diff --git a/cmd/pomerium-cli/kubernetes.go b/cmd/pomerium-cli/kubernetes.go
index b34e75475..4ac5fdace 100644
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@@ -2,6 +2,9 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -19,7 +22,20 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 
+var kubernetesExecCredentialOption struct {
+	disableTLSVerification bool
+	alternateCAPath string
+	caCert string
+}
+
 func init() {
+	flags := kubernetesExecCredentialCmd.Flags()
+	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
+		"disables TLS verification")
+	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
+		"path to CA certificate to use for HTTP requests")
+	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
+		"base64-encoded CA TLS certificate to use for HTTP requests")
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@@ -97,6 +113,11 @@ func runHTTPServer(ctx context.Context, li net.Listener, incomingJWT chan string
 			go func() { _ = srv.Shutdown(ctx) }()
 		}),
 	}
+	// shutdown the server when ctx is done.
+	go func() {
+		<-ctx.Done()
+		_ = srv.Shutdown(ctx)
+	}()
 	err := srv.Serve(li)
 	if err == http.ErrServerClosed {
 		err = nil
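Review bot: The help text for `--disable-tls-verification`, `"disables TLS verification"`, does not tell the user what they give up: with it set, the request that fetches the login URL from the Pomerium server (made later in this diff) accepts any certificate, so an on-path attacker can hand the CLI an attacker-chosen login URL for the credential flow. Suggest `"disable TLS certificate verification of the Pomerium server (INSECURE; for local testing only)"`. The two CA flags also read as alternatives, yet nothing says what happens when both are supplied — the help text should state whether they combine or which one wins, since the code elsewhere in this diff appears to let the last one silently replace the other. Binding flags to a package-level struct from init() looks like the file's existing cobra pattern, so no objection to that part.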
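Review bot: The goroutine added here blocks on `<-ctx.Done()` for as long as the context lives, so when `srv.Serve` returns for another reason — the handler's own `go func() { _ = srv.Shutdown(ctx) }()` two lines above, or a listener error — it is left behind until the caller cancels ctx; whether the caller does so promptly is not visible in this hunk, so this may be harmless in practice but is worth a comment. Separately, `srv.Shutdown(ctx)` is passed a context that is already done, so Shutdown closes the listener but returns `ctx.Err()` at once rather than waiting for in-flight connections; if that is deliberate for a short-lived CLI callback server, say so: `// ctx is already done here: Shutdown closes the listener but does not drain active connections.` Otherwise use a fresh short-lived context, e.g. `sctx, cancel := context.WithTimeout(context.Background(), 2*time.Second); defer cancel(); _ = srv.Shutdown(sctx)`. runHTTPServer's body starts before this hunk.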
@@ -112,12 +133,42 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 		}.Encode(),
 	})
 
+	ctx, clearTimeout := context.WithTimeout(ctx, 10*time.Second)
+	defer clearTimeout()
+
 	req, err := http.NewRequestWithContext(ctx, "GET", dst.String(), nil)
 	if err != nil {
 		return err
 	}
 
-	res, err := http.DefaultClient.Do(req)
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+	if kubernetesExecCredentialOption.disableTLSVerification {
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}
+	if kubernetesExecCredentialOption.alternateCAPath != "" {
+		data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+	if kubernetesExecCredentialOption.caCert != "" {
+		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
+		if err != nil {
+			return fmt.Errorf("error reading CA certificate: %w", err)
+		}
+		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	}
+
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	res, err := client.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to get login url: %w", err)
 	}
diff --git a/go.sum b/go.sum
index 9cd234b1c..f8c4d1f4a 100644
--- a/go.sum
+++ b/go.sum
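Review bot: Both `AppendCertsFromPEM` calls discard their boolean result, so a file or `--ca-cert` value that contains no parsable PEM certificate leaves `RootCAs` as an empty pool and every request then fails with a generic x509 unknown-authority error instead of pointing at the bad input; check it, e.g. `if !transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data) { return fmt.Errorf("no PEM certificates found in CA data") }`. When both `--alternate-ca-path` and `--ca-cert` are given, the second block assigns a fresh pool and silently drops the CAs the first block loaded — either reject the combination or append both into one pool. The bare `&http.Transport{}` also loses `http.DefaultTransport`'s `Proxy: http.ProxyFromEnvironment` (and its dial/handshake timeouts), so a user behind an HTTPS proxy loses it for exactly this request; if that is not intended, set it explicitly. Since this is a fresh `tls.Config` rather than the default transport's, pinning `MinVersion: tls.VersionTLS12` here is cheap and in keeping with the flag's purpose. The sketch below folds these together; runOpenBrowser starts before this hunk (the `dst` construction) and the response handling continues after it.
```go
	// … unchanged: context timeout and request construction …
	tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
	if kubernetesExecCredentialOption.disableTLSVerification {
		tlsConfig.InsecureSkipVerify = true
	}
	// Load every supplied CA into one pool so --alternate-ca-path and --ca-cert
	// combine instead of the last one silently replacing the other, and fail
	// loudly when the supplied bytes contain no PEM certificate at all.
	var pool *x509.CertPool
	addCA := func(pemData []byte, src string) error {
		if pool == nil {
			pool = x509.NewCertPool()
		}
		if !pool.AppendCertsFromPEM(pemData) {
			return fmt.Errorf("no PEM-encoded certificates found in %s", src)
		}
		return nil
	}
	if p := kubernetesExecCredentialOption.alternateCAPath; p != "" {
		data, err := ioutil.ReadFile(p)
		if err != nil {
			return fmt.Errorf("error reading CA certificate: %w", err)
		}
		if err := addCA(data, p); err != nil {
			return err
		}
	}
	if kubernetesExecCredentialOption.caCert != "" {
		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
		if err != nil {
			return fmt.Errorf("error decoding CA certificate: %w", err)
		}
		if err := addCA(data, "--ca-cert"); err != nil {
			return err
		}
	}
	if pool != nil {
		tlsConfig.RootCAs = pool
	}
	transport := &http.Transport{
		Proxy:           http.ProxyFromEnvironment, // keep proxy behaviour of http.DefaultTransport
		TLSClientConfig: tlsConfig,
	}
	// … unchanged: client construction, client.Do(req) and response handling …
```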
@@ -589,6 +589,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200115085410-6d4e4cb37c7d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=