10684: Add Arvados-specific search path to Go SDK TLSClientConfig.
authorPeter Amstutz <peter.amstutz@curoverse.com>
Thu, 15 Dec 2016 18:51:56 +0000 (13:51 -0500)
committerPeter Amstutz <peter.amstutz@curoverse.com>
Thu, 15 Dec 2016 18:52:43 +0000 (13:52 -0500)
sdk/go/arvadosclient/arvadosclient.go
sdk/go/crunchrunner/crunchrunner.go
sdk/go/keepclient/keepclient.go

index 5f24c7107d72798621b4a3110030981297489fc9..be036c0219589521041679a3f3173c2fdd10ab94 100644 (file)
@@ -5,10 +5,12 @@ package arvadosclient
 import (
        "bytes"
        "crypto/tls"
+       "crypto/x509"
        "encoding/json"
        "errors"
        "fmt"
        "io"
+       "io/ioutil"
        "net/http"
        "net/url"
        "os"
@@ -103,22 +105,51 @@ type ArvadosClient struct {
        Retries int
 }
 
+var CertFiles = []string{
+       "/etc/arvados/ca-certificates.crt",   // Arvados specific
+       "/etc/ssl/certs/ca-certificates.crt", // Debian
+       "/etc/pki/tls/certs/ca-bundle.crt",   // Red Hat
+}
+
+// SetupRootCAs loads a set of root certificates into TLSClientConfig by
+// searching a default list of locations.
+func SetupRootCAs(tlsClientConfig *tls.Config) error {
+       // Container may not have certificates installed, so need to look for
+       // /etc/arvados/ca-certificates.crt in addition to normal system certs.
+
+       certs := x509.NewCertPool()
+       for _, file := range CertFiles {
+               data, err := ioutil.ReadFile(file)
+               if err == nil {
+                       certs.AppendCertsFromPEM(data)
+                       tlsClientConfig.RootCAs = certs
+                       return nil
+               }
+       }
+
+       return fmt.Errorf("Unable to find TLS root certificates to use, tried %v", CertFiles)
+}
+
 // New returns an ArvadosClient using the given arvados.Client
 // configuration. This is useful for callers who load arvados.Client
 // fields from configuration files but still need to use the
 // arvadosclient.ArvadosClient package.
 func New(c *arvados.Client) (*ArvadosClient, error) {
-       return &ArvadosClient{
+       tlsconfig := &tls.Config{InsecureSkipVerify: c.Insecure}
+       SetupRootCAs(tlsconfig)
+       ac := &ArvadosClient{
                Scheme:      "https",
                ApiServer:   c.APIHost,
                ApiToken:    c.AuthToken,
                ApiInsecure: c.Insecure,
                Client: &http.Client{Transport: &http.Transport{
-                       TLSClientConfig: &tls.Config{InsecureSkipVerify: c.Insecure}}},
+                       TLSClientConfig: tlsconfig}},
                External:          false,
                Retries:           2,
                lastClosedIdlesAt: time.Now(),
-       }, nil
+       }
+
+       return ac, nil
 }
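Review bot: SetupRootCAs ignores the bool returned by `certs.AppendCertsFromPEM(data)`, so a listed file that exists but contains no parseable PEM certificate (empty, truncated, or DER-encoded) yields an empty RootCAs pool, and every later handshake then fails with an unknown-authority error instead of moving on to the next path or the system roots. Treat a false return like a read failure and keep searching: `if err == nil && certs.AppendCertsFromPEM(data) {`. The error result is also dropped at all three call sites — `SetupRootCAs(tlsconfig)` in New here, in MakeArvadosClient in the next hunk, and in keepclient.New — where a nil RootCAs silently falls back to Go's system roots; if that fallback is intended, state it in the SetupRootCAs doc comment and mark the discarded value with `_ = SetupRootCAs(tlsconfig) // nil RootCAs falls back to the system roots`, otherwise propagate it from New, which already returns an error. The doc comment should also spell out the first-match semantics — a readable /etc/arvados/ca-certificates.crt replaces the system bundle rather than supplementing it, unlike the crunchrunner loop this commit removes, which appended every readable file — and the exported `CertFiles` variable needs a comment starting with its name, e.g. `// CertFiles lists candidate CA bundle paths; the first readable one wins.`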
 
 // MakeArvadosClient creates a new ArvadosClient using the standard
@@ -130,13 +161,16 @@ func MakeArvadosClient() (ac *ArvadosClient, err error) {
        insecure := matchTrue.MatchString(os.Getenv("ARVADOS_API_HOST_INSECURE"))
        external := matchTrue.MatchString(os.Getenv("ARVADOS_EXTERNAL_CLIENT"))
 
+       tlsconfig := &tls.Config{InsecureSkipVerify: insecure}
+       SetupRootCAs(tlsconfig)
+
        ac = &ArvadosClient{
                Scheme:      "https",
                ApiServer:   os.Getenv("ARVADOS_API_HOST"),
                ApiToken:    os.Getenv("ARVADOS_API_TOKEN"),
                ApiInsecure: insecure,
                Client: &http.Client{Transport: &http.Transport{
-                       TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure}}},
+                       TLSClientConfig: tlsconfig}},
                External: external,
                Retries:  2}
 
index 5e0e101e7726b25d3791d137a7196d2b219782d6..936903607147abf9cb39e01fe0fa42d1567b535c 100644 (file)
@@ -396,24 +396,6 @@ func main() {
                log.Fatal(err)
        }
 
-       // Container may not have certificates installed, so need to look for
-       // /etc/arvados/ca-certificates.crt in addition to normal system certs.
-       var certFiles = []string{
-               "/etc/ssl/certs/ca-certificates.crt", // Debian
-               "/etc/pki/tls/certs/ca-bundle.crt",   // Red Hat
-               "/etc/arvados/ca-certificates.crt",
-       }
-
-       certs := x509.NewCertPool()
-       for _, file := range certFiles {
-               data, err := ioutil.ReadFile(file)
-               if err == nil {
-                       log.Printf("Using TLS certificates at %v", file)
-                       certs.AppendCertsFromPEM(data)
-               }
-       }
-       api.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs = certs
-
        jobUuid := os.Getenv("JOB_UUID")
        taskUuid := os.Getenv("TASK_UUID")
        tmpdir := os.Getenv("TASK_WORK")
index 58f3ffb8348ff7b5f9d9588e6455ae7c9e9ff18a..b03a5fe5f61a6a8c2005df8c9f7ec2eb39b96074 100644 (file)
@@ -99,11 +99,14 @@ func New(arv *arvadosclient.ArvadosClient) *KeepClient {
                }
        }
 
+       tlsconfig := &tls.Config{InsecureSkipVerify: arv.ApiInsecure}
+       arvadosclient.SetupRootCAs(tlsconfig)
+
        kc := &KeepClient{
                Arvados:       arv,
                Want_replicas: defaultReplicationLevel,
                Client: &http.Client{Transport: &http.Transport{
-                       TLSClientConfig: &tls.Config{InsecureSkipVerify: arv.ApiInsecure}}},
+                       TLSClientConfig: tlsconfig}},
                Retries: 2,
        }
        return kc