Make the TLS certificates management dynamic.

2017-11-09 12:16:03 +01:00 · 2017-11-09 12:16:03 +01:00 · c469e669fd
commit c469e669fd
parent f6aa147c78
36 changed files with 1257 additions and 513 deletions
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@ -1,10 +1,7 @@
 package configuration

 import (
-	"crypto/tls"
 	"fmt"
-	"io/ioutil"
-	"os"
 	"strings"
 	"time"

@ -25,6 +22,7 @@ import (
 	"github.com/containous/traefik/provider/rancher"
 	"github.com/containous/traefik/provider/web"
 	"github.com/containous/traefik/provider/zk"
+	"github.com/containous/traefik/tls"
 	"github.com/containous/traefik/types"
 )

@ -64,7 +62,7 @@ type GlobalConfiguration struct {
 	MaxIdleConnsPerHost       int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, DefaultMaxIdleConnsPerHost is used" export:"true"`
 	IdleTimeout               flaeg.Duration          `description:"(Deprecated) maximum amount of time an idle (keep-alive) connection will remain idle before closing itself." export:"true"` // Deprecated
 	InsecureSkipVerify        bool                    `description:"Disable SSL certificate verification" export:"true"`
-	RootCAs                   RootCAs                 `description:"Add cert file for self-signed certificate"`
+	RootCAs                   tls.RootCAs             `description:"Add cert file for self-signed certificate"`
 	Retry                     *Retry                  `description:"Enable retry sending request if network error" export:"true"`
 	HealthCheck               *HealthCheckConfig      `description:"Health check parameters" export:"true"`
 	RespondingTimeouts        *RespondingTimeouts     `description:"Timeouts for incoming requests to the Traefik instance" export:"true"`
@ -191,68 +189,6 @@ func (dep *DefaultEntryPoints) Type() string {
 	return "defaultentrypoints"
 }

-// RootCAs hold the CA we want to have in root
-type RootCAs []FileOrContent
-
-// FileOrContent hold a file path or content
-type FileOrContent string
-
-func (f FileOrContent) String() string {
-	return string(f)
-}
-
-func (f FileOrContent) Read() ([]byte, error) {
-	var content []byte
-	if _, err := os.Stat(f.String()); err == nil {
-		content, err = ioutil.ReadFile(f.String())
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		content = []byte(f)
-	}
-	return content, nil
-}
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (r *RootCAs) String() string {
-	sliceOfString := make([]string, len([]FileOrContent(*r)))
-	for key, value := range *r {
-		sliceOfString[key] = value.String()
-	}
-	return strings.Join(sliceOfString, ",")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (r *RootCAs) Set(value string) error {
-	rootCAs := strings.Split(value, ",")
-	if len(rootCAs) == 0 {
-		return fmt.Errorf("bad RootCAs format: %s", value)
-	}
-	for _, rootCA := range rootCAs {
-		*r = append(*r, FileOrContent(rootCA))
-	}
-	return nil
-}
-
-// Get return the EntryPoints map
-func (r *RootCAs) Get() interface{} {
-	return RootCAs(*r)
-}
-
-// SetValue sets the EntryPoints map with val
-func (r *RootCAs) SetValue(val interface{}) {
-	*r = RootCAs(val.(RootCAs))
-}
-
-// Type is type of the struct
-func (r *RootCAs) Type() string {
-	return "rootcas"
-}
-
 // EntryPoints holds entry points configuration of the reverse proxy (ip, port, TLS...)
 type EntryPoints map[string]*EntryPoint

@ -268,18 +204,18 @@ func (ep *EntryPoints) String() string {
 func (ep *EntryPoints) Set(value string) error {
 	result := parseEntryPointsConfiguration(value)

-	var configTLS *TLS
+	var configTLS *tls.TLS
 	if len(result["tls"]) > 0 {
-		certs := Certificates{}
+		certs := tls.Certificates{}
 		if err := certs.Set(result["tls"]); err != nil {
 			return err
 		}
-		configTLS = &TLS{
+		configTLS = &tls.TLS{
 			Certificates: certs,
 		}
 	} else if len(result["tls_acme"]) > 0 {
-		configTLS = &TLS{
-			Certificates: Certificates{},
+		configTLS = &tls.TLS{
+			Certificates: tls.Certificates{},
 		}
 	}
 	if len(result["ca"]) > 0 {
@ -391,7 +327,7 @@ func (ep *EntryPoints) Type() string {
 type EntryPoint struct {
 	Network              string
 	Address              string
-	TLS                  *TLS        `export:"true"`
+	TLS                  *tls.TLS    `export:"true"`
 	Redirect             *Redirect   `export:"true"`
 	Auth                 *types.Auth `export:"true"`
 	WhitelistSourceRange []string
@ -407,123 +343,6 @@ type Redirect struct {
 	Replacement string
 }

-// TLS configures TLS for an entry point
-type TLS struct {
-	MinVersion    string `export:"true"`
-	CipherSuites  []string
-	Certificates  Certificates
-	ClientCAFiles []string
-}
-
-// MinVersion Map of allowed TLS minimum versions
-var MinVersion = map[string]uint16{
-	`VersionTLS10`: tls.VersionTLS10,
-	`VersionTLS11`: tls.VersionTLS11,
-	`VersionTLS12`: tls.VersionTLS12,
-}
-
-// CipherSuites Map of TLS CipherSuites from crypto/tls
-// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
-var CipherSuites = map[string]uint16{
-	`TLS_RSA_WITH_RC4_128_SHA`:                tls.TLS_RSA_WITH_RC4_128_SHA,
-	`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-	`TLS_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	`TLS_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	`TLS_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-	`TLS_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	`TLS_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-	`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-}
-
-// Certificates defines traefik certificates type
-// Certs and Keys could be either a file path, or the file content itself
-type Certificates []Certificate
-
-//CreateTLSConfig creates a TLS config from Certificate structures
-func (certs *Certificates) CreateTLSConfig() (*tls.Config, error) {
-	config := &tls.Config{}
-	config.Certificates = []tls.Certificate{}
-	certsSlice := []Certificate(*certs)
-	for _, v := range certsSlice {
-		var err error
-
-		certContent, err := v.CertFile.Read()
-		if err != nil {
-			return nil, err
-		}
-
-		keyContent, err := v.KeyFile.Read()
-		if err != nil {
-			return nil, err
-		}
-
-		cert, err := tls.X509KeyPair(certContent, keyContent)
-		if err != nil {
-			return nil, err
-		}
-
-		config.Certificates = append(config.Certificates, cert)
-	}
-	return config, nil
-}
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (certs *Certificates) String() string {
-	if len(*certs) == 0 {
-		return ""
-	}
-	var result []string
-	for _, certificate := range *certs {
-		result = append(result, certificate.CertFile.String()+","+certificate.KeyFile.String())
-	}
-	return strings.Join(result, ";")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (certs *Certificates) Set(value string) error {
-	certificates := strings.Split(value, ";")
-	for _, certificate := range certificates {
-		files := strings.Split(certificate, ",")
-		if len(files) != 2 {
-			return fmt.Errorf("bad certificates format: %s", value)
-		}
-		*certs = append(*certs, Certificate{
-			CertFile: FileOrContent(files[0]),
-			KeyFile:  FileOrContent(files[1]),
-		})
-	}
-	return nil
-}
-
-// Type is type of the struct
-func (certs *Certificates) Type() string {
-	return "certificates"
-}
-
-// Certificate holds a SSL cert/key pair
-// Certs and Key could be either a file path, or the file content itself
-type Certificate struct {
-	CertFile FileOrContent
-	KeyFile  FileOrContent
-}
-
 // Retry contains request retry config
 type Retry struct {
 	Attempts int `description:"Number of attempts" export:"true"`