-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
client.go
105 lines (89 loc) · 3.64 KB
/
client.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package accounts
import (
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"net"
"net/http"
"time"
acmeapi "golang.org/x/crypto/acme"
acmecl "github.com/cert-manager/cert-manager/pkg/acme/client"
"github.com/cert-manager/cert-manager/pkg/acme/client/middleware"
acmeutil "github.com/cert-manager/cert-manager/pkg/acme/util"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
"github.com/cert-manager/cert-manager/pkg/metrics"
)
const (
// defaultACMEHTTPTimeout sets the default maximum time that an individual HTTP request can take when doing ACME operations.
// Note that there may be other timeouts - e.g. dial timeouts or TLS handshake timeouts - which will be smaller than this. This
// timeout is the overall timeout for the entire request.
defaultACMEHTTPTimeout = time.Second * 90
)
// NewClientFunc is a function type for building a new ACME client.
type NewClientFunc func(*http.Client, cmacme.ACMEIssuer, *rsa.PrivateKey, string) acmecl.Interface
var _ NewClientFunc = NewClient
// NewClient is an implementation of NewClientFunc that returns a real ACME client.
func NewClient(client *http.Client, config cmacme.ACMEIssuer, privateKey *rsa.PrivateKey, userAgent string) acmecl.Interface {
return middleware.NewLogger(&acmeapi.Client{
Key: privateKey,
HTTPClient: client,
DirectoryURL: config.Server,
UserAgent: userAgent,
RetryBackoff: acmeutil.RetryBackoff,
})
}
// BuildHTTPClient returns a instrumented HTTP client to be used by an ACME client.
// For the time being, we construct a new HTTP client on each invocation, because we need
// to set the 'skipTLSVerify' flag on the HTTP client itself distinct from the ACME client
func BuildHTTPClient(metrics *metrics.Metrics, skipTLSVerify bool) *http.Client {
return BuildHTTPClientWithCABundle(metrics, skipTLSVerify, nil)
}
// BuildHTTPClientWithCABundle returns a instrumented HTTP client to be used by an ACME
// client, with an optional custom CA bundle set.
// For the time being, we construct a new HTTP client on each invocation, because we need
// to set the 'skipTLSVerify' flag and the CA bundle on the HTTP client itself, distinct
// from the ACME client
func BuildHTTPClientWithCABundle(metrics *metrics.Metrics, skipTLSVerify bool, caBundle []byte) *http.Client {
tlsConfig := &tls.Config{
InsecureSkipVerify: skipTLSVerify,
}
// len also checks if the bundle is nil
if len(caBundle) > 0 {
pool := x509.NewCertPool()
// We only want tlsConfig.RootCAs to be non-nil if we added at least one custom
// CA to "pool".
if ok := pool.AppendCertsFromPEM(caBundle); ok {
tlsConfig.RootCAs = pool
}
}
return acmecl.NewInstrumentedClient(
metrics,
&http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).DialContext,
TLSClientConfig: tlsConfig,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
Timeout: defaultACMEHTTPTimeout,
},
)
}