summaryrefslogtreecommitdiffstats
path: root/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/go/collectors/go.d.plugin/pkg/tlscfg/config.go77
1 files changed, 77 insertions, 0 deletions
diff --git a/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go b/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go
new file mode 100644
index 000000000..60e152e0f
--- /dev/null
+++ b/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package tlscfg
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "os"
+)
+
+// TLSConfig represents the standard client TLS configuration.
+type TLSConfig struct {
+ // TLSCA specifies the certificate authority to use when verifying server certificates.
+ TLSCA string `yaml:"tls_ca" json:"tls_ca"`
+
+ // TLSCert specifies tls certificate file.
+ TLSCert string `yaml:"tls_cert" json:"tls_cert"`
+
+ // TLSKey specifies tls key file.
+ TLSKey string `yaml:"tls_key" json:"tls_key"`
+
+ // InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name.
+ InsecureSkipVerify bool `yaml:"tls_skip_verify" json:"tls_skip_verify"`
+}
+
+// NewTLSConfig creates a tls.Config, may be nil without an error if TLS is not configured.
+func NewTLSConfig(cfg TLSConfig) (*tls.Config, error) {
+ if cfg.TLSCA == "" && cfg.TLSKey == "" && cfg.TLSCert == "" && !cfg.InsecureSkipVerify {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: cfg.InsecureSkipVerify,
+ Renegotiation: tls.RenegotiateNever,
+ }
+
+ if cfg.TLSCA != "" {
+ pool, err := loadCertPool([]string{cfg.TLSCA})
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = pool
+ }
+
+ if cfg.TLSCert != "" && cfg.TLSKey != "" {
+ cert, err := loadCertificate(cfg.TLSCert, cfg.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+
+ return tlsConfig, nil
+}
+
+func loadCertPool(certFiles []string) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, certFile := range certFiles {
+ pem, err := os.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf("could not read certificate %q: %v", certFile, err)
+ }
+ if !pool.AppendCertsFromPEM(pem) {
+ return nil, fmt.Errorf("could not parse any PEM certificates %q: %v", certFile, err)
+ }
+ }
+ return pool, nil
+}
+
+func loadCertificate(certFile, keyFile string) (tls.Certificate, error) {
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return tls.Certificate{}, fmt.Errorf("could not load keypair %s:%s: %v", certFile, keyFile, err)
+ }
+ return cert, nil
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-17 00:00:37 +0000