111 lines
3 KiB
Go
111 lines
3 KiB
Go
package types
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/traefik/traefik/v2/pkg/log"
|
|
)
|
|
|
|
// +k8s:deepcopy-gen=true
|
|
|
|
// ClientTLS holds TLS specific configurations as client
|
|
// CA, Cert and Key can be either path or file contents.
|
|
type ClientTLS struct {
|
|
CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
|
|
CAOptional bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
|
|
Cert string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
|
|
Key string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty"`
|
|
InsecureSkipVerify bool `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
|
|
}
|
|
|
|
// CreateTLSConfig creates a TLS config from ClientTLS structures.
|
|
func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, error) {
|
|
if clientTLS == nil {
|
|
log.FromContext(ctx).Warnf("clientTLS is nil")
|
|
return nil, nil
|
|
}
|
|
|
|
// Not initialized, to rely on system bundle.
|
|
var caPool *x509.CertPool
|
|
|
|
clientAuth := tls.NoClientCert
|
|
if clientTLS.CA != "" {
|
|
var ca []byte
|
|
if _, errCA := os.Stat(clientTLS.CA); errCA == nil {
|
|
var err error
|
|
ca, err = os.ReadFile(clientTLS.CA)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read CA. %w", err)
|
|
}
|
|
} else {
|
|
ca = []byte(clientTLS.CA)
|
|
}
|
|
|
|
caPool = x509.NewCertPool()
|
|
if !caPool.AppendCertsFromPEM(ca) {
|
|
return nil, errors.New("failed to parse CA")
|
|
}
|
|
|
|
if clientTLS.CAOptional {
|
|
clientAuth = tls.VerifyClientCertIfGiven
|
|
} else {
|
|
clientAuth = tls.RequireAndVerifyClientCert
|
|
}
|
|
}
|
|
|
|
hasCert := len(clientTLS.Cert) > 0
|
|
hasKey := len(clientTLS.Key) > 0
|
|
|
|
if hasCert != hasKey {
|
|
return nil, errors.New("both TLS cert and key must be defined")
|
|
}
|
|
|
|
if !hasCert || !hasKey {
|
|
return &tls.Config{
|
|
RootCAs: caPool,
|
|
InsecureSkipVerify: clientTLS.InsecureSkipVerify,
|
|
ClientAuth: clientAuth,
|
|
}, nil
|
|
}
|
|
|
|
cert, err := loadKeyPair(clientTLS.Cert, clientTLS.Key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
RootCAs: caPool,
|
|
InsecureSkipVerify: clientTLS.InsecureSkipVerify,
|
|
ClientAuth: clientAuth,
|
|
}, nil
|
|
}
|
|
|
|
func loadKeyPair(cert, key string) (tls.Certificate, error) {
|
|
keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))
|
|
if err == nil {
|
|
return keyPair, nil
|
|
}
|
|
|
|
_, err = os.Stat(cert)
|
|
if err != nil {
|
|
return tls.Certificate{}, errors.New("cert file does not exist")
|
|
}
|
|
|
|
_, err = os.Stat(key)
|
|
if err != nil {
|
|
return tls.Certificate{}, errors.New("key file does not exist")
|
|
}
|
|
|
|
keyPair, err = tls.LoadX509KeyPair(cert, key)
|
|
if err != nil {
|
|
return tls.Certificate{}, err
|
|
}
|
|
|
|
return keyPair, nil
|
|
}
|