11
stdlibtls "crypto/tls"
16
"github.com/cosi-project/runtime/pkg/resource"
17
"github.com/cosi-project/runtime/pkg/state"
18
"github.com/siderolabs/crypto/tls"
19
"github.com/siderolabs/crypto/x509"
20
"github.com/siderolabs/gen/xslices"
22
"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
26
type TLSConfig struct {
27
certificateProvider *certificateProvider
28
watchCh <-chan state.Event
32
func NewTLSConfig(ctx context.Context, resources state.State) (*TLSConfig, error) {
33
watchCh := make(chan state.Event)
35
if err := resources.Watch(ctx, resource.NewMetadata(secrets.NamespaceName, secrets.APIType, secrets.APIID, resource.VersionUndefined), watchCh); err != nil {
36
return nil, fmt.Errorf("error setting up watch: %w", err)
40
provider := &certificateProvider{}
48
case event = <-watchCh:
52
case state.Created, state.Updated:
54
case state.Destroyed, state.Bootstrapped:
58
return nil, fmt.Errorf("error watching for API certificates: %w", event.Error)
61
apiCerts := event.Resource.(*secrets.API)
63
if err := provider.Update(apiCerts); err != nil {
68
certificateProvider: provider,
75
func (tlsConfig *TLSConfig) Watch(ctx context.Context, onUpdate func()) error {
82
case event = <-tlsConfig.watchCh:
86
case state.Created, state.Updated:
88
case state.Destroyed, state.Bootstrapped:
92
return fmt.Errorf("error watching API certificates: %w", event.Error)
95
apiCerts := event.Resource.(*secrets.API)
97
if err := tlsConfig.certificateProvider.Update(apiCerts); err != nil {
98
return fmt.Errorf("failed updating cert: %v", err)
108
func (tlsConfig *TLSConfig) ServerConfig() (*stdlibtls.Config, error) {
110
tls.WithClientAuthType(tls.Mutual),
111
tls.WithDynamicClientCA(tlsConfig.certificateProvider),
112
tls.WithServerCertificateProvider(tlsConfig.certificateProvider),
117
func (tlsConfig *TLSConfig) ClientConfig() (*stdlibtls.Config, error) {
118
if !tlsConfig.certificateProvider.HasClientCertificate() {
122
ca, err := tlsConfig.certificateProvider.GetCA()
124
return nil, fmt.Errorf("failed to get root CA: %w", err)
128
tls.WithClientAuthType(tls.Mutual),
129
tls.WithCACertPEM(ca),
130
tls.WithClientCertificateProvider(tlsConfig.certificateProvider),
134
type certificateProvider struct {
138
caCertPool *stdx509.CertPool
139
clientCert, serverCert *stdlibtls.Certificate
142
func (p *certificateProvider) Update(apiCerts *secrets.API) error {
146
serverCert, err := stdlibtls.X509KeyPair(apiCerts.TypedSpec().Server.Crt, apiCerts.TypedSpec().Server.Key)
148
return fmt.Errorf("failed to parse server cert and key into a TLS Certificate: %w", err)
151
p.serverCert = &serverCert
155
apiCerts.TypedSpec().AcceptedCAs,
156
func(cert *x509.PEMEncodedCertificate) []byte {
163
p.caCertPool = stdx509.NewCertPool()
164
if !p.caCertPool.AppendCertsFromPEM(p.ca) {
165
return fmt.Errorf("failed to parse CA certs into a CertPool")
168
if apiCerts.TypedSpec().Client != nil {
169
clientCert, err := stdlibtls.X509KeyPair(apiCerts.TypedSpec().Client.Crt, apiCerts.TypedSpec().Client.Key)
171
return fmt.Errorf("failed to parse client cert and key into a TLS Certificate: %w", err)
174
p.clientCert = &clientCert
182
func (p *certificateProvider) GetCA() ([]byte, error) {
189
func (p *certificateProvider) GetCACertPool() (*stdx509.CertPool, error) {
193
return p.caCertPool, nil
196
func (p *certificateProvider) GetCertificate(h *stdlibtls.ClientHelloInfo) (*stdlibtls.Certificate, error) {
200
return p.serverCert, nil
203
func (p *certificateProvider) HasClientCertificate() bool {
207
return p.clientCert != nil
210
func (p *certificateProvider) GetClientCertificate(*stdlibtls.CertificateRequestInfo) (*stdlibtls.Certificate, error) {
214
return p.clientCert, nil