mirror of
https://github.com/weaveworks/scope.git
synced 2026-07-18 12:59:31 +00:00
Use gocertifi instead of random ca-certs.
This commit is contained in:
5
Makefile
5
Makefile
@@ -29,16 +29,13 @@ docker/weave:
|
||||
curl -L git.io/weave -o docker/weave
|
||||
chmod u+x docker/weave
|
||||
|
||||
$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh docker/ca-certificates.crt
|
||||
$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh
|
||||
@if [ -z '$(DOCKER_SQUASH)' ] ; then echo "Please install docker-squash by running 'make deps' (and make sure GOPATH/bin is in your PATH)." && exit 1 ; fi
|
||||
cp $(APP_EXE) $(PROBE_EXE) docker/
|
||||
cp $(DOCKER_DISTRIB) docker/docker.tgz
|
||||
$(SUDO) docker build -t $(SCOPE_IMAGE) docker/
|
||||
$(SUDO) docker save $(SCOPE_IMAGE):latest | sudo $(DOCKER_SQUASH) -t $(SCOPE_IMAGE) | tee $@ | $(SUDO) docker load
|
||||
|
||||
docker/ca-certificates.crt: /etc/ssl/certs/ca-certificates.crt
|
||||
cp $? $@
|
||||
|
||||
$(RUNSVINIT): vendor/runsvinit/*.go
|
||||
go build -o $@ github.com/weaveworks/scope/vendor/runsvinit
|
||||
|
||||
|
||||
@@ -10,6 +10,5 @@ ADD ./weave /usr/bin/
|
||||
COPY ./scope-app ./scope-probe ./runsvinit ./entrypoint.sh /home/weave/
|
||||
COPY ./run-app /etc/service/app/run
|
||||
COPY ./run-probe /etc/service/probe/run
|
||||
COPY ./ca-certificates.crt /etc/ssl/certs/
|
||||
EXPOSE 4040
|
||||
ENTRYPOINT ["/home/weave/entrypoint.sh"]
|
||||
|
||||
@@ -8,6 +8,8 @@ import (
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/certifi/gocertifi"
|
||||
|
||||
"github.com/weaveworks/scope/common/sanitize"
|
||||
)
|
||||
|
||||
@@ -19,22 +21,43 @@ type HTTPPublisher struct {
|
||||
client *http.Client
|
||||
}
|
||||
|
||||
var fastClient = &http.Client{
|
||||
Timeout: 5 * time.Second,
|
||||
func getHTTPTransport(insecure bool) (*http.Transport, error) {
|
||||
if insecure {
|
||||
return &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
}, nil
|
||||
}
|
||||
|
||||
certPool, err := gocertifi.CACerts()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
RootCAs: certPool,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
// NewHTTPPublisher returns an HTTPPublisher ready for use.
|
||||
func NewHTTPPublisher(target, token, probeID string, insecure bool) (string, *HTTPPublisher, error) {
|
||||
httpTransport, err := getHTTPTransport(insecure)
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
|
||||
p := &HTTPPublisher{
|
||||
url: sanitize.URL("", 0, "/api/report")(target),
|
||||
token: token,
|
||||
probeID: probeID,
|
||||
client: http.DefaultClient,
|
||||
client: &http.Client{
|
||||
Transport: httpTransport,
|
||||
},
|
||||
}
|
||||
client := fastClient
|
||||
if insecure {
|
||||
allowInsecure(fastClient)
|
||||
allowInsecure(p.client)
|
||||
|
||||
client := &http.Client{
|
||||
Timeout: 5 * time.Second,
|
||||
Transport: httpTransport,
|
||||
}
|
||||
req, err := p.authorizedRequest("GET", sanitize.URL("", 0, "/api")(target), nil)
|
||||
if err != nil {
|
||||
@@ -97,12 +120,6 @@ func AuthorizationHeader(token string) string {
|
||||
return fmt.Sprintf("Scope-Probe token=%s", token)
|
||||
}
|
||||
|
||||
func allowInsecure(c *http.Client) {
|
||||
c.Transport = &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
}
|
||||
}
|
||||
|
||||
// ScopeProbeIDHeader is the header we use to carry the probe's unique ID. The
|
||||
// ID is currently set to the probe's hostname. It's designed to deduplicate
|
||||
// reports from the same probe to the same receiver, in case the probe is
|
||||
|
||||
Reference in New Issue
Block a user