ReadOnly filesystem error when loading certificates (#794)
Read-only file-system, ie: when console is running as container in kubernetes, was preventing console to run because of an error during creating directories Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
Lenin Alevski
GitHub
@@ -23,6 +23,8 @@ import (
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
xcerts "github.com/minio/pkg/certs"
|
||||
|
||||
"github.com/go-openapi/loads"
|
||||
"github.com/jessevdk/go-flags"
|
||||
"github.com/minio/cli"
|
||||
@@ -135,9 +137,12 @@ func loadAllCerts(ctx *cli.Context) error {
|
||||
if err = certs.MkdirAllIgnorePerm(certs.GlobalCertsCADir.Get()); err != nil {
|
||||
return fmt.Errorf("unable to create certs CA directory at %s: with %w", certs.GlobalCertsCADir.Get(), err)
|
||||
}
|
||||
|
||||
var manager *xcerts.Manager
|
||||
// load the certificates and the CAs
|
||||
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
|
||||
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, manager = certs.GetAllCertificatesAndCAs()
|
||||
restapi.GlobalTLSCertsManager = &certs.TLSCertsManager{
|
||||
Manager: manager,
|
||||
}
|
||||
|
||||
{
|
||||
// TLS flags from swagger server, used to support VMware vsphere operator version.
|
||||
@@ -146,8 +151,7 @@ func loadAllCerts(ctx *cli.Context) error {
|
||||
swaggerServerCACertificate := ctx.String("tls-ca")
|
||||
// load tls cert and key from swagger server tls-certificate and tls-key flags
|
||||
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
|
||||
if err = certs.AddCertificate(context.Background(),
|
||||
restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
|
||||
if err = restapi.GlobalTLSCertsManager.AddCertificate(context.Background(), swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
|
||||
return err
|
||||
}
|
||||
if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil {
|
||||
@@ -170,8 +174,8 @@ func loadAllCerts(ctx *cli.Context) error {
|
||||
// StartServer starts the console service
|
||||
func StartServer(ctx *cli.Context) error {
|
||||
if err := loadAllCerts(ctx); err != nil {
|
||||
// Log this as a warning and continue running console without TLS certificates
|
||||
restapi.LogError("Unable to load certs: %v", err)
|
||||
return err
|
||||
}
|
||||
|
||||
var rctx restapi.Context
|
||||
|
||||
@@ -327,13 +327,18 @@ func GetAllCertificatesAndCAs() (*x509.CertPool, []*x509.Certificate, *xcerts.Ma
|
||||
return GlobalRootCAs, globalPublicCerts, globalTLSCertsManager
|
||||
}
|
||||
|
||||
// TLSCertsManager custom TLS Manager for SNI support
|
||||
type TLSCertsManager struct {
|
||||
*xcerts.Manager
|
||||
}
|
||||
|
||||
// AddCertificate check if Manager is initialized and then append a new certificate to it
|
||||
func AddCertificate(ctx context.Context, manager *xcerts.Manager, publicKey, privateKey string) (err error) {
|
||||
func (m *TLSCertsManager) AddCertificate(ctx context.Context, publicKey, privateKey string) (err error) {
|
||||
// If Cert Manager is not nil add more certificates
|
||||
if manager != nil {
|
||||
return manager.AddCertificate(publicKey, privateKey)
|
||||
if m.Manager != nil {
|
||||
return m.Manager.AddCertificate(publicKey, privateKey)
|
||||
}
|
||||
// Initialize cert manager
|
||||
manager, err = xcerts.NewManager(ctx, publicKey, privateKey, LoadX509KeyPair)
|
||||
m.Manager, err = xcerts.NewManager(ctx, publicKey, privateKey, LoadX509KeyPair)
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -24,7 +24,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/minio/pkg/certs"
|
||||
"github.com/minio/console/pkg/certs"
|
||||
"github.com/minio/pkg/env"
|
||||
)
|
||||
|
||||
@@ -276,7 +276,7 @@ var (
|
||||
// GlobalPublicCerts has certificates Console will use to serve clients
|
||||
GlobalPublicCerts []*x509.Certificate
|
||||
// GlobalTLSCertsManager custom TLS Manager for SNI support
|
||||
GlobalTLSCertsManager *certs.Manager
|
||||
GlobalTLSCertsManager *certs.TLSCertsManager
|
||||
)
|
||||
|
||||
// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the
|
||||
|
||||
@@ -21,6 +21,7 @@ package restapi
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"io"
|
||||
"io/fs"
|
||||
"net/http"
|
||||
@@ -141,13 +142,21 @@ func configureAPI(api *operations.ConsoleAPI) http.Handler {
|
||||
|
||||
// The TLS configuration before HTTPS server starts.
|
||||
func configureTLS(tlsConfig *tls.Config) {
|
||||
if GlobalRootCAs != nil {
|
||||
// Add the global public crts as part of global root CAs
|
||||
for _, publicCrt := range GlobalPublicCerts {
|
||||
GlobalRootCAs.AddCert(publicCrt)
|
||||
}
|
||||
tlsConfig.RootCAs = GlobalRootCAs
|
||||
if GlobalRootCAs == nil {
|
||||
GlobalRootCAs = &x509.CertPool{}
|
||||
}
|
||||
// Add the global public crts as part of global root CAs
|
||||
for _, publicCrt := range GlobalPublicCerts {
|
||||
// Add certificates to swagger TLS configuration
|
||||
tlsConfig.Certificates = append(tlsConfig.Certificates, tls.Certificate{
|
||||
Certificate: [][]byte{publicCrt.Raw},
|
||||
Leaf: publicCrt,
|
||||
})
|
||||
GlobalRootCAs.AddCert(publicCrt)
|
||||
}
|
||||
|
||||
tlsConfig.RootCAs = GlobalRootCAs
|
||||
|
||||
if GlobalTLSCertsManager != nil {
|
||||
tlsConfig.GetCertificate = GlobalTLSCertsManager.GetCertificate
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user