
Commit 5095610

Merge pull request #770 from dmage/s3-system-certs
Bug 2007611: Merge S3 CA bundle with system CA bundle
2 parents e038fc4 + 1f909e2 commit 5095610


1 file changed

+39
-23
lines changed


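--- a/pkg/storage/s3/s3.go
+++ b/pkg/storage/s3/s3.go
@@ -3,6 +3,8 @@ package s3
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -11,7 +13,6 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -22,6 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
 	"golang.org/x/net/http/httpproxy"
+	"golang.org/x/net/http2"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -236,27 +238,48 @@ func (d *driver) getS3Service() (*s3.S3, error) {
 		return nil, err
 	}
 
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load system root CA bundle: %w", err)
+	}
+
+	userCABundle, err := d.getCABundle()
+	if err != nil {
+		return nil, err
+	}
+	rootCAs.AppendCertsFromPEM([]byte(userCABundle))
+
+	tr := &http.Transport{
+		Proxy: func(req *http.Request) (*url.URL, error) {
+			return httpproxy.FromEnvironment().ProxyFunc()(req.URL)
+		},
+		DialContext: (&net.Dialer{
+			Timeout: 30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		TLSClientConfig: &tls.Config{
+			RootCAs: rootCAs,
+		},
+		MaxIdleConns: 100,
+		IdleConnTimeout: 90 * time.Second,
+		TLSHandshakeTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ForceAttemptHTTP2: true,
+	}
+
+	err = http2.ConfigureTransport(tr)
+	if err != nil {
+		return nil, fmt.Errorf("unable to configure http2 transport: %w", err)
+	}
+
 	// A custom HTTPClient is used here since the default HTTPClients ProxyFromEnvironment
 	// uses a cache which won't let us update the proxy env vars
 	awsOptions := session.Options{
 		Config: aws.Config{
 			Region: &d.Config.Region,
 			HTTPClient: &http.Client{
-				Transport: &http.Transport{
-					Proxy: func(req *http.Request) (*url.URL, error) {
-						return httpproxy.FromEnvironment().ProxyFunc()(req.URL)
-					},
-					DialContext: (&net.Dialer{
-						Timeout: 30 * time.Second,
-						KeepAlive: 30 * time.Second,
-						DualStack: true,
-					}).DialContext,
-					ForceAttemptHTTP2: true,
-					MaxIdleConns: 100,
-					IdleConnTimeout: 90 * time.Second,
-					TLSHandshakeTimeout: 10 * time.Second,
-					ExpectContinueTimeout: 1 * time.Second,
-				},
+				Transport: tr,
 			},
 		},
 		SharedConfigState: session.SharedConfigEnable,
@@ -276,13 +299,6 @@ func (d *driver) getS3Service() (*s3.S3, error) {
 
 	awsOptions.Config.WithEndpointResolver(d.endpointsResolver)
 
-	switch caBundle, err := d.getCABundle(); {
-	case err != nil:
-		return nil, err
-	case caBundle != "":
-		awsOptions.CustomCABundle = strings.NewReader(caBundle)
-	}
-
 	sess, err := session.NewSessionWithOptions(awsOptions)
 	if err != nil {
 		return nil, err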
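Review bot: The boolean returned by `rootCAs.AppendCertsFromPEM([]byte(userCABundle))` in the getS3Service hunk is discarded, so an operator-supplied bundle that contains no parseable PEM certificate is silently dropped and the only symptom is a later x509 verification failure against the S3 endpoint; the removed `CustomCABundle` path, as far as I recall, surfaced an unparseable bundle as a session error up front. Keep the empty-bundle case allowed (the old switch only acted on `caBundle != ""`) but fail loudly on a bad one: `if userCABundle != "" && !rootCAs.AppendCertsFromPEM([]byte(userCABundle)) { return nil, fmt.Errorf("unable to parse S3 CA bundle: no PEM certificates found") }`. The explicit `http2.ConfigureTransport(tr)` call looks redundant with `ForceAttemptHTTP2: true`, which already enables HTTP/2 on a Transport that carries a custom TLSClientConfig; presumably the call and the new x/net/http2 import can go, worth confirming against the Go version in go.mod. A short comment above the pool setup, e.g. `// Trust both the system roots and the operator-provided S3 CA bundle (bug 2007611).`, would record why the two are merged. getS3Service starts and ends outside the hunk.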
