v2.5.1

分支 (51)

标签 (159)

管理

管理

main

dependabot/go_modules/k8s.io/apiserver-0.23.3

release-3.8

dependabot/go_modules/k8s.io/klog/v2-2.40.1

dependabot/go_modules/github.com/BurntSushi/toml-1.0.0

dependabot/go_modules/github.com/evanphx/json-patch-5.6.0incompatible

release-3.7

release-3.6

release-3.6.2

dependabot/go_modules/k8s.io/cli-runtime-0.21.2

release-3.6.1

dependabot/go_modules/github.com/containerd/containerd-1.5.2

dependabot/go_modules/github.com/jmoiron/sqlx-1.3.4

dependabot/go_modules/github.com/mitchellh/copystructure-1.2.0

dependabot/go_modules/github.com/lib/pq-1.10.2

release-3.5

dependabot/go_modules/k8s.io/client-go-0.21.0

dependabot/go_modules/k8s.io/apiserver-0.21.0

dependabot/go_modules/k8s.io/api-0.21.0

dependabot/go_modules/k8s.io/cli-runtime-0.21.0

v3.8.0

v3.8.0-rc.2

v3.8.0-rc.1

v3.7.2

v3.7.1

v3.7.0

v3.7.0-rc.3

v3.7.0-rc.2

v3.7.0-rc.1

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.6.0-rc.1

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.5.0-rc.2

helm
/
pkg
/
tlsutil
/
cfg.go

/*
Copyright 2016 The Kubernetes Authors All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package tlsutil

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// Options represents configurable options used to create client and server TLS configurations.
type Options struct {
	CaCertFile string
	// If either the KeyFile or CertFile is empty, ClientConfig() will not load them,
	// preventing helm from authenticating to Tiller. They are required to be non-empty
	// when calling ServerConfig, otherwise an error is returned.
	KeyFile  string
	CertFile string
	// Client-only options
	InsecureSkipVerify bool
	// Server-only options
	ClientAuth tls.ClientAuthType
}

// ClientConfig retusn a TLS configuration for use by a Helm client.
func ClientConfig(opts Options) (cfg *tls.Config, err error) {
	var cert *tls.Certificate
	var pool *x509.CertPool

	if opts.CertFile != "" || opts.KeyFile != "" {
		if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil {
			if os.IsNotExist(err) {
				return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
			}
			return nil, fmt.Errorf("could not read x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
		}
	}
	if !opts.InsecureSkipVerify && opts.CaCertFile != "" {
		if pool, err = CertPoolFromFile(opts.CaCertFile); err != nil {
			return nil, err
		}
	}

	cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool}
	return cfg, nil
}

// ServerConfig returns a TLS configuration for use by the Tiller server.
func ServerConfig(opts Options) (cfg *tls.Config, err error) {
	var cert *tls.Certificate
	var pool *x509.CertPool

	if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil {
		if os.IsNotExist(err) {
			return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
		}
		return nil, fmt.Errorf("could not read x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
	}
	if opts.ClientAuth >= tls.VerifyClientCertIfGiven && opts.CaCertFile != "" {
		if pool, err = CertPoolFromFile(opts.CaCertFile); err != nil {
			return nil, err
		}
	}

	cfg = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: opts.ClientAuth, Certificates: []tls.Certificate{*cert}, ClientCAs: pool}
	return cfg, nil
}