Allow users to define an additional CA

causalityloop · Dec 3, 2018 · 4fb991e · 4fb991e
1 parent 1a74a4e
commit 4fb991e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 14 deletions.
diff --git a/cmd/trust/main.go b/cmd/trust/main.go
@@ -16,6 +16,7 @@ package main
 
 import (
 	"io/ioutil"
+	"os"
 
 	kube "github.com/IBM/portieris/helpers/kube"
 	notaryController "github.com/IBM/portieris/pkg/controller/notary"
@@ -34,18 +35,26 @@ func main() {
 		glog.Fatal("Could not get policy client", err)
 	}
 
-	trust, err := notaryClient.NewClient(".trust")
+	ca, err := ioutil.ReadFile("/etc/certs/ca.pem")
+	if err != nil {
+		if os.IsNotExist(err) {
+			glog.Info("CA not provided at /etc/certs/ca.pem, will use default system pool")
+		} else {
+			glog.Fatal("Could not read /etc/certs/ca.pem", err)
+		}
+	}
+	trust, err := notaryClient.NewClient(".trust", ca)
 	if err != nil {
 		glog.Fatal("Could not get trust client", err)
 	}
 
 	serverCert, err := ioutil.ReadFile("/etc/certs/serverCert.pem")
 	if err != nil {
-		glog.Fatal("Could not read serverCert.pem", err)
+		glog.Fatal("Could not read /etc/certs/serverCert.pem", err)
 	}
 	serverKey, err := ioutil.ReadFile("/etc/certs/serverKey.pem")
 	if err != nil {
-		glog.Fatal("Could not read serverKey.pem", err)
+		glog.Fatal("Could not read /etc/certs/serverKey.pem", err)
 	}
 
 	cr := registryclient.NewClient()

diff --git a/pkg/notary/notary.go b/pkg/notary/notary.go
@@ -16,6 +16,7 @@ package notary
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -32,6 +33,7 @@ import (
 // Client .
 type Client struct {
 	trustDir string
+	rootCAs  *x509.CertPool
 }
 
 // Interface .
@@ -40,15 +42,20 @@ type Interface interface {
 }
 
 // NewClient creates and initializes the client
-func NewClient(trustDir string) (Interface, error) {
+func NewClient(trustDir string, customCA []byte) (Interface, error) {
 	// Create a trust directory
 	err := createTrustDir(trustDir)
 	if err != nil {
 		return nil, err
 	}
-	return &Client{
-		trustDir: trustDir,
-	}, nil
+	rootCA, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	if customCA != nil {
+		rootCA.AppendCertsFromPEM(customCA)
+	}
+	return &Client{trustDir: trustDir, rootCAs: rootCA}, nil
 }
 
 // GetNotaryRepo .
@@ -57,13 +64,13 @@ func (c Client) GetNotaryRepo(server, image, notaryToken string) (notaryclient.R
 		c.trustDir,
 		data.GUN(image),
 		server,
-		makeHubTransport(server, notaryToken, image),
+		c.makeHubTransport(server, notaryToken, image),
 		nil,
 		trustpinning.TrustPinConfig{},
 	)
 }
 
-func makeHubTransport(server, notaryToken, image string) http.RoundTripper {
+func (c Client) makeHubTransport(server, notaryToken, image string) http.RoundTripper {
 	base := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		Dial: (&net.Dialer{
@@ -73,11 +80,10 @@ func makeHubTransport(server, notaryToken, image string) http.RoundTripper {
 		}).Dial,
 		TLSHandshakeTimeout: 10 * time.Second,
 		TLSClientConfig: &tls.Config{
-			// Avoid fallback by default to SSL protocols < TLS1.0
-			MinVersion:               tls.VersionTLS10,
+			// Avoid fallback by default to SSL protocols < TLS1.2
+			MinVersion:               tls.VersionTLS12,
 			PreferServerCipherSuites: true,
-			// Uncomment this for self-signed certs
-			InsecureSkipVerify: true,
+			RootCAs:                  c.rootCAs,
 		},
 		DisableKeepAlives: true,
 	}

diff --git a/pkg/notary/notary_test.go b/pkg/notary/notary_test.go
@@ -25,7 +25,7 @@ var _ = Describe("Notary", func() {
 	)
 
 	BeforeEach(func() {
-		trust, _ = NewClient(trustDir)
+		trust, _ = NewClient(trustDir, nil)
 	})
 
 	Describe("Getting the notary repo", func() {