[fftls] Allow for In-Memory or Inlined TLS Certificates #132
Conversation
Signed-off-by: hfuss <[email protected]>
Signed-off-by: hfuss <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #132 +/- ##
=======================================
Coverage 99.96% 99.96%
=======================================
Files 79 79
Lines 6490 6507 +17
=======================================
+ Hits 6488 6505 +17
Misses 1 1
Partials 1 1 ☔ View full report in Codecov by Sentry. |
Signed-off-by: hfuss <[email protected]>
Signed-off-by: hfuss <[email protected]>
|
Small example that provides some context: cfg := &ffresty.Config{}
secretName := "mtls-config"
secret := &corev1.Secret{}
err := ctrlClient.Get(context, types.NamespacedName{Namespace: "default", Name: secretName}, secret)
if err != nil {
return nil, err
}
tls, err := fftls.NewTLSConfig(context, &fftls.Config{
Enabled: true,
CA: string(secret.Data["ca.crt"]),
Cert: string(secret.Data["tls.crt"]),
Key: string(secret.Data["tls.key"]),
}, fftls.ClientType)
if err != nil {
return nil, err
}
cfg.TLSClientConfig = tls
// proceed to use ffresty config to make a client |
| @@ -24,9 +24,11 @@ import ( | |||
| "crypto/x509" | |||
| "crypto/x509/pkix" | |||
| "encoding/pem" | |||
| "github.com/stretchr/testify/require" | |||
There was a problem hiding this comment.
Is there a specific reason to pull in require here, as opposed to assert? I think for unit tests we typically have stuck with assert, though I am noticing that is not as true in this particular repo
There was a problem hiding this comment.
So require fails the test immediately whereas assert keep runs the test if it doesn't pass. So I always use require for anything involve setup, where if it errors / is not successful, the entire things fails.
It's just syntactic sugar for:
if err != nil {
t.Fatal(err)
}I believe
| @@ -23,14 +23,21 @@ import ( | |||
| const ( | |||
| // HTTPConfTLSCAFile the TLS certificate authority file for the HTTP server | |||
| HTTPConfTLSCAFile = "caFile" | |||
| // HTTPConfTLSCA the TLS certificate authority in PEM format | |||
| HTTPConfTLSCA = "ca" | |||
There was a problem hiding this comment.
I think we should document (probably in this comment so it's visible to the developer) that if these are set they will take precedence over the "file" fields.
There was a problem hiding this comment.
Well its the opposite in that the file fields take precedence over these fields for backwards compatibility's sake.
That could be the wrong approach, but I'm updating the comments now to reflect the current behavior.
There was a problem hiding this comment.
Comments updated
There was a problem hiding this comment.
You're right sorry. Had the switch statement backwards in my head.
Signed-off-by: hfuss <[email protected]>
Useful for configs which want to inline the certs as large PEM blocks in their config files, or when constructing TLS configs from in-memory certificates (such as certificates downloaded from a Kubernetes Secret).