Use gocertifi instead of random ca-certs.

This commit is contained in:
Tom Wilkie
2015-10-23 16:16:48 +00:00
parent f3b66428db
commit 0288b3151b
3 changed files with 31 additions and 18 deletions

View File

@@ -29,16 +29,13 @@ docker/weave:
curl -L git.io/weave -o docker/weave
chmod u+x docker/weave
$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh docker/ca-certificates.crt
$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh
@if [ -z '$(DOCKER_SQUASH)' ] ; then echo "Please install docker-squash by running 'make deps' (and make sure GOPATH/bin is in your PATH)." && exit 1 ; fi
cp $(APP_EXE) $(PROBE_EXE) docker/
cp $(DOCKER_DISTRIB) docker/docker.tgz
$(SUDO) docker build -t $(SCOPE_IMAGE) docker/
$(SUDO) docker save $(SCOPE_IMAGE):latest | sudo $(DOCKER_SQUASH) -t $(SCOPE_IMAGE) | tee $@ | $(SUDO) docker load
docker/ca-certificates.crt: /etc/ssl/certs/ca-certificates.crt
cp $? $@
$(RUNSVINIT): vendor/runsvinit/*.go
go build -o $@ github.com/weaveworks/scope/vendor/runsvinit

View File

@@ -10,6 +10,5 @@ ADD ./weave /usr/bin/
COPY ./scope-app ./scope-probe ./runsvinit ./entrypoint.sh /home/weave/
COPY ./run-app /etc/service/app/run
COPY ./run-probe /etc/service/probe/run
COPY ./ca-certificates.crt /etc/ssl/certs/
EXPOSE 4040
ENTRYPOINT ["/home/weave/entrypoint.sh"]

View File

@@ -8,6 +8,8 @@ import (
"net/http"
"time"
"github.com/certifi/gocertifi"
"github.com/weaveworks/scope/common/sanitize"
)
@@ -19,22 +21,43 @@ type HTTPPublisher struct {
client *http.Client
}
var fastClient = &http.Client{
Timeout: 5 * time.Second,
func getHTTPTransport(insecure bool) (*http.Transport, error) {
if insecure {
return &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}, nil
}
certPool, err := gocertifi.CACerts()
if err != nil {
return nil, err
}
return &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: certPool,
},
}, nil
}
// NewHTTPPublisher returns an HTTPPublisher ready for use.
func NewHTTPPublisher(target, token, probeID string, insecure bool) (string, *HTTPPublisher, error) {
httpTransport, err := getHTTPTransport(insecure)
if err != nil {
return "", nil, err
}
p := &HTTPPublisher{
url: sanitize.URL("", 0, "/api/report")(target),
token: token,
probeID: probeID,
client: http.DefaultClient,
client: &http.Client{
Transport: httpTransport,
},
}
client := fastClient
if insecure {
allowInsecure(fastClient)
allowInsecure(p.client)
client := &http.Client{
Timeout: 5 * time.Second,
Transport: httpTransport,
}
req, err := p.authorizedRequest("GET", sanitize.URL("", 0, "/api")(target), nil)
if err != nil {
@@ -97,12 +120,6 @@ func AuthorizationHeader(token string) string {
return fmt.Sprintf("Scope-Probe token=%s", token)
}
func allowInsecure(c *http.Client) {
c.Transport = &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
}
// ScopeProbeIDHeader is the header we use to carry the probe's unique ID. The
// ID is currently set to the probe's hostname. It's designed to deduplicate
// reports from the same probe to the same receiver, in case the probe is