mirror of https://github.com/k3s-io/k3s
k8s-merge-robot
commit
de1a9e3167
|
|
@ -110,28 +110,32 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
|
|||
hasCA := len(config.CAFile) > 0 || len(config.CAData) > 0
|
||||
hasCert := len(config.CertFile) > 0 || len(config.CertData) > 0
|
||||
|
||||
if !hasCA && !hasCert && !config.Insecure {
|
||||
return nil, nil
|
||||
}
|
||||
if hasCA && config.Insecure {
|
||||
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
|
||||
}
|
||||
if err := LoadTLSFiles(config); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var tlsConfig *tls.Config
|
||||
switch {
|
||||
case hasCert:
|
||||
cfg, err := NewClientCertTLSConfig(config.CertData, config.KeyData, config.CAData)
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
|
||||
MinVersion: tls.VersionTLS10,
|
||||
InsecureSkipVerify: config.Insecure,
|
||||
}
|
||||
|
||||
if hasCA {
|
||||
tlsConfig.RootCAs = rootCertPool(config.CAData)
|
||||
}
|
||||
|
||||
if hasCert {
|
||||
cert, err := tls.X509KeyPair(config.CertData, config.KeyData)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig = cfg
|
||||
case hasCA:
|
||||
cfg, err := NewTLSConfig(config.CAData)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsConfig = cfg
|
||||
case config.Insecure:
|
||||
tlsConfig = NewUnsafeTLSConfig()
|
||||
tlsConfig.Certificates = []tls.Certificate{cert}
|
||||
}
|
||||
|
||||
return tlsConfig, nil
|
||||
|
|
@ -186,30 +190,6 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) {
|
||||
cert, err := tls.X509KeyPair(certData, keyData)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &tls.Config{
|
||||
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
|
||||
MinVersion: tls.VersionTLS10,
|
||||
Certificates: []tls.Certificate{
|
||||
cert,
|
||||
},
|
||||
RootCAs: rootCertPool(caData),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func NewTLSConfig(caData []byte) (*tls.Config, error) {
|
||||
return &tls.Config{
|
||||
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
|
||||
MinVersion: tls.VersionTLS10,
|
||||
RootCAs: rootCertPool(caData),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
|
||||
// When caData is not empty, it will be the ONLY information used in the CertPool.
|
||||
func rootCertPool(caData []byte) *x509.CertPool {
|
||||
|
|
@ -226,12 +206,6 @@ func rootCertPool(caData []byte) *x509.CertPool {
|
|||
return certPool
|
||||
}
|
||||
|
||||
func NewUnsafeTLSConfig() *tls.Config {
|
||||
return &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
}
|
||||
}
|
||||
|
||||
// cloneRequest returns a clone of the provided *http.Request.
|
||||
// The clone is a shallow copy of the struct and its Header map.
|
||||
func cloneRequest(r *http.Request) *http.Request {
|
||||
|
|
|
|||
|
|
@ -24,13 +24,6 @@ import (
|
|||
"k8s.io/kubernetes/pkg/api/testapi"
|
||||
)
|
||||
|
||||
func TestUnsecuredTLSTransport(t *testing.T) {
|
||||
cfg := NewUnsafeTLSConfig()
|
||||
if !cfg.InsecureSkipVerify {
|
||||
t.Errorf("expected config to be insecure")
|
||||
}
|
||||
}
|
||||
|
||||
type testRoundTripper struct {
|
||||
Request *http.Request
|
||||
Response *http.Response
|
||||
|
|
|
|||
Loading…
Reference in New Issue