diff --git a/pkg/tlsutils/tlsconfig.go b/pkg/tlsutils/tlsconfig.go
index e6e4373b3c..5356b6703e 100644
--- a/pkg/tlsutils/tlsconfig.go
+++ b/pkg/tlsutils/tlsconfig.go
@@ -25,7 +25,10 @@ import (
 "strings"
 )
 
-const defaultMinVersion = 0
+const (
+ // The TLS 1.2 default was introduced in Go 1.18 (released March 2022).
+ defaultMinVersion = tls.VersionTLS12
+)
 
 // CreateTLSConfig creates tls.Config instance from TLS parameters passed in environment variables with the given prefix
 func CreateTLSConfig(prefix string) (*tls.Config, error) {
@@ -40,7 +43,7 @@ func CreateTLSConfig(prefix string) (*tls.Config, error) {
 
 // NewTLSConfig creates a tls.Config instance from directly passed parameters, loading the ca, cert, and key from disk
 func NewTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool, minVersion uint16) (*tls.Config, error) {
- if certPath != "" && keyPath == "" || certPath == "" && keyPath != "" {
+ if (certPath != "" && keyPath == "") || (certPath == "" && keyPath != "") {
 return nil, errors.New("either both cert and key or none must be provided")
 }
 var certificates []tls.Certificate
@@ -78,9 +81,8 @@ func loadRoots(caPath string) (*x509.CertPool, error) {
 if err != nil {
 return nil, fmt.Errorf("error reading %s: %w", caPath, err)
 }
- ok := roots.AppendCertsFromPEM(pem)
- if !ok {
- return nil, fmt.Errorf("could not read root certs: %w", err)
+ if !roots.AppendCertsFromPEM(pem) {
+ return nil, fmt.Errorf("could not parse PEM certificates from %s", caPath)
 }
 return roots, nil
 }
diff --git a/pkg/tlsutils/tlsconfig_test.go b/pkg/tlsutils/tlsconfig_test.go
index ed794b9956..64b8456bdb 100644
--- a/pkg/tlsutils/tlsconfig_test.go
+++ b/pkg/tlsutils/tlsconfig_test.go
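Review bot: The new comment above `defaultMinVersion` records Go history rather than the reason the constant is pinned, and a reader could take it to mean the explicit value is redundant. The crypto/tls default floor has differed between client and server across Go releases and can be lowered through GODEBUG settings, which is exactly why stating the floor in code is worth doing. Suggest `// Explicit floor for both clients and servers: do not rely on the crypto/tls default, which has varied by Go version and can be relaxed via GODEBUG.` Where the constant is applied — presumably when the caller-supplied minVersion is zero — is inside CreateTLSConfig, whose body is outside the hunk.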
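Review bot: `roots.AppendCertsFromPEM(pem)` returns true as soon as one PEM block parses, so the new check in loadRoots still accepts a CA bundle whose later blocks are corrupt, silently dropping those roots. If a partially unreadable trust store should be rejected rather than trusted, walk the file with `pem.Decode` and `x509.ParseCertificate` and return an error on the first block that fails; otherwise record the semantics with `// AppendCertsFromPEM succeeds if at least one certificate parsed; unparsable blocks are skipped.` The rewritten message is the right fix for the removed line, which wrapped an err already known to be nil at that point. loadRoots begins above the hunk.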
@@ -28,7 +28,8 @@ import (
 "sigs.k8s.io/external-dns/internal/gen/docs/utils"
 )
 
-var rsaCertPEM = `-----BEGIN CERTIFICATE-----
+var (
+ rsaCertPEM = `-----BEGIN CERTIFICATE-----
 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
@@ -41,8 +42,7 @@ MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
 -----END CERTIFICATE-----
 `
-
-var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
+ rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
@@ -52,6 +52,7 @@ xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
 -----END RSA TESTING KEY-----
 `)
+)
 
 func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
 
@@ -117,7 +118,7 @@ func TestCreateTLSConfig(t *testing.T) {
 "",
 func(_ *tls.Config, err error) {
 assert.Error(t, err)
- assert.Contains(t, err.Error(), "could not read root certs")
+ assert.Contains(t, err.Error(), "could not parse PEM certificates from")
 },
 },
 {
@@ -158,7 +159,8 @@ func TestCreateTLSConfig(t *testing.T) {
 
 if tc.caFile != "" {
 path := fmt.Sprintf("%s/caFile", dir)
- utils.WriteToFile(path, tc.caFile)
+ err := utils.WriteToFile(path, tc.caFile)
+ require.NoError(t, err)
 t.Setenv(fmt.Sprintf("%s_CA_FILE", tc.prefix), path)
 }
 
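Review bot: `err := utils.WriteToFile(path, tc.caFile)` followed by `require.NoError(t, err)` can be a single `require.NoError(t, utils.WriteToFile(path, tc.caFile))`, and the same two-line shape is repeated for certFile and keyFile in the next hunk. Borrowing a file helper from `internal/gen/docs/utils` for a TLS test is an odd coupling when `require.NoError(t, os.WriteFile(path, []byte(tc.caFile), 0o600))` would do, and `path := fmt.Sprintf("%s/caFile", dir)` reads better as `filepath.Join(dir, "caFile")`; both need imports that the import hunk does not show, so treat that as a suggestion rather than a drop-in. I assume `require` is already imported, since the import hunk adds nothing. TestCreateTLSConfig continues outside the hunk.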
@@ -168,13 +170,15 @@ func TestCreateTLSConfig(t *testing.T) {
 
 if tc.certFile != "" {
 path := fmt.Sprintf("%s/certFile", dir)
- utils.WriteToFile(path, tc.certFile)
+ err := utils.WriteToFile(path, tc.certFile)
+ require.NoError(t, err)
 t.Setenv(fmt.Sprintf("%s_CERT_FILE", tc.prefix), path)
 }
 
 if tc.keyFile != "" {
 path := fmt.Sprintf("%s/keyFile", dir)
- utils.WriteToFile(path, tc.keyFile)
+ err := utils.WriteToFile(path, tc.keyFile)
+ require.NoError(t, err)
 t.Setenv(fmt.Sprintf("%s_KEY_FILE", tc.prefix), path)
 }
 
@@ -183,7 +187,7 @@ func TestCreateTLSConfig(t *testing.T) {
 }
 
 if tc.isInsecureStr != "" {
- t.Setenv(fmt.Sprintf("%s_INSECURE", tc.prefix), tc.isInsecureStr)
+ t.Setenv(fmt.Sprintf("%s_TLS_INSECURE", tc.prefix), tc.isInsecureStr)
 }
 
 // test
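Review bot: Changing the suffix to `_TLS_INSECURE` implies the isInsecureStr cases were previously setting a variable nothing read, so any expectation they carried about the resulting config was met without the insecure branch ever running. It would be worth confirming that each of those cases asserts the outcome directly, e.g. `assert.Equal(t, tc.wantInsecure, cfg.InsecureSkipVerify)` with whatever field name the table actually uses, so the next rename of the variable fails loudly. The case bodies and CreateTLSConfig are not visible here, so this is inferred from the rename alone; TestCreateTLSConfig continues outside the hunk.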