mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
feat: treat /var/run/secrets/ on k8s as system cert directory (#11123)
consider `/var/run/secrets/kubernetes.io/serviceaccount` as system cert directory for container platform.
This commit is contained in:
parent
b390a2a0b9
commit
970ddb424b
@ -38,7 +38,7 @@ func GetRootCAs(certsCAsDir string) (*x509.CertPool, error) {
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) || os.IsPermission(err) {
|
||||
// Return success if CA's directory is missing or permission denied.
|
||||
err = nil
|
||||
return rootCAs, nil
|
||||
}
|
||||
return rootCAs, err
|
||||
}
|
||||
@ -46,11 +46,10 @@ func GetRootCAs(certsCAsDir string) (*x509.CertPool, error) {
|
||||
// Load all custom CA files.
|
||||
for _, fi := range fis {
|
||||
caCert, err := ioutil.ReadFile(path.Join(certsCAsDir, fi.Name()))
|
||||
if err != nil {
|
||||
// ignore files which are not readable.
|
||||
continue
|
||||
if err == nil {
|
||||
rootCAs.AppendCertsFromPEM(caCert)
|
||||
}
|
||||
rootCAs.AppendCertsFromPEM(caCert)
|
||||
// ignore files which are not readable.
|
||||
}
|
||||
|
||||
return rootCAs, nil
|
||||
|
@ -18,8 +18,67 @@
|
||||
|
||||
package certs
|
||||
|
||||
import "crypto/x509"
|
||||
import (
|
||||
"crypto/x509"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// Possible directories with certificate files, this is an extended
|
||||
// list from https://golang.org/src/crypto/x509/root_unix.go?#L18
|
||||
// for k8s platform
|
||||
var certDirectories = []string{
|
||||
"/var/run/secrets/kubernetes.io/serviceaccount",
|
||||
}
|
||||
|
||||
// readUniqueDirectoryEntries is like ioutil.ReadDir but omits
|
||||
// symlinks that point within the directory.
|
||||
func readUniqueDirectoryEntries(dir string) ([]os.FileInfo, error) {
|
||||
fis, err := ioutil.ReadDir(dir)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
uniq := fis[:0]
|
||||
for _, fi := range fis {
|
||||
if !isSameDirSymlink(fi, dir) {
|
||||
uniq = append(uniq, fi)
|
||||
}
|
||||
}
|
||||
return uniq, nil
|
||||
}
|
||||
|
||||
// isSameDirSymlink reports whether fi in dir is a symlink with a
|
||||
// target not containing a slash.
|
||||
func isSameDirSymlink(fi os.FileInfo, dir string) bool {
|
||||
if fi.Mode()&os.ModeSymlink == 0 {
|
||||
return false
|
||||
}
|
||||
target, err := os.Readlink(filepath.Join(dir, fi.Name()))
|
||||
return err == nil && !strings.Contains(target, "/")
|
||||
}
|
||||
|
||||
func loadSystemRoots() (*x509.CertPool, error) {
|
||||
return x509.SystemCertPool()
|
||||
caPool, err := x509.SystemCertPool()
|
||||
if err != nil {
|
||||
return caPool, err
|
||||
}
|
||||
|
||||
for _, directory := range certDirectories {
|
||||
fis, err := readUniqueDirectoryEntries(directory)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) || os.IsPermission(err) {
|
||||
return caPool, nil
|
||||
}
|
||||
return caPool, err
|
||||
}
|
||||
for _, fi := range fis {
|
||||
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
|
||||
if err == nil {
|
||||
caPool.AppendCertsFromPEM(data)
|
||||
}
|
||||
}
|
||||
}
|
||||
return caPool, nil
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user