerts, err = readPEM(rancherCACertsFile)
if err != nil {
return nil, err
}
}
// No certificates mounted or only --no-cacerts used
return lc, nil
}
func fileExists(path string) bool {
if _, err := os.Stat(path); err != nil {
if os.IsNotExist(err) {
return false
}
}
return true
}
func readPEM(path string) (string, error) {
content, err := ioutil.ReadFile(path)
if err != nil {
return "", err
}
return string(content), nil
}