Fix TLS auth when a port is specified (#86)
- Fix TLS config by properly splitting address into host and port
- Add nicer error messages around creating GRPC connection
- Clean up gateway code a bit
idiamond-stripe authored and pingles committed Jun 8, 2018
1 parent 28f4012 commit 8f577a5
Showing 1 changed file with 21 additions and 16 deletions.
37 changes: 21 additions & 16 deletions pkg/server/gateway.go
Expand Up @@ -18,14 +18,16 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net"
"time"

retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
"github.com/uswitch/kiam/pkg/aws/sts"
pb "github.com/uswitch/kiam/proto"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/naming"
"io/ioutil"
"time"
)

// Client to interact with KiamServer, exposing k8s.RoleFinder and sts.CredentialsProvider interfaces
Expand All @@ -38,51 +40,54 @@ const (
RetryInterval = 10 * time.Millisecond
)

// Creates a client suitable for interacting with a remote server. It can
// be closed cleanly
type GatewayConfig struct {
Address string
TLS *TLSConfig
}

func NewGateway(ctx context.Context, address string, refresh time.Duration, caFile, certificateFile, keyFile string) (*KiamGateway, error) {
callOpts := []retry.CallOption{
retry.WithBackoff(retry.BackoffLinear(RetryInterval)),
}

certificate, err := tls.LoadX509KeyPair(certificateFile, keyFile)
if err != nil {
return nil, err
return nil, fmt.Errorf("error loading keypair: %v", err)
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
return nil, fmt.Errorf("error reading SSL cert: %v, err")
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
return nil, fmt.Errorf("error appending certs from ca")
}

host, _, err := net.SplitHostPort(address)
if err != nil {
return nil, fmt.Errorf("error parsing hostname: %v", err)
}

creds := credentials.NewTLS(&tls.Config{
ServerName: address,
ServerName: host,
Certificates: []tls.Certificate{certificate},
RootCAs: certPool,
})

resolver, err := naming.NewDNSResolverWithFreq(refresh)
if err != nil {
return nil, err
return nil, fmt.Errorf("error creating DNS resolver: %v", err)
}

balancer := grpc.RoundRobin(resolver)
dialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds), grpc.WithUnaryInterceptor(retry.UnaryClientInterceptor(callOpts...)), grpc.WithBalancer(balancer)}
dialOpts := []grpc.DialOption{
grpc.WithTransportCredentials(creds),
grpc.WithUnaryInterceptor(retry.UnaryClientInterceptor(callOpts...)),
grpc.WithBalancer(balancer),
}
conn, err := grpc.Dial(address, dialOpts...)
if err != nil {
return nil, err
return nil, fmt.Errorf("error dialing grpc server: %v", err)
}

_, _, err = balancer.Get(ctx, grpc.BalancerGetOptions{BlockingWait: true})
if err != nil {
return nil, fmt.Errorf("error waiting for address being available in the balancer: %v", err)
return nil, fmt.Errorf("error waiting for address to be available in the balancer: %v", err)
}

client := pb.NewKiamServiceClient(conn)
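Review bot: The new error return after ioutil.ReadFile in NewGateway puts `err` inside the format string, so the message is emitted literally as "error reading SSL cert: %!v(MISSING), err" and the underlying read error is dropped; it should be `return nil, fmt.Errorf("error reading SSL cert: %v", err)`, and go vet would flag the current line as a printf call with a missing argument. Separately, the net.SplitHostPort call now turns an address without an explicit port into a hard "error parsing hostname" failure before any dial happens, whereas the replaced line accepted the bare address as the TLS ServerName; if callers previously passed bare hostnames this is a behaviour change worth stating. A doc comment on NewGateway would make the contract explicit, e.g. `// address must be host:port; the host part is used as the TLS ServerName so the server certificate is verified against it.` NewGateway's body continues past the end of the hunk.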
