improve ca cert error message, use GetCertPool for databroker storage (#1666)

2025-05-28 16:37:24 +02:00 · 2020-12-09 11:16:39 -07:00 · 2020-12-09 11:16:39 -07:00 · d18e8c661d
commit d18e8c661d
parent 82c7d1ee7a
4 changed files with 19 additions and 30 deletions
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@ -3,8 +3,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@ -20,6 +18,8 @@ import (
 	"golang.org/x/crypto/ssh/terminal"
 	"golang.org/x/sync/errgroup"
 	jose "gopkg.in/square/go-jose.v2"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

 var kubernetesExecCredentialOption struct {
@ -148,21 +148,12 @@ func runOpenBrowser(ctx context.Context, li net.Listener, serverURL *url.URL) er
 	if kubernetesExecCredentialOption.disableTLSVerification {
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
-	if kubernetesExecCredentialOption.alternateCAPath != "" {
-		data, err := ioutil.ReadFile(kubernetesExecCredentialOption.alternateCAPath)
-		if err != nil {
-			return fmt.Errorf("error reading CA certificate: %w", err)
-		}
-		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
-		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
-	}
-	if kubernetesExecCredentialOption.caCert != "" {
-		data, err := base64.StdEncoding.DecodeString(kubernetesExecCredentialOption.caCert)
-		if err != nil {
-			return fmt.Errorf("error reading CA certificate: %w", err)
-		}
-		transport.TLSClientConfig.RootCAs = x509.NewCertPool()
-		transport.TLSClientConfig.RootCAs.AppendCertsFromPEM(data)
+	transport.TLSClientConfig.RootCAs, err = cryptutil.GetCertPool(
+		kubernetesExecCredentialOption.caCert,
+		kubernetesExecCredentialOption.alternateCAPath,
+	)
+	if err != nil {
+		return err
 	}

 	client := &http.Client{