
Function TLSConfigFor

transport/transport.go:55–116  ·  view source on GitHub ↗

TLSConfigFor returns a tls.Config that will provide the transport level security defined by the provided Config. Will return nil if no transport level security is requested.

(c *Config)


53// TLSConfigFor returns a tls.Config that will provide the transport level security defined
54// by the provided Config. Will return nil if no transport level security is requested.
55func TLSConfigFor(c *Config) (*tls.Config, error) {
56 if !(c.HasCA() || c.HasCertAuth() || c.HasCertCallback() || c.TLS.Insecure || len(c.TLS.ServerName) > 0) {
57 return nil, nil
58 }
59 if c.HasCA() && c.TLS.Insecure {
60 return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
61 }
62 if err := loadTLSFiles(c); err != nil {
63 return nil, err
64 }
65
66 tlsConfig := &tls.Config{
67 // Can't use SSLv3 because of POODLE and BEAST
68 // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
69 // Can't use TLSv1.1 because of RC4 cipher usage
70 MinVersion: tls.VersionTLS12,
71 InsecureSkipVerify: c.TLS.Insecure,
72 ServerName: c.TLS.ServerName,
73 }
74
75 if c.HasCA() {
76 tlsConfig.RootCAs = rootCertPool(c.TLS.CAData)
77 }
78
79 var staticCert *tls.Certificate
80 if c.HasCertAuth() {
81 // If key/cert were provided, verify them before setting up
82 // tlsConfig.GetClientCertificate.
83 cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData)
84 if err != nil {
85 return nil, err
86 }
87 staticCert = &cert
88 }
89
90 if c.HasCertAuth() || c.HasCertCallback() {
91 tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
92 // Note: static key/cert data always take precedence over cert
93 // callback.
94 if staticCert != nil {
95 return staticCert, nil
96 }
97 if c.HasCertCallback() {
98 cert, err := c.TLS.GetCert()
99 if err != nil {
100 return nil, err
101 }
102 // GetCert may return empty value, meaning no cert.
103 if cert != nil {
104 return cert, nil
105 }
106 }
107
108 // Both c.TLS.CertData/KeyData were unset and GetCert didn't return
109 // anything. Return an empty tls.Certificate, no client cert will
110 // be sent to the server.
111 return &tls.Certificate{}, nil
112 }

Callers 3

TestTLSCredentialsFunction · 0.92
TLSConfigForFunction · 0.92
getMethod · 0.70

Calls 6

loadTLSFilesFunction · 0.85
rootCertPoolFunction · 0.85
HasCAMethod · 0.80
HasCertAuthMethod · 0.80
HasCertCallbackMethod · 0.80
ErrorfMethod · 0.65

Tested by 1

TestTLSCredentialsFunction · 0.74