-
Notifications
You must be signed in to change notification settings - Fork 88
/
http.go
98 lines (82 loc) · 2.75 KB
/
http.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
package client
import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"log"
"net/http"
"os"
"sync"
"github.com/hashicorp/go-cleanhttp"
"github.com/pkg/errors"
kotsv1beta1 "github.com/replicatedhq/kotskinds/apis/kots/v1beta1"
)
var (
httpClient *http.Client
httpClientMu sync.RWMutex
kurlProxyTLSCert []byte
identityConfigSpecCACert string
identityConfigSpecInsecureSkipTLSVerify bool
)
func HTTPClient(ctx context.Context, namespace string, identityConfig kotsv1beta1.IdentityConfig) (*http.Client, error) {
// NOTE: it may be possible to mount both the secret and the identity spec and watch for changes
httpClientMu.Lock()
defer httpClientMu.Unlock()
pemCert, err := getKurlProxyTLSCert()
if err != nil {
return nil, errors.Wrap(err, "failed to get kurl proxy tls cert")
}
if httpClient != nil && !hasTLSConfigChanged(pemCert, identityConfig.Spec) {
return httpClient, nil
}
// Get the SystemCertPool, continue with an empty pool on error
rootCAs, err := x509.SystemCertPool()
if err != nil {
return nil, errors.Wrap(err, "failed to get system cert pool")
}
if rootCAs == nil {
rootCAs = x509.NewCertPool()
}
kurlProxyTLSCert = pemCert
identityConfigSpecCACert = identityConfig.Spec.CACertPemBase64
identityConfigSpecInsecureSkipTLSVerify = identityConfig.Spec.InsecureSkipTLSVerify
if kurlProxyTLSCert != nil {
if !rootCAs.AppendCertsFromPEM(kurlProxyTLSCert) {
// TODO: how can I log here?
log.Println(errors.New("no certificate blocks found in kurl tls proxy ca certificate"))
}
}
if identityConfig.Spec.CACertPemBase64 != "" {
caCert, err := base64.StdEncoding.DecodeString(identityConfig.Spec.CACertPemBase64)
if err != nil {
log.Println(errors.Wrap(err, "failed to base64 decode provided ca certificate"))
} else if caCert != nil {
if !rootCAs.AppendCertsFromPEM(caCert) {
log.Println(errors.New("no certificate blocks found in provided ca certificate"))
}
}
}
transport := cleanhttp.DefaultTransport()
transport.TLSClientConfig = &tls.Config{
RootCAs: rootCAs,
InsecureSkipVerify: identityConfig.Spec.InsecureSkipTLSVerify,
}
httpClient = &http.Client{
Transport: transport,
}
return httpClient, nil
}
func hasTLSConfigChanged(pemCert []byte, identityConfigSpec kotsv1beta1.IdentityConfigSpec) bool {
return !bytes.Equal(kurlProxyTLSCert, pemCert) ||
identityConfigSpecCACert != identityConfigSpec.CACertPemBase64 ||
identityConfigSpecInsecureSkipTLSVerify != identityConfigSpec.InsecureSkipTLSVerify
}
func getKurlProxyTLSCert() ([]byte, error) {
certPath := os.Getenv("KURL_PROXY_TLS_CERT_PATH")
if certPath == "" {
return nil, nil
}
return os.ReadFile(certPath)
}