feat: treat /var/run/secrets/ on k8s as system cert directory (#11123)

Consider `/var/run/secrets/kubernetes.io/serviceaccount`
a system certificate directory on container platforms.
Harshavardhana 2020-12-16 18:24:12 -08:00 committed by GitHub
parent b390a2a0b9
commit 970ddb424b
2 changed files with 65 additions and 7 deletions


@ -38,7 +38,7 @@ func GetRootCAs(certsCAsDir string) (*x509.CertPool, error) {
if err != nil { if err != nil {
if os.IsNotExist(err) || os.IsPermission(err) { if os.IsNotExist(err) || os.IsPermission(err) {
// Return success if CA's directory is missing or permission denied. // Return success if CA's directory is missing or permission denied.
err = nil return rootCAs, nil
} }
return rootCAs, err return rootCAs, err
} }
@ -46,12 +46,11 @@ func GetRootCAs(certsCAsDir string) (*x509.CertPool, error) {
// Load all custom CA files. // Load all custom CA files.
for _, fi := range fis { for _, fi := range fis {
caCert, err := ioutil.ReadFile(path.Join(certsCAsDir, fi.Name())) caCert, err := ioutil.ReadFile(path.Join(certsCAsDir, fi.Name()))
if err != nil { if err == nil {
// ignore files which are not readable.
continue
}
rootCAs.AppendCertsFromPEM(caCert) rootCAs.AppendCertsFromPEM(caCert)
} }
// ignore files which are not readable.
}
return rootCAs, nil return rootCAs, nil
} }
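Review bot: The rewritten loop still discards the bool returned by `rootCAs.AppendCertsFromPEM(caCert)`, so a file in certsCAsDir that is readable but not valid PEM contributes nothing and the operator gets no signal; a mis-written custom CA then shows up only later as a TLS verification failure. Consider recording the outcome, e.g. `if !rootCAs.AppendCertsFromPEM(caCert) { /* file held no parsable certificate; surface it */ }`, since an unparsable file is a configuration mistake rather than the transient condition the unreadable-file skip is meant for. The comment `// ignore files which are not readable.` appears to sit after the `if err == nil` block on the new side instead of beside the condition it explains; moving it next to `if err == nil {` keeps the intent readable. GetRootCAs begins before the first hunk, and both hunks are shown without their surrounding lines.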


@ -18,8 +18,67 @@
package certs package certs
import "crypto/x509" import (
"crypto/x509"
"io/ioutil"
"os"
"path/filepath"
"strings"
)
// Possible directories with certificate files, this is an extended
// list from https://golang.org/src/crypto/x509/root_unix.go?#L18
// for k8s platform
var certDirectories = []string{
"/var/run/secrets/kubernetes.io/serviceaccount",
}
// readUniqueDirectoryEntries is like ioutil.ReadDir but omits
// symlinks that point within the directory.
func readUniqueDirectoryEntries(dir string) ([]os.FileInfo, error) {
fis, err := ioutil.ReadDir(dir)
if err != nil {
return nil, err
}
uniq := fis[:0]
for _, fi := range fis {
if !isSameDirSymlink(fi, dir) {
uniq = append(uniq, fi)
}
}
return uniq, nil
}
// isSameDirSymlink reports whether fi in dir is a symlink with a
// target not containing a slash.
func isSameDirSymlink(fi os.FileInfo, dir string) bool {
if fi.Mode()&os.ModeSymlink == 0 {
return false
}
target, err := os.Readlink(filepath.Join(dir, fi.Name()))
return err == nil && !strings.Contains(target, "/")
}
func loadSystemRoots() (*x509.CertPool, error) { func loadSystemRoots() (*x509.CertPool, error) {
return x509.SystemCertPool() caPool, err := x509.SystemCertPool()
if err != nil {
return caPool, err
}
for _, directory := range certDirectories {
fis, err := readUniqueDirectoryEntries(directory)
if err != nil {
if os.IsNotExist(err) || os.IsPermission(err) {
return caPool, nil
}
return caPool, err
}
for _, fi := range fis {
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
if err == nil {
caPool.AppendCertsFromPEM(data)
}
}
}
return caPool, nil
} }
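Review bot: In loadSystemRoots the `return caPool, nil` taken in the `os.IsNotExist(err) || os.IsPermission(err)` branch leaves the `for _, directory := range certDirectories` loop altogether, so any directory listed after a missing one is never scanned; with the single entry this is invisible, but the comment describes certDirectories as an extended list, and the first absent entry would silently disable the rest. Replace that return with `continue`. The file path is built as `directory + "/" + fi.Name()` although filepath is already imported for isSameDirSymlink; `filepath.Join(directory, fi.Name())` is the conventional form and matches the helper. Every entry the directory listing returns is read and passed to AppendCertsFromPEM with its result dropped, so non-certificate files that share the directory (a service-account mount presumably holds more than a CA bundle) are read into memory and discarded without signal; limiting the read to certificate-looking names, or at least noting a file that yields no certificate, would make a broken CA bundle visible.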