mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-18 21:29:50 +00:00
91774fc936
Uses github.com/libopenstorage/secrets to communicate with Vault. This removes the need for maintaining our own limited Vault APIs. By adding the new dependency, several other packages got updated in the process. Unused indirect dependencies have been removed from go.mod. Signed-off-by: Niels de Vos <ndevos@redhat.com>
45 lines
1.4 KiB
Markdown
45 lines
1.4 KiB
Markdown
# rootcerts
|
|
|
|
Functions for loading root certificates for TLS connections.
|
|
|
|
-----
|
|
|
|
Go's standard library `crypto/tls` provides a common mechanism for configuring
|
|
TLS connections in `tls.Config`. The `RootCAs` field on this struct is a pool
|
|
of certificates for the client to use as a trust store when verifying server
|
|
certificates.
|
|
|
|
This library contains utility functions for loading certificates destined for
|
|
that field, as well as one other important thing:
|
|
|
|
When the `RootCAs` field is `nil`, the standard library attempts to load the
|
|
host's root CA set. This behavior is OS-specific, and the Darwin
|
|
implementation contains [a bug that prevents trusted certificates from the
|
|
System and Login keychains from being loaded][1]. This library contains
|
|
Darwin-specific behavior that works around that bug.
|
|
|
|
[1]: https://github.com/golang/go/issues/14514
|
|
|
|
## Example Usage
|
|
|
|
Here's a snippet demonstrating how this library is meant to be used:
|
|
|
|
```go
|
|
func httpClient() (*http.Client, error)
|
|
tlsConfig := &tls.Config{}
|
|
err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
|
|
CAFile: os.Getenv("MYAPP_CAFILE"),
|
|
CAPath: os.Getenv("MYAPP_CAPATH"),
|
|
Certificate: os.Getenv("MYAPP_CERTIFICATE"),
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
c := cleanhttp.DefaultClient()
|
|
t := cleanhttp.DefaultTransport()
|
|
t.TLSClientConfig = tlsConfig
|
|
c.Transport = t
|
|
return c, nil
|
|
}
|
|
```
|