Enable tls by default and load system CA in additional to provided CA (…

…#24)

* Enable tls by default and load system CA if available

agent/main.go

@@ -150,6 +150,6 @@ func main() {
 
 	log.Fatal(nginx.Run(config.Nginx, map[string]interface{}{
 		"port":            *agentRegistryPort,
-		"registry_backup": config.RegistryBackup,
-	}))
+		"registry_backup": config.RegistryBackup},
+		nginx.WithTLS(config.TLS)))
 }

build-index/tagclient/client.go

@@ -50,23 +50,23 @@ func (c *singleClient) Put(tag string, d core.Digest) error {
 	_, err := httputil.Put(
 		fmt.Sprintf("http://%s/tags/%s/digest/%s", c.addr, url.PathEscape(tag), d.String()),
 		httputil.SendTimeout(30*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
 func (c *singleClient) PutAndReplicate(tag string, d core.Digest) error {
 	_, err := httputil.Put(
 		fmt.Sprintf("http://%s/tags/%s/digest/%s?replicate=true", c.addr, url.PathEscape(tag), d.String()),
 		httputil.SendTimeout(30*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
 func (c *singleClient) Get(tag string) (core.Digest, error) {
 	resp, err := httputil.Get(
 		fmt.Sprintf("http://%s/tags/%s", c.addr, url.PathEscape(tag)),
 		httputil.SendTimeout(10*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		if httputil.IsNotFound(err) {
 			return core.Digest{}, ErrTagNotFound
@@ -89,7 +89,7 @@ func (c *singleClient) Has(tag string) (bool, error) {
 	_, err := httputil.Head(
 		fmt.Sprintf("http://%s/tags/%s", c.addr, url.PathEscape(tag)),
 		httputil.SendTimeout(10*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		if httputil.IsNotFound(err) {
 			return false, nil
@@ -103,7 +103,7 @@ func (c *singleClient) List(prefix string) ([]string, error) {
 	resp, err := httputil.Get(
 		fmt.Sprintf("http://%s/list/%s", c.addr, prefix),
 		httputil.SendTimeout(60*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return nil, err
 	}
@@ -120,7 +120,7 @@ func (c *singleClient) ListRepository(repo string) ([]string, error) {
 	resp, err := httputil.Get(
 		fmt.Sprintf("http://%s/repositories/%s/tags", c.addr, url.PathEscape(repo)),
 		httputil.SendTimeout(60*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return nil, err
 	}
@@ -141,7 +141,7 @@ func (c *singleClient) Replicate(tag string) error {
 	_, err := httputil.Post(
 		fmt.Sprintf("http://%s/remotes/tags/%s", c.addr, url.PathEscape(tag)),
 		httputil.SendTimeout(15*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
@@ -165,7 +165,7 @@ func (c *singleClient) DuplicateReplicate(
 		httputil.SendBody(bytes.NewReader(b)),
 		httputil.SendTimeout(10*time.Second),
 		httputil.SendRetry(),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
@@ -186,15 +186,15 @@ func (c *singleClient) DuplicatePut(tag string, d core.Digest, delay time.Durati
 		httputil.SendBody(bytes.NewReader(b)),
 		httputil.SendTimeout(10*time.Second),
 		httputil.SendRetry(),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
 func (c *singleClient) Origin() (string, error) {
 	resp, err := httputil.Get(
 		fmt.Sprintf("http://%s/origin", c.addr),
 		httputil.SendTimeout(5*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return "", err
 	}

config/agent/test.template

@@ -29,15 +29,14 @@ build_index:
 tls:
   name: kraken
   ca:
-    enabled: true
+    disabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

config/build-index/test.template

@@ -46,15 +46,13 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

config/origin/test.template

@@ -29,15 +29,13 @@ writeback:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

config/proxy/test.template

@@ -14,15 +14,14 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: false
+    disabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

config/tracker/test.template

@@ -19,15 +19,13 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

examples/devcluster/config/agent/development.yaml

@@ -23,15 +23,14 @@ registry:
 tls:
   name: kraken
   ca:
-    enabled: true
+    disabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

examples/devcluster/config/build-index/development.yaml

@@ -42,15 +42,13 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

examples/devcluster/config/origin/development.yaml

@@ -23,15 +23,13 @@ writeback:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

examples/devcluster/config/proxy/development.yaml

@@ -16,15 +16,14 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: false
+    disabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

examples/devcluster/config/tracker/development.yaml

@@ -20,15 +20,13 @@ nginx:
 tls:
   name: kraken
   ca:
-    enabled: true
     cert:
       path: /etc/kraken/tls/ca/server.crt
     key:
       path: /etc/kraken/tls/ca/server.key
     passphrase:
       path: /etc/kraken/tls/ca/passphrase
   client:
-    enabled: true
     cert:
       path: /etc/kraken/tls/client/client.crt
     key:

lib/healthcheck/checker.go

@@ -24,6 +24,6 @@ func (c defaultChecker) Check(ctx context.Context, addr string) error {
 	_, err := httputil.Get(
 		fmt.Sprintf("http://%s/health", addr),
 		httputil.SendContext(ctx),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }

nginx/nginx.go

@@ -69,7 +69,7 @@ func Run(config Config, params map[string]interface{}, opts ...Option) error {
 	for _, opt := range opts {
 		opt(&config)
 	}
-	if !config.tls.CA.Enabled {
+	if config.tls.CA.Disabled {
 		log.Warn("Server TLS is disabled")
 	} else {
 		for _, f := range []string{
@@ -98,7 +98,7 @@ func Run(config Config, params map[string]interface{}, opts ...Option) error {
 
 	src, err := populateTemplate("base", map[string]interface{}{
 		"site":                string(site),
-		"ssl_enabled":         config.tls.CA.Enabled,
+		"ssl_enabled":         !config.tls.CA.Disabled,
 		"ssl_certificate":     config.tls.CA.Cert.Path,
 		"ssl_certificate_key": config.tls.CA.Key.Path,
 		"ssl_password_file":   config.tls.CA.Passphrase.Path,

origin/blobclient/client.go

@@ -87,7 +87,7 @@ func (c *HTTPClient) Locations(d core.Digest) ([]string, error) {
 	r, err := httputil.Get(
 		fmt.Sprintf("http://%s/blobs/%s/locations", c.addr, d),
 		httputil.SendTimeout(5*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return nil, err
 	}
@@ -123,7 +123,7 @@ func (c *HTTPClient) stat(namespace string, d core.Digest, local bool) (*core.Bl
 	r, err := httputil.Head(
 		u,
 		httputil.SendTimeout(15*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		if httputil.IsNotFound(err) {
 			return nil, ErrBlobNotFound
@@ -146,7 +146,7 @@ func (c *HTTPClient) DeleteBlob(d core.Digest) error {
 	_, err := httputil.Delete(
 		fmt.Sprintf("http://%s/internal/blobs/%s", c.addr, d),
 		httputil.SendAcceptedCodes(http.StatusAccepted),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
@@ -180,7 +180,7 @@ func (c *HTTPClient) DuplicateUploadBlob(
 func (c *HTTPClient) DownloadBlob(namespace string, d core.Digest, dst io.Writer) error {
 	r, err := httputil.Get(
 		fmt.Sprintf("http://%s/namespace/%s/blobs/%s", c.addr, url.PathEscape(namespace), d),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return err
 	}
@@ -198,7 +198,7 @@ func (c *HTTPClient) ReplicateToRemote(namespace string, d core.Digest, remoteDN
 	_, err := httputil.Post(
 		fmt.Sprintf("http://%s/namespace/%s/blobs/%s/remote/%s",
 			c.addr, url.PathEscape(namespace), d, remoteDNS),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
@@ -211,7 +211,7 @@ func (c *HTTPClient) GetMetaInfo(namespace string, d core.Digest) (*core.MetaInf
 		fmt.Sprintf("http://%s/internal/namespace/%s/blobs/%s/metainfo",
 			c.addr, url.PathEscape(namespace), d),
 		httputil.SendTimeout(15*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +232,7 @@ func (c *HTTPClient) GetMetaInfo(namespace string, d core.Digest) (*core.MetaInf
 func (c *HTTPClient) OverwriteMetaInfo(d core.Digest, pieceLength int64) error {
 	_, err := httputil.Post(
 		fmt.Sprintf("http://%s/internal/blobs/%s/metainfo?piece_length=%d", c.addr, d, pieceLength),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }
 
@@ -242,7 +242,7 @@ func (c *HTTPClient) GetPeerContext() (core.PeerContext, error) {
 	r, err := httputil.Get(
 		fmt.Sprintf("http://%s/internal/peercontext", c.addr),
 		httputil.SendTimeout(5*time.Second),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	if err != nil {
 		return pctx, err
 	}
@@ -260,7 +260,7 @@ func (c *HTTPClient) ForceCleanup(ttl time.Duration) error {
 	_, err := httputil.Post(
 		fmt.Sprintf("http://%s/forcecleanup?%s", c.addr, v.Encode()),
 		httputil.SendTimeout(2*time.Minute),
-		httputil.SendTLSTransport(c.tls))
+		httputil.SendTLS(c.tls))
 	return err
 }