add support for custom upstream CAs

Josef Karasek · Josef Karasek · commit 808ed5b6cdaa · 2019-02-15T15:01:20.000+01:00
diff --git a/README.md b/README.md
@@ -54,6 +54,7 @@ Usage of _output/linux/amd64/kube-rbac-proxy:
       --tls-min-version string                      Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS12")
       --tls-private-key-file string                 File containing the default x509 private key matching --tls-cert-file.
       --upstream string                             The upstream URL to proxy to once requests have successfully been authenticated and authorized.
+      --upstream-ca-file string                     The CA the upstream uses for TLS connection. This is required when the upstream uses TLS and its own CA certificate
       --upstream-force-h2c                          Force h2c to communiate with the upstream. This is required when the upstream speaks h2c(http/2 cleartext - insecure variant of http/2) only. For example, go-grpc server in the insecure mode, such as helm's tiller w/o TLS, speaks h2c only
   -v, --v Level                                     log level for V logs
       --vmodule moduleSpec                          comma-separated list of pattern=N settings for file-filtered logging
diff --git a/main.go b/main.go
@@ -53,6 +53,7 @@ type config struct {
 	secureListenAddress   string
 	upstream              string
 	upstreamForceH2C      bool
+	upstreamCAFile        string
 	auth                  proxy.Config
 	tls                   tlsConfig
 	kubeconfigLocation    string
@@ -104,6 +105,7 @@ func main() {
 	flagset.StringVar(&cfg.secureListenAddress, "secure-listen-address", "", "The address the kube-rbac-proxy HTTPs server should listen on.")
 	flagset.StringVar(&cfg.upstream, "upstream", "", "The upstream URL to proxy to once requests have successfully been authenticated and authorized.")
 	flagset.BoolVar(&cfg.upstreamForceH2C, "upstream-force-h2c", false, "Force h2c to communiate with the upstream. This is required when the upstream speaks h2c(http/2 cleartext - insecure variant of http/2) only. For example, go-grpc server in the insecure mode, such as helm's tiller w/o TLS, speaks h2c only")
+	flagset.StringVar(&cfg.upstreamCAFile, "upstream-ca-file", "", "The CA the upstream uses for TLS connection. This is required when the upstream uses TLS and its own CA certificate")
 	flagset.StringVar(&configFileName, "config-file", "", "Configuration file to configure kube-rbac-proxy.")
 
 	// TLS flags
@@ -193,7 +195,13 @@ func main() {
 		glog.Fatalf("Failed to create rbac-proxy: %v", err)
 	}
 
+	upstreamTransport, err := initTransport(cfg.upstreamCAFile)
+	if err != nil {
+		glog.Fatalf("Failed to set up upstream TLS connection: %v", err)
+	}
+
 	proxy := httputil.NewSingleHostReverseProxy(upstreamURL)
+	proxy.Transport = upstreamTransport
 	mux := http.NewServeMux()
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		ok := auth.Handle(w, req)
diff --git a/test/ca.pem b/test/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu
+c2hpZnQtc2lnbmVyQDE1NDA0NzY0NTUwHhcNMTgxMDI1MTQwNzM1WhcNMjMxMDI0
+MTQwNzM2WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1NDA0NzY0NTUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQ1+8Z00Ovc93IpUjOsWs2
+ueNfcaDpDYW7P2y50jqy4XGdRRdHiLQKQv7S3Zqy/wTlnaDpk8TLMp6YSZ41p1Qy
+5HhIbXMviR9Bqg1JziSx9HaFvo5w79gn7YbICpftKpsi1L2KBk2ekgnTnt+pw+Ml
+L8N/ELtWtK8pu5cNZJIkJptxTWJzPyeUSVfDDPbEXP0VSDw2MOSoIxqcH1C4mR42
+Wr/6Crxtr2oyvAzLZvAtWCtUEY9fkmJVTGMjzfwRnrvxsfMguwSHKyyrRdDLoQMp
+sFn8cRBu0omTIbyMQlHo+QVgdQ+P6LnV9Dbjn5fX7+5ithyu4iTrJFqjDsd47vBN
+AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQBIzSylEYbVIl/KzelTWz0FZznczPMJnBlJAa4OGUHt8VuY
+viUcItOdjrGhzwCzJn+IfbLtuv7d5YHYKEZZFNbUIPyvRByAM+iNKXXFSSnGBelz
+J3onnrM4kMD8TwNZA4AJGpWy7Ntmtw/ie2BZ1AgBR9AhpxLC1Md7zxly59QGmahT
+ym2aYUfblwQRm0AgRlccRgyVZdf3fCU5/BxLZkRT/hOKMQbAPPlxIGnpk/uJJcD4
+ZxKXypiQ2tzsKId8VybBYmgdG482bKrd6q/bsJGZx4B1++hHrvIPDaJYrmJG3UMP
+x8z5unyK1BzrXFcyID1Dw998m4dhspjJeYPVNd2a
+-----END CERTIFICATE-----
diff --git a/transport.go b/transport.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2017 Frederic Branczyk All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"time"
+)
+
+func initTransport(upstreamCAFile string) (http.RoundTripper, error) {
+	if upstreamCAFile == "" {
+		return http.DefaultTransport, nil
+	}
+
+	rootPEM, err := ioutil.ReadFile(upstreamCAFile)
+	if err != nil {
+		return nil, fmt.Errorf("error reading upstream CA file: %v", err)
+	}
+
+	roots := x509.NewCertPool()
+	if ok := roots.AppendCertsFromPEM([]byte(rootPEM)); !ok {
+		return nil, errors.New("error parsing upstream CA certificate")
+	}
+
+	// http.Transport sourced from go 1.10.7
+	transport := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       &tls.Config{RootCAs: roots},
+	}
+
+	return transport, nil
+}
diff --git a/transport_test.go b/transport_test.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2017 Frederic Branczyk All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestInitTransportWithDefault(t *testing.T) {
+	roundTripper, err := initTransport("")
+	if err != nil {
+		t.Errorf("want err to be nil, but got %v", err)
+		return
+	}
+	if roundTripper == nil {
+		t.Error("expected roundtripper, got nil")
+	}
+}
+
+func TestInitTransportWithCustomCA(t *testing.T) {
+	roundTripper, err := initTransport("test/ca.pem")
+	if err != nil {
+		t.Errorf("want err to be nil, but got %v", err)
+		return
+	}
+	transport := roundTripper.(*http.Transport)
+	if transport.TLSClientConfig.RootCAs == nil {
+		t.Error("expected root CA to be set, got nil")
+	}
+}
