fix(tls): centralize the TLS configuration to ensure FIPS compliance BE-11979 (#960)

2025-08-05 05:45:22 +02:00 · 2025-08-01 22:23:59 -03:00 · 2025-08-01 22:23:59 -03:00 · 163aa57e5c
commit 163aa57e5c
parent 3eab294908
25 changed files with 454 additions and 112 deletions
--- a/api/http/proxy/factory/agent.go
+++ b/api/http/proxy/factory/agent.go
@ -43,7 +43,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 	httpTransport := &http.Transport{}

 	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
-		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, errors.WithMessage(err, "failed generating tls configuration")
 		}
--- a/api/http/proxy/factory/docker.go
+++ b/api/http/proxy/factory/docker.go
@ -50,7 +50,7 @@ func (factory *ProxyFactory) newDockerHTTPProxy(endpoint *portainer.Endpoint) (h
 	httpTransport := &http.Transport{}

 	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
-		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, err
 		}
--- a/api/http/proxy/factory/kubernetes.go
+++ b/api/http/proxy/factory/kubernetes.go
@ -7,7 +7,6 @@ import (
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/crypto"
 )

 func (factory *ProxyFactory) newKubernetesProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
@ -93,19 +92,19 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
 		return nil, err
 	}

-	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-	if err != nil {
-		return nil, err
-	}
-
 	tokenCache := factory.kubernetesTokenCacheManager.GetOrCreateTokenCache(endpoint.ID)
 	tokenManager, err := kubernetes.NewTokenManager(kubecli, factory.dataStore, tokenCache, false)
 	if err != nil {
 		return nil, err
 	}

+	transport, err := kubernetes.NewAgentTransport(factory.signatureService, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
+	if err != nil {
+		return nil, err
+	}
+
 	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
-	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
+	proxy.Transport = transport

 	return proxy, nil
 }
--- a/api/http/proxy/factory/kubernetes/agent_transport.go
+++ b/api/http/proxy/factory/kubernetes/agent_transport.go
@ -1,11 +1,11 @@
 package kubernetes

 import (
-	"crypto/tls"
 	"net/http"
 	"strings"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 )
@ -16,7 +16,12 @@ type agentTransport struct {
 }

 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
-func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *agentTransport {
+func NewAgentTransport(signatureService portainer.DigitalSignatureService, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*agentTransport, error) {
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	transport := &agentTransport{
 		baseTransport: newBaseTransport(
 			&http.Transport{
@ -31,7 +36,7 @@ func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsCo
 		signatureService: signatureService,
 	}

-	return transport
+	return transport, nil
 }

 // RoundTrip is the implementation of the the http.RoundTripper interface
--- a/api/http/proxy/factory/kubernetes/local_transport.go
+++ b/api/http/proxy/factory/kubernetes/local_transport.go
@ -15,7 +15,7 @@ type localTransport struct {

 // NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
 func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*localTransport, error) {
-	config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
+	config, err := crypto.CreateTLSConfigurationFromBytes(true, nil, nil, nil, true, true)
 	if err != nil {
 		return nil, err
 	}
--- a/api/http/proxy/factory/kubernetes/local_transport_test.go
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@ -0,0 +1,13 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewLocalTransport(t *testing.T) {
+	transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
+	require.NoError(t, err)
+	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify)
+}