Allow usage of externally supplied TLS config #1685

Merged
merged 3 commits into from
Feb 14, 2024
36 changes: 31 additions & 5 deletions ca/ca.go
Expand Up @@ -49,6 +49,7 @@ type options struct {
sshUserPassword []byte
database db.AuthDB
x509CAService apiv1.CertificateAuthorityService
tlsConfig *tls.Config
}

func (o *options) apply(opts []Option) {
Expand Down Expand Up @@ -114,6 +115,14 @@ func WithDatabase(d db.AuthDB) Option {
}
}

// WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server
// spun by step-ca.
func WithTLSConfig(t *tls.Config) Option {
return func(o *options) {
o.tlsConfig = t
}
}

// WithLinkedCAToken sets the token used to authenticate with the linkedca.
func WithLinkedCAToken(token string) Option {
return func(o *options) {
Expand Down Expand Up @@ -193,9 +202,20 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
}
ca.auth = auth

tlsConfig, clientTLSConfig, err := ca.getTLSConfig(auth)
if err != nil {
return nil, err
var tlsConfig *tls.Config
var clientTLSConfig *tls.Config
if ca.opts.tlsConfig != nil {
// try using the tls Configuration supplied by the caller
log.Print("Using tls configuration supplied by the application")
tlsConfig = ca.opts.tlsConfig
clientTLSConfig = ca.opts.tlsConfig
} else {
// default to using the step-ca x509 Signer Interface
log.Print("Building new tls configuration using step-ca x509 Signer Interface")
tlsConfig, clientTLSConfig, err = ca.getTLSConfig(auth)
if err != nil {
return nil, err
}
}

webhookTransport.TLSClientConfig = clientTLSConfig
Expand Down Expand Up @@ -457,7 +477,10 @@ func (ca *CA) Run() error {
// Stop stops the CA calling to the server Shutdown method.
func (ca *CA) Stop() error {
close(ca.compactStop)
ca.renewer.Stop()
if ca.renewer != nil {
ca.renewer.Stop()
}

if err := ca.auth.Shutdown(); err != nil {
log.Printf("error stopping ca.Authority: %+v\n", err)
}
Expand Down Expand Up @@ -532,7 +555,10 @@ func (ca *CA) Reload() error {
// 2. Safely shutdown any internal resources (e.g. key manager)
// 3. Replace ca properties
// Do not replace ca.srv
ca.renewer.Stop()
if ca.renewer != nil {
ca.renewer.Stop()
}

ca.auth.CloseForReload()
ca.auth = newCA.auth
ca.config = newCA.config
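Review bot: The caller-supplied config is installed unchanged for both roles at `tlsConfig = ca.opts.tlsConfig` and `clientTLSConfig = ca.opts.tlsConfig`, so one *tls.Config that carries server-side settings (Certificates, ClientAuth, ClientCAs) is also handed to webhookTransport.TLSClientConfig a few lines later, and any later mutation of the shared pointer by either consumer is visible to the other; at minimum use `clientTLSConfig = ca.opts.tlsConfig.Clone()`, or better, take a separate client config option. Nothing in this branch validates the supplied config (for example that it has a Certificates entry or GetCertificate set, or a MinVersion), so a misconfigured value surfaces only when the server first serves, not at Init. The nil checks added to Stop and Reload suggest ca.renewer is only populated by getTLSConfig, which this branch skips; if so, a caller-supplied certificate is never renewed by step-ca, and the WithTLSConfig doc comment should say so, e.g. `// The certificate in t is used as-is; step-ca does not renew it, so the caller is responsible for rotation.` Init continues outside the hunk.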