FilesExpand file tree

 mh_operator-remove-python-dependency

/

tls.go

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

111 lines (100 loc) · 3.17 KB

 mh_operator-remove-python-dependency

/

tls.go

Top

File metadata and controls

• Code
• Blame

111 lines (100 loc) · 3.17 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

package common

import (

"context"

"crypto/tls"

"crypto/x509"

"os"

"github.com/pkg/errors"

"github.com/stackrox/rox/pkg/clientconn"

"github.com/stackrox/rox/pkg/mtls"

"github.com/stackrox/rox/pkg/netutil"

"github.com/stackrox/rox/roxctl/common/flags"

)

// ConnectNames returns the endpoint and (SNI) server name given by the

// --endpoint and --server-name flags respectively and information about plaintext.

// If no server name is given, an appropriate name is derived from the given endpoint.

func ConnectNames() (string, string, bool, error) {

endpoint, usePlaintext, err := flags.EndpointAndPlaintextSetting()

if err != nil {

return "", "", false, errors.Wrap(err, "could not get endpoint")

}

if flags.UseKubeContext() {

endpoint, _, err = GetForwardingEndpoint()

if err != nil {

return "", "", false, errors.Wrap(err,

"could not get endpoint forwarding to the central service in the current k8s context")

}

}

serverName, err := getServerName(endpoint)

if err != nil {

return "", "", false, errors.Wrap(err, "could not get server name")

}

return endpoint, serverName, usePlaintext, nil

}

func getServerName(endpoint string) (string, error) {

if serverName := flags.ServerName(); serverName != "" {

return serverName, nil

}

serverName, _, _, err := netutil.ParseEndpoint(endpoint)

if err != nil {

return "", errors.Wrap(err, "could not parse endpoint")

}

return serverName, nil

}

func tlsConfigOptsForCentral() (*clientconn.TLSConfigOptions, error) {

_, serverName, _, err := ConnectNames()

if err != nil {

return nil, errors.Wrap(err, "parsing central endpoint")

}

opts := &clientconn.TLSConfigOptions{

ServerName: serverName,

InsecureSkipVerify: flags.SkipTLSValidation(),

}

if !opts.InsecureSkipVerify {

if opts.RootCAs, err = getCertPool(); err != nil {

return nil, err

}

}

if flags.UseKubeContext() {

opts.DialContext = getForwardingDialContext()

}

return opts, nil

}

func getCertPool() (*x509.CertPool, error) {

roots, err := x509.SystemCertPool()

if err != nil {

return nil, errors.Wrap(err, "could not get system certs pool")

}

if caFile := flags.CAFile(); caFile != "" {

// Read the CA from the given file.

if ca, err := os.ReadFile(caFile); err != nil {

return nil, errors.Wrap(err, "failed to parse CA certificates from file")

} else if !roots.AppendCertsFromPEM(ca) {

return nil, errors.Errorf("CA certificates file %s contains no certificates", caFile)

}

} else if flags.UseKubeContext() {

// Read the CA from the central secret.

_, core, namespace, err := getConfigs()

if err != nil {

return nil, err

}

ca, err := getCentralCA(context.Background(), core, namespace)

if err != nil {

return nil, errors.Wrap(err, "failed to read the central CA from the central-tls secret")

} else if !roots.AppendCertsFromPEM(ca) {

return nil, errors.New("central-tls secret contains no certificates")

}

}

return roots, nil

}

func tlsConfigForCentral() (*tls.Config, error) {

opts, err := tlsConfigOptsForCentral()

if err != nil {

return nil, err

}

conf, err := clientconn.TLSConfig(mtls.CentralSubject, *opts)

if err != nil {

return nil, errors.Wrap(err, "invalid TLS config")

}

return conf, nil

}