Use CAFile even if client certificate is not specified

duda · Jan 12, 2015 · 1f8a746 · 1f8a746
1 parent 6f43074
commit 1f8a746
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/pkg/client/helper.go b/pkg/client/helper.go
@@ -186,9 +186,12 @@ func RESTClientFor(config *Config) (*RESTClient, error) {
 // default http.DefaultTransport if no special case behavior is needed.
 func TransportFor(config *Config) (http.RoundTripper, error) {
 	// Set transport level security
-	if config.Transport != nil && (config.CertFile != "" || config.Insecure) {
+	if config.Transport != nil && (config.CAFile != "" || config.CertFile != "" || config.Insecure) {
 		return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
 	}
+	if config.CAFile != "" && config.Insecure {
+		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
+	}
 	var transport http.RoundTripper
 	switch {
 	case config.Transport != nil:
@@ -199,6 +202,12 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
 			return nil, err
 		}
 		transport = t
+	case config.CAFile != "":
+		t, err := NewTLSTransport(config.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		transport = t
 	case config.Insecure:
 		transport = NewUnsafeTLSTransport()
 	default:

diff --git a/pkg/client/kubelet.go b/pkg/client/kubelet.go
@@ -60,12 +60,18 @@ type HTTPKubeletClient struct {
 
 func NewKubeletClient(config *KubeletConfig) (KubeletClient, error) {
 	transport := http.DefaultTransport
-	if config.CAFile != "" {
+	if config.CertFile != "" {
 		t, err := NewClientCertTLSTransport(config.CertFile, config.KeyFile, config.CAFile)
 		if err != nil {
 			return nil, err
 		}
 		transport = t
+	} else if config.CAFile != "" {
+		t, err := NewTLSTransport(config.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		transport = t
 	}
 
 	c := &http.Client{Transport: transport}

diff --git a/pkg/client/transport.go b/pkg/client/transport.go
@@ -80,6 +80,22 @@ func NewClientCertTLSTransport(certFile, keyFile, caFile string) (*http.Transpor
 	}, nil
 }
 
+func NewTLSTransport(caFile string) (*http.Transport, error) {
+	data, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(data)
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{
+			// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
+			MinVersion: tls.VersionTLS10,
+			RootCAs:    certPool,
+		},
+	}, nil
+}
+
 func NewUnsafeTLSTransport() *http.Transport {
 	return &http.Transport{
 		TLSClientConfig: &tls.Config{