Skip to content

Commit

Permalink
feat: add tls support to konnect client
Browse files Browse the repository at this point in the history
  • Loading branch information
GGabriele committed Feb 1, 2024
1 parent 1c0db2d commit a013b4a
Show file tree
Hide file tree
Showing 4 changed files with 133 additions and 44 deletions.
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ require (
github.com/hashicorp/go-memdb v1.3.4
github.com/hashicorp/go-retryablehttp v0.7.5
github.com/hexops/gotextdiff v1.0.3
github.com/kong/deck v1.32.0
github.com/kong/deck v1.32.2-0.20240130093755-1b708da921f5
github.com/kong/go-kong v0.51.1-0.20240125175037-0c077f5b9ac7
github.com/shirou/gopsutil/v3 v3.23.12
github.com/shirou/gopsutil/v3 v3.24.1
github.com/ssgelm/cookiejarparser v1.0.1
github.com/stretchr/testify v1.8.4
github.com/xeipuuv/gojsonschema v1.2.0
Expand Down
9 changes: 4 additions & 5 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -182,8 +182,8 @@ github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuOb
github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
github.com/kong/deck v1.32.0 h1:ujLpVoBGToXxLiDOaFWrutUIUCLxm1oSJU4EX1CFWJE=
github.com/kong/deck v1.32.0/go.mod h1:ptH2oAsaczpcxUs0npmDL6RCER6vleFBII9Kc3rSFZ8=
github.com/kong/deck v1.32.2-0.20240130093755-1b708da921f5 h1:BKuzSnX0pwKPPiSsZgKHM+jAGTSV05Dt9NxnrgqCpXE=
github.com/kong/deck v1.32.2-0.20240130093755-1b708da921f5/go.mod h1:oV/8tP95DcK4/JUn0x3hoi9YSPMT63SdsAMKFBGQ2bQ=
github.com/kong/go-apiops v0.1.29 h1:c+AB8MmGIr+K01Afm4GB2xaOmJnD/8KWMJQkr9qssnc=
github.com/kong/go-apiops v0.1.29/go.mod h1:ZNdiTZyVrAssB4wjEYWV7BfpcV9UME9LxnDDZhMPuNU=
github.com/kong/go-kong v0.51.1-0.20240125175037-0c077f5b9ac7 h1:/iV93Gwv410lIeJx8VCfCA4fpuvSuTw2LqZpDXsIE9Q=
Expand Down Expand Up @@ -287,8 +287,8 @@ github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPO
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4=
github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM=
github.com/shirou/gopsutil/v3 v3.24.1 h1:R3t6ondCEvmARp3wxODhXMTLC/klMa87h2PHUw5m7QI=
github.com/shirou/gopsutil/v3 v3.24.1/go.mod h1:UU7a2MSBQa+kW1uuDq8DeEBS8kmrnQwsv2b5O513rwU=
github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
Expand Down Expand Up @@ -423,7 +423,6 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
Expand Down
108 changes: 73 additions & 35 deletions pkg/utils/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,12 +95,7 @@ type KongClientConfig struct {
Address string
Workspace string

TLSServerName string

TLSCACert string

TLSSkipVerify bool
Debug bool
Debug bool

SkipWorkspaceCrud bool

Expand All @@ -112,12 +107,10 @@ type KongClientConfig struct {

CookieJarPath string

TLSClientCert string

TLSClientKey string

// whether or not the client should retry on 429s
Retryable bool

TLSConfig TLSConfig
}

type KonnectConfig struct {
Expand All @@ -131,6 +124,16 @@ type KonnectConfig struct {
Headers []string

ControlPlaneName string

TLSConfig TLSConfig
}

type TLSConfig struct {
ServerName string
CACert string
ClientCert string
ClientKey string
SkipVerify bool
}

// ForWorkspace returns a copy of KongClientConfig that produces a KongClient for the workspace specified by argument.
Expand Down Expand Up @@ -209,30 +212,9 @@ func getRetryableClient(client *http.Client) *http.Client {

// GetKongClient returns a Kong client
func GetKongClient(opt KongClientConfig) (*kong.Client, error) {
var tlsConfig tls.Config
if opt.TLSSkipVerify {
tlsConfig.InsecureSkipVerify = true //nolint:gosec
}
if opt.TLSServerName != "" {
tlsConfig.ServerName = opt.TLSServerName
}

if opt.TLSCACert != "" {
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM([]byte(opt.TLSCACert))
if !ok {
return nil, fmt.Errorf("failed to load TLSCACert")
}
tlsConfig.RootCAs = certPool
}

if opt.TLSClientCert != "" && opt.TLSClientKey != "" {
// Read the key pair to create certificate
cert, err := tls.X509KeyPair([]byte(opt.TLSClientCert), []byte(opt.TLSClientKey))
if err != nil {
return nil, fmt.Errorf("failed to load client certificate: %w", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
tlsConfig, err := getTLSConfig(opt.TLSConfig)
if err != nil {
return nil, fmt.Errorf("failed to load TLS config: %w", err)
}

clientTimeout = time.Duration(opt.Timeout) * time.Second
Expand All @@ -241,7 +223,7 @@ func GetKongClient(opt KongClientConfig) (*kong.Client, error) {
c = HTTPClient()
}
defaultTransport := http.DefaultTransport.(*http.Transport)
defaultTransport.TLSClientConfig = &tlsConfig
defaultTransport.TLSClientConfig = tlsConfig
c.Transport = defaultTransport
address := CleanAddress(opt.Address)

Expand Down Expand Up @@ -296,13 +278,47 @@ func parseHeaders(headers []string) (http.Header, error) {
return res, nil
}

func getTLSConfig(opt TLSConfig) (*tls.Config, error) {
var tlsConfig tls.Config
if opt.SkipVerify {
tlsConfig.InsecureSkipVerify = true //nolint:gosec
}
if opt.ServerName != "" {
tlsConfig.ServerName = opt.ServerName
}

if opt.CACert != "" {
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM([]byte(opt.CACert))
if !ok {
return nil, fmt.Errorf("failed to load TLSCACert")
}
tlsConfig.RootCAs = certPool
}

if opt.ClientCert != "" && opt.ClientKey != "" {
// Read the key pair to create certificate
cert, err := tls.X509KeyPair([]byte(opt.ClientCert), []byte(opt.ClientKey))
if err != nil {
return nil, fmt.Errorf("failed to load client certificate: %w", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
return &tlsConfig, nil
}

func GetKonnectClient(httpClient *http.Client, config KonnectConfig) (*konnect.Client,
error,
) {
address := CleanAddress(config.Address)

if httpClient == nil {
tlsConfig, err := getTLSConfig(config.TLSConfig)
if err != nil {
return nil, fmt.Errorf("failed to load TLS config: %w", err)
}
defaultTransport := http.DefaultTransport.(*http.Transport)
defaultTransport.TLSClientConfig = tlsConfig
defaultTransport.Proxy = http.ProxyFromEnvironment
httpClient = http.DefaultClient
httpClient.Transport = defaultTransport
Expand Down Expand Up @@ -345,3 +361,25 @@ func HTTPClient() *http.Client {
},
}
}

func HTTPClientWithTLSConfig(opt TLSConfig) (*http.Client, error) {
httpClient := &http.Client{
Timeout: clientTimeout,
Transport: &http.Transport{
DialContext: (&net.Dialer{Timeout: clientTimeout}).DialContext,
TLSHandshakeTimeout: clientTimeout,
Proxy: http.ProxyFromEnvironment,
},
}

tlsConfig, err := getTLSConfig(opt)
if err != nil {
return nil, fmt.Errorf("failed to load TLS config: %w", err)
}
defaultTransport := http.DefaultTransport.(*http.Transport)
defaultTransport.TLSClientConfig = tlsConfig
defaultTransport.Proxy = http.ProxyFromEnvironment
httpClient = http.DefaultClient
httpClient.Transport = defaultTransport
return httpClient, nil
}
56 changes: 54 additions & 2 deletions tests/integration/sync_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,24 @@ var (
},
}

plugin36 = []*kong.Plugin{
{
Name: kong.String("basic-auth"),
Protocols: []*string{
kong.String("grpc"),
kong.String("grpcs"),
kong.String("http"),
kong.String("https"),
},
Enabled: kong.Bool(true),
Config: kong.Configuration{
"anonymous": "58076db2-28b6-423b-ba39-a797193017f7",
"hide_credentials": false,
"realm": string("service"),
},
},
}

plugin_on_entities = []*kong.Plugin{ //nolint:revive,stylecheck
{
Name: kong.String("prometheus"),
Expand Down Expand Up @@ -1537,7 +1555,7 @@ func Test_Sync_BasicAuth_Plugin_From_2_0_5_Till_2_8_0(t *testing.T) {
}

// test scope:
// - 3.x
// - >=3.0 <3.6.0
func Test_Sync_BasicAuth_Plugin_From_3x(t *testing.T) {
// setup stage
client, err := getTestClient()
Expand All @@ -1561,7 +1579,41 @@ func Test_Sync_BasicAuth_Plugin_From_3x(t *testing.T) {
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
runWhenKongOrKonnect(t, ">=3.0.0")
runWhenKongOrKonnect(t, ">=3.0.0 <3.6.0")
setup(t)

sync(tc.kongFile)
testKongState(t, client, false, tc.expectedState, nil)
})
}
}

// test scope:
// - 3.6+
func Test_Sync_BasicAuth_Plugin_From_36(t *testing.T) {
// setup stage
client, err := getTestClient()
if err != nil {
t.Fatalf(err.Error())
}

tests := []struct {
name string
kongFile string
initialKongFile string
expectedState utils.KongRawState
}{
{
name: "create a plugin",
kongFile: "testdata/sync/003-create-a-plugin/kong3x.yaml",
expectedState: utils.KongRawState{
Plugins: plugin36,
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
runWhenKongOrKonnect(t, ">=3.6.0")
setup(t)

sync(tc.kongFile)
Expand Down

0 comments on commit a013b4a

Please sign in to comment.