Support base64 encoded and PEM encoded certs (#3751)

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>

Support base64 encoded and PEM encoded certs (#3751)
f46adb95 · Maksim Nabokikh · GitHub · 4bb97c73 · f46adb95 · f46adb95
Unverified Commit f46adb95 authored 7 months ago by Maksim Nabokikh Committed by GitHub 7 months ago
--- a/pkg/httpclient/httpclient.go
+++ b/pkg/httpclient/httpclient.go
@@ -3,6 +3,7 @@ package httpclient
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"fmt"
 	"net"
 	"net/http"
@@ -10,6 +11,26 @@ import (
 	"time"
 )
+func extractCAs(input []string) [][]byte {
+	result := make([][]byte, 0, len(input))
+	for _, ca := range input {
+		if ca == "" {
+			continue
+		}
+		pemData, err := os.ReadFile(ca)
+		if err != nil {
+			pemData, err = base64.StdEncoding.DecodeString(ca)
+			if err != nil {
+				pemData = []byte(ca)
+			}
+		}
+		result = append(result, pemData)
+	}
+	return result
+}
 func NewHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) {
 	pool, err := x509.SystemCertPool()
 	if err != nil {
@@ -17,13 +38,11 @@ func NewHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, err
 	}
 	tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}
-	for _, rootCA := range rootCAs {
+	for index, rootCABytes := range extractCAs(rootCAs) {
-		rootCABytes, err := os.ReadFile(rootCA)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read root-ca: %v", err)
-		}
 		if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
-			return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
+			return nil, fmt.Errorf("rootCAs.%d is not in PEM format, certificate must be "+
+				"a PEM encoded string, a base64 encoded bytes that contain PEM encoded string, "+
+				"or a path to a PEM encoded certificate", index)
 		}
 	}

--- a/pkg/httpclient/httpclient_test.go
+++ b/pkg/httpclient/httpclient_test.go
@@ -2,10 +2,12 @@ package httpclient_test
 import (
 	"crypto/tls"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 	"github.com/stretchr/testify/assert"
@@ -20,18 +22,31 @@ func TestRootCAs(t *testing.T) {
 	assert.Nil(t, err)
 	defer ts.Close()
-	rootCAs := []string{"testdata/rootCA.pem"}
+	runTest := func(name string, certs []string) {
-	testClient, err := httpclient.NewHTTPClient(rootCAs, false)
+		t.Run(name, func(t *testing.T) {
-	assert.Nil(t, err)
+			rootCAs := certs
+			testClient, err := httpclient.NewHTTPClient(rootCAs, false)
+			assert.Nil(t, err)
-	res, err := testClient.Get(ts.URL)
+			res, err := testClient.Get(ts.URL)
-	assert.Nil(t, err)
+			assert.Nil(t, err)
-	greeting, err := io.ReadAll(res.Body)
+			greeting, err := io.ReadAll(res.Body)
-	res.Body.Close()
+			res.Body.Close()
-	assert.Nil(t, err)
+			assert.Nil(t, err)
-	assert.Equal(t, "Hello, client", string(greeting))
+			assert.Equal(t, "Hello, client", string(greeting))
+		})
+	}
+	runTest("From file", []string{"testdata/rootCA.pem"})
+	content, err := os.ReadFile("testdata/rootCA.pem")
+	assert.NoError(t, err)
+	runTest("From string", []string{string(content)})
+	contentStr := base64.StdEncoding.EncodeToString(content)
+	runTest("From bytes", []string{contentStr})
 }
 func TestInsecureSkipVerify(t *testing.T) {