@@ -45,9 +45,10 @@ type TLSBytes struct {
45
45
// - ca.crt, for the CA certificate
46
46
//
47
47
// Secrets with no certificate, private key, AND CA cert are ignored. If only a
48
- // certificate OR private key is found, an error is returned.
48
+ // certificate OR private key is found, an error is returned. The Secret type
49
+ // can be blank, Opaque or kubernetes.io/tls.
49
50
func KubeTLSClientConfigFromSecret (secret corev1.Secret , url string ) (* tls.Config , * TLSBytes , error ) {
50
- return tlsClientConfigFromSecret (secret , url , true )
51
+ return tlsClientConfigFromSecret (secret , url , true , true )
51
52
}
52
53
53
54
// TLSClientConfigFromSecret returns a TLS client config as a `tls.Config`
@@ -58,9 +59,23 @@ func KubeTLSClientConfigFromSecret(secret corev1.Secret, url string) (*tls.Confi
58
59
// - caFile, for the CA certificate
59
60
//
60
61
// Secrets with no certificate, private key, AND CA cert are ignored. If only a
61
- // certificate OR private key is found, an error is returned.
62
+ // certificate OR private key is found, an error is returned. The Secret type
63
+ // can be blank, Opaque or kubernetes.io/tls.
62
64
func TLSClientConfigFromSecret (secret corev1.Secret , url string ) (* tls.Config , * TLSBytes , error ) {
63
- return tlsClientConfigFromSecret (secret , url , false )
65
+ return tlsClientConfigFromSecret (secret , url , false , true )
66
+ }
67
+
68
+ // LegacyTLSClientConfigFromSecret returns a TLS client config as a `tls.Config`
69
+ // object and in its bytes representation. The secret is expected to have the
70
+ // following keys:
71
+ // - keyFile, for the private key
72
+ // - certFile, for the certificate
73
+ // - caFile, for the CA certificate
74
+ //
75
+ // Secrets with no certificate, private key, AND CA cert are ignored. If only a
76
+ // certificate OR private key is found, an error is returned.
77
+ func LegacyTLSClientConfigFromSecret (secret corev1.Secret , url string ) (* tls.Config , * TLSBytes , error ) {
78
+ return tlsClientConfigFromSecret (secret , url , false , false )
64
79
}
65
80
66
81
// tlsClientConfigFromSecret attempts to construct and return a TLS client
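Review bot: The doc comment on LegacyTLSClientConfigFromSecret (gutter lines 68–77) omits the one thing that distinguishes it from TLSClientConfigFromSecret: it passes checkType=false, so a Secret of any type — not only blank, Opaque or kubernetes.io/tls — is accepted as long as it carries the caFile/certFile/keyFile keys. That type restriction is presumably a guard against pointing TLS config at Secrets meant for something else, so silently dropping it in an exported function deserves an explicit statement; I would add `// Unlike TLSClientConfigFromSecret, the Secret's type is NOT validated.` to the comment. If the legacy path exists only to keep existing Secrets working, a `// Deprecated: use TLSClientConfigFromSecret instead.` line would steer new callers away and let tooling surface it.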
@@ -75,14 +90,20 @@ func TLSClientConfigFromSecret(secret corev1.Secret, url string) (*tls.Config, *
75
90
// - ca.crt/caFile for the CA certificate
76
91
// The keys should adhere to a single convention, i.e. a Secret with tls.key
77
92
// and certFile is invalid.
78
- func tlsClientConfigFromSecret (secret corev1.Secret , url string , kubernetesTLSKeys bool ) (* tls.Config , * TLSBytes , error ) {
79
- // Only Secrets of type Opaque and TLS are allowed. We also allow Secrets with a blank
80
- // type, to avoid having to specify the type of the Secret for every test case.
81
- // Since a real Kubernetes Secret is of type Opaque by default, its safe to allow this.
82
- switch secret .Type {
83
- case corev1 .SecretTypeOpaque , corev1 .SecretTypeTLS , "" :
84
- default :
85
- return nil , nil , fmt .Errorf ("cannot use secret '%s' to construct TLS config: invalid secret type: '%s'" , secret .Name , secret .Type )
93
+ //
94
+ // checkType is a boolean indicating whether to check the Secret type. If true
95
+ // and the Secret's type is not blank, Opaque or kubernetes.io/tls, then an
96
+ // error is returned.
97
+ func tlsClientConfigFromSecret (secret corev1.Secret , url string , kubernetesTLSKeys bool , checkType bool ) (* tls.Config , * TLSBytes , error ) {
98
+ if checkType {
99
+ // Only Secrets of type Opaque and TLS are allowed. We also allow Secrets with a blank
100
+ // type, to avoid having to specify the type of the Secret for every test case.
101
+ // Since a real Kubernetes Secret is of type Opaque by default, its safe to allow this.
102
+ switch secret .Type {
103
+ case corev1 .SecretTypeOpaque , corev1 .SecretTypeTLS , "" :
104
+ default :
105
+ return nil , nil , fmt .Errorf ("cannot use secret '%s' to construct TLS config: invalid secret type: '%s'" , secret .Name , secret .Type )
106
+ }
86
107
}
87
108
88
109
var certBytes , keyBytes , caBytes []byte
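Review bot: The comment inside the new `if checkType` block (gutter lines 99–101) still reads as an unconditional rule — "Only Secrets of type Opaque and TLS are allowed" — which is no longer true now that a caller can pass checkType=false and skip the switch entirely. I would reword it to `// When checkType is set, only Secrets of type Opaque and TLS are allowed. We also allow ...` so the bypass is visible at the point where the check lives. Separately, the three call sites now pass bare boolean pairs (`true, true`, `false, true`, `false, false`), which makes it hard to see at a glance which call is the unchecked legacy path; named constants or a small options struct would make that explicit. tlsClientConfigFromSecret's body continues past the end of this hunk.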