Merge pull request #5 from PowerDNS/use-tlsconfig-for-s3

s3: add TLS configuration options

Author: wojas

backends/s3/s3.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/PowerDNS/go-tlsconfig"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	s3config "github.com/aws/aws-sdk-go-v2/config"
@@ -51,6 +52,10 @@ type Options struct {
 	// instead of AWS S3.
 	EndpointURL string `yaml:"endpoint_url"`
 
+	// TLS allows customising the TLS configuration
+	// See https://github.com/PowerDNS/go-tlsconfig for the available options
+	TLS tlsconfig.Config `yaml:"tls"`
+
 	// InitTimeout is the time we allow for initialisation, like credential
 	// checking and bucket creation. It defaults to DefaultInitTimeout, which
 	// is currently 20s.
@@ -241,15 +246,39 @@ func New(ctx context.Context, opt Options) (*Backend, error) {
 		return nil, err
 	}
 
-	// Some of the following calls require a context
+	// Automatic TLS handling
+	// This MUST receive a longer running context to be able to automatically
+	// reload certificates, so we use the original ctx, not one with added
+	// InitTimeout.
+	tlsmgr, err := tlsconfig.NewManager(ctx, opt.TLS, tlsconfig.Options{
+		IsClient: true,
+		// TODO: logging might be useful here, but we need to figure this
+		//       out for other parts of simpleblob first.
+		Logr: nil,
+	})
+	if err != nil {
+		return nil, err
+	}
+	// Get an opinionated HTTP client that:
+	// - Uses a custom tls.Config
+	// - Sets proxies from the environment
+	// - Sets reasonable timeouts on various operations
+	// Check the implementation for details.
+	hc, err := tlsmgr.HTTPClient()
+	if err != nil {
+		return nil, err
+	}
+
+	// Some of the following calls require a short running context
 	ctx, cancel := context.WithTimeout(ctx, opt.InitTimeout)
 	defer cancel()
 
 	creds := credentials.NewStaticCredentialsProvider(opt.AccessKey, opt.SecretKey, "")
 	cfg, err := s3config.LoadDefaultConfig(
 		ctx,
 		s3config.WithCredentialsProvider(creds),
-		s3config.WithRegion(opt.Region))
+		s3config.WithRegion(opt.Region),
+		s3config.WithHTTPClient(hc))
 	if err != nil {
 		return nil, err
 	}

go.mod

@@ -14,6 +14,7 @@ require (
 )
 
 require (
+	github.com/PowerDNS/go-tlsconfig v0.0.0-20201014142732-fe6ff56e2a95 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.2.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.10.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.4 // indirect
@@ -28,6 +29,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-logr/logr v0.2.1 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kr/text v0.2.0 // indirect

go.sum

@@ -33,6 +33,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/PowerDNS/go-tlsconfig v0.0.0-20201014142732-fe6ff56e2a95 h1:jWxEVXkF1InUh1o5aCq4cc+ZjKKSwYsGV3yNK5Rpp6A=
+github.com/PowerDNS/go-tlsconfig v0.0.0-20201014142732-fe6ff56e2a95/go.mod h1:Q+i/He4WS46khYyqBUWBASsayUrenws7sOh964AK7TY=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -100,6 +102,8 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logr/logr v0.2.1 h1:fV3MLmabKIZ383XifUjFSwcoGee0v9qgPp8wy5svibE=
+github.com/go-logr/logr v0.2.1/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=