Merge pull request #1685 from venkyg-sec/allow_custom_tls_config
Allow usage of externally supplied TLS config
36
ca/ca.go
36
ca/ca.go
@@ -49,6 +49,7 @@ type options struct {
|
||||
sshUserPassword []byte
|
||||
database db.AuthDB
|
||||
x509CAService apiv1.CertificateAuthorityService
|
||||
tlsConfig *tls.Config
|
||||
}
|
||||
|
||||
func (o *options) apply(opts []Option) {
|
||||
@@ -114,6 +115,14 @@ func WithDatabase(d db.AuthDB) Option {
|
||||
}
|
||||
}
|
||||
|
||||
// WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server
|
||||
// spun by step-ca.
|
||||
func WithTLSConfig(t *tls.Config) Option {
|
||||
return func(o *options) {
|
||||
o.tlsConfig = t
|
||||
}
|
||||
}
|
||||
|
||||
// WithLinkedCAToken sets the token used to authenticate with the linkedca.
|
||||
func WithLinkedCAToken(token string) Option {
|
||||
return func(o *options) {
|
||||
@@ -193,9 +202,20 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
||||
}
|
||||
ca.auth = auth
|
||||
|
||||
tlsConfig, clientTLSConfig, err := ca.getTLSConfig(auth)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
var tlsConfig *tls.Config
|
||||
var clientTLSConfig *tls.Config
|
||||
if ca.opts.tlsConfig != nil {
|
||||
// try using the tls Configuration supplied by the caller
|
||||
log.Print("Using tls configuration supplied by the application")
|
||||
tlsConfig = ca.opts.tlsConfig
|
||||
clientTLSConfig = ca.opts.tlsConfig
|
||||
} else {
|
||||
// default to using the step-ca x509 Signer Interface
|
||||
log.Print("Building new tls configuration using step-ca x509 Signer Interface")
|
||||
tlsConfig, clientTLSConfig, err = ca.getTLSConfig(auth)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
webhookTransport.TLSClientConfig = clientTLSConfig
|
||||
@@ -457,7 +477,10 @@ func (ca *CA) Run() error {
|
||||
// Stop stops the CA calling to the server Shutdown method.
|
||||
func (ca *CA) Stop() error {
|
||||
close(ca.compactStop)
|
||||
ca.renewer.Stop()
|
||||
if ca.renewer != nil {
|
||||
ca.renewer.Stop()
|
||||
}
|
||||
|
||||
if err := ca.auth.Shutdown(); err != nil {
|
||||
log.Printf("error stopping ca.Authority: %+v\n", err)
|
||||
}
|
||||
@@ -532,7 +555,10 @@ func (ca *CA) Reload() error {
|
||||
// 2. Safely shutdown any internal resources (e.g. key manager)
|
||||
// 3. Replace ca properties
|
||||
// Do not replace ca.srv
|
||||
ca.renewer.Stop()
|
||||
if ca.renewer != nil {
|
||||
ca.renewer.Stop()
|
||||
}
|
||||
|
||||
ca.auth.CloseForReload()
|
||||
ca.auth = newCA.auth
|
||||
ca.config = newCA.config
|
||||
|
||||
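Review bot: The doc comment on WithTLSConfig says the config is "used by the HTTP(s) server", but in the Init hunk the same pointer is also assigned to `clientTLSConfig` and then to `webhookTransport.TLSClientConfig`, so a server-oriented config (Certificates, ClientAuth, ClientCAs) silently governs outbound webhook connections too — its Certificates become the client certificate offered to webhook endpoints and its RootCAs (or the system roots, if nil) decide which webhook servers are trusted. At minimum the comment should state this, e.g. `// WithTLSConfig sets the TLS configuration used by the HTTP(s) server spun by step-ca; the same configuration is also used as the TLS client configuration for outbound webhook requests.` Handing the client side a copy, `clientTLSConfig = ca.opts.tlsConfig.Clone()`, would also keep later mutation of the caller's config from affecting both consumers at once, though whether that is needed depends on how the caller uses the config after passing it in. The rest of Init, including where tlsConfig is consumed, lies outside the hunk, so I cannot tell whether a supplied config with neither Certificates nor GetCertificate is rejected before the server starts.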