-
Notifications
You must be signed in to change notification settings - Fork 17
/
tls.go
47 lines (38 loc) · 1.22 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
package loggregator
import (
"crypto/tls"
"crypto/x509"
"errors"
"io/ioutil"
)
// NewIngressTLSConfig provides a convenient means for creating a *tls.Config
// which uses the CA, cert, and key for the ingress endpoint.
func NewIngressTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error) {
return newTLSConfig(caPath, certPath, keyPath, "metron")
}
// NewEgressTLSConfig provides a convenient means for creating a *tls.Config
// which uses the CA, cert, and key for the egress endpoint.
func NewEgressTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error) {
return newTLSConfig(caPath, certPath, keyPath, "reverselogproxy")
}
func newTLSConfig(caPath, certPath, keyPath, cn string) (*tls.Config, error) {
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return nil, err
}
tlsConfig := &tls.Config{
ServerName: cn,
Certificates: []tls.Certificate{cert},
InsecureSkipVerify: false,
}
caCertBytes, err := ioutil.ReadFile(caPath)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
if ok := caCertPool.AppendCertsFromPEM(caCertBytes); !ok {
return nil, errors.New("cannot parse ca cert")
}
tlsConfig.RootCAs = caCertPool
return tlsConfig, nil
}