feat: add tls support to konnect client

Kong · Jan 29, 2024 · 2e02a4f · 2e02a4f
1 parent 1c0db2d
commit 2e02a4f
Showing 1 changed file with 51 additions and 35 deletions.
diff --git a/pkg/utils/types.go b/pkg/utils/types.go
@@ -95,12 +95,7 @@ type KongClientConfig struct {
 	Address   string
 	Workspace string
 
-	TLSServerName string
-
-	TLSCACert string
-
-	TLSSkipVerify bool
-	Debug         bool
+	Debug bool
 
 	SkipWorkspaceCrud bool
 
@@ -112,12 +107,10 @@ type KongClientConfig struct {
 
 	CookieJarPath string
 
-	TLSClientCert string
-
-	TLSClientKey string
-
 	// whether or not the client should retry on 429s
 	Retryable bool
+
+	TLSConfig TLSConfig
 }
 
 type KonnectConfig struct {
@@ -131,6 +124,16 @@ type KonnectConfig struct {
 	Headers []string
 
 	ControlPlaneName string
+
+	TLSConfig TLSConfig
+}
+
+type TLSConfig struct {
+	ServerName string
+	CACert     string
+	ClientCert string
+	ClientKey  string
+	SkipVerify bool
 }
 
 // ForWorkspace returns a copy of KongClientConfig that produces a KongClient for the workspace specified by argument.
@@ -209,30 +212,9 @@ func getRetryableClient(client *http.Client) *http.Client {
 
 // GetKongClient returns a Kong client
 func GetKongClient(opt KongClientConfig) (*kong.Client, error) {
-	var tlsConfig tls.Config
-	if opt.TLSSkipVerify {
-		tlsConfig.InsecureSkipVerify = true //nolint:gosec
-	}
-	if opt.TLSServerName != "" {
-		tlsConfig.ServerName = opt.TLSServerName
-	}
-
-	if opt.TLSCACert != "" {
-		certPool := x509.NewCertPool()
-		ok := certPool.AppendCertsFromPEM([]byte(opt.TLSCACert))
-		if !ok {
-			return nil, fmt.Errorf("failed to load TLSCACert")
-		}
-		tlsConfig.RootCAs = certPool
-	}
-
-	if opt.TLSClientCert != "" && opt.TLSClientKey != "" {
-		// Read the key pair to create certificate
-		cert, err := tls.X509KeyPair([]byte(opt.TLSClientCert), []byte(opt.TLSClientKey))
-		if err != nil {
-			return nil, fmt.Errorf("failed to load client certificate: %w", err)
-		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
+	tlsConfig, err := getTLSConfig(opt.TLSConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load TLS config: %w", err)
 	}
 
 	clientTimeout = time.Duration(opt.Timeout) * time.Second
@@ -241,7 +223,7 @@ func GetKongClient(opt KongClientConfig) (*kong.Client, error) {
 		c = HTTPClient()
 	}
 	defaultTransport := http.DefaultTransport.(*http.Transport)
-	defaultTransport.TLSClientConfig = &tlsConfig
+	defaultTransport.TLSClientConfig = tlsConfig
 	c.Transport = defaultTransport
 	address := CleanAddress(opt.Address)
 
@@ -296,13 +278,47 @@ func parseHeaders(headers []string) (http.Header, error) {
 	return res, nil
 }
 
+func getTLSConfig(opt TLSConfig) (*tls.Config, error) {
+	var tlsConfig tls.Config
+	if opt.SkipVerify {
+		tlsConfig.InsecureSkipVerify = true //nolint:gosec
+	}
+	if opt.ServerName != "" {
+		tlsConfig.ServerName = opt.ServerName
+	}
+
+	if opt.CACert != "" {
+		certPool := x509.NewCertPool()
+		ok := certPool.AppendCertsFromPEM([]byte(opt.CACert))
+		if !ok {
+			return nil, fmt.Errorf("failed to load TLSCACert")
+		}
+		tlsConfig.RootCAs = certPool
+	}
+
+	if opt.ClientCert != "" && opt.ClientKey != "" {
+		// Read the key pair to create certificate
+		cert, err := tls.X509KeyPair([]byte(opt.ClientCert), []byte(opt.ClientKey))
+		if err != nil {
+			return nil, fmt.Errorf("failed to load client certificate: %w", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+	return &tlsConfig, nil
+}
+
 func GetKonnectClient(httpClient *http.Client, config KonnectConfig) (*konnect.Client,
 	error,
 ) {
 	address := CleanAddress(config.Address)
 
 	if httpClient == nil {
+		tlsConfig, err := getTLSConfig(config.TLSConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load TLS config: %w", err)
+		}
 		defaultTransport := http.DefaultTransport.(*http.Transport)
+		defaultTransport.TLSClientConfig = tlsConfig
 		defaultTransport.Proxy = http.ProxyFromEnvironment
 		httpClient = http.DefaultClient
 		httpClient.Transport = defaultTransport