Add TLS and CA Certificate support for wins

README.md

@@ -180,6 +180,25 @@ csi-proxy:
   kubeletPath: c:/etc/kubelet.exe
 ```
 
+#### Enabling Certificate Support for Wins
+
+Wins now supports consuming a certificate when it is required for pulling the CSI proxy tarball from a Rancher Server. 
+Common situations where this is required are airgapped Rancher environments and self-signed Rancher installations. 
+
+```yml
+tls-config:
+  insecure: <true/false>
+  certFilePath: <path to local certificate>
+```
+
+Example:
+
+```yml
+tls-config:
+  insecure: false
+  certFilePath: c:/etc/rancher/agent/ranchercert
+```
+
 ## Build
 
 ``` powershell

cmd/server/config/config.go

@@ -10,6 +10,7 @@ import (
 	"github.com/rancher/system-agent/pkg/config"
 	"github.com/rancher/wins/pkg/csiproxy"
 	"github.com/rancher/wins/pkg/defaults"
+	"github.com/rancher/wins/pkg/tls"
 )
 
 func DefaultConfig() *Config {
@@ -24,6 +25,9 @@ func DefaultConfig() *Config {
 			Mode:         "watching",
 			WatchingPath: defaults.UpgradeWatchingPath,
 		},
+		TLSConfig: &tls.TLSConfig{
+			CertFilePath: defaults.CertPath,
+		},
 	}
 }
 
@@ -35,6 +39,7 @@ type Config struct {
 	Upgrade     UpgradeConfig       `yaml:"upgrade" json:"upgrade"`
 	SystemAgent *config.AgentConfig `yaml:"systemagent" json:"systemagent"`
 	CSIProxy    *csiproxy.Config    `yaml:"csi-proxy" json:"csi-proxy"`
+	TLSConfig   *tls.TLSConfig      `yaml:"tls-config" json:"tls-config"`
 }
 
 func (c *Config) Validate() error {

pkg/csiproxy/csi.go

@@ -11,7 +11,9 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	winsConfig "github.com/rancher/wins/cmd/server/config"
 	"github.com/rancher/wins/pkg/concierge"
+	"github.com/rancher/wins/pkg/tls"
 )
 
 const (
@@ -89,6 +91,13 @@ func (p *Proxy) Enable() error {
 		return err
 	}
 	if !ok {
+		wc := winsConfig.Config{}
+		if wc.TLSConfig.CertFilePath != "" {
+			_, err := tls.SetupGenericTLSConfigFromFile(*wc.TLSConfig)
+			if err != nil {
+				return err
+			}
+		}
 		if err := p.download(); err != nil {
 			return err
 		}

pkg/defaults/variable.go

@@ -9,4 +9,5 @@ var (
 	AppCommit           = "0000000"
 	ConfigPath          = filepath.Join("c:/", "etc", "rancher", "wins", "config")
 	UpgradeWatchingPath = filepath.Join("c:/", "etc", "rancher", "wins", "wins.exe")
+	CertPath            = filepath.Join("c:/", "etc", "rancher", "agent", "ranchercert")
 )

pkg/tls/tls.go

@@ -0,0 +1,48 @@
+package tls
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+type TLSConfig struct {
+	Insecure     *bool  `yaml:"insecure" json:"insecure"`
+	CertFilePath string `yaml:"CertFilePath" json:"CertFilePath"`
+}
+
+// SetupGenericTLSConfigFromFile returns a x509 system certificate pool containing the specified certificate file
+func SetupGenericTLSConfigFromFile(config TLSConfig) (*x509.CertPool, error) {
+	if config.CertFilePath == "" {
+		logrus.Info("[SetupGenericTLSConfigFromFile] specified certificate file path is empty, not modifying system certificate store")
+		return nil, nil
+	}
+
+	// Get the System certificate store, continue with a new/empty pool on error
+	systemCerts, err := x509.SystemCertPool()
+	if err != nil || systemCerts == nil {
+		logrus.Warnf("[SetupGenericTLSConfigFromFile] failed to return System Cert Pool, creating new one: %v", err)
+		systemCerts = x509.NewCertPool()
+	}
+
+	localCertPath, err := os.Stat(config.CertFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("[SetupGenericTLSConfigFromFile] unable to read certificate %s from %s: %v", localCertPath.Name(), config.CertFilePath, err)
+	}
+
+	certs, err := ioutil.ReadFile(config.CertFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("[SetupGenericTLSConfigFromFile] failed to read local cert file %q: %v", config.CertFilePath, err)
+	}
+
+	// Append the specified cert to the system pool
+	if ok := systemCerts.AppendCertsFromPEM(certs); !ok {
+		return nil, fmt.Errorf("[SetupGenericTLSConfigFromFile] unable to append cert %s to store, using system certs only", config.CertFilePath)
+	}
+
+	logrus.Infof("[SetupGenericTLSConfigFromFile] successfully loaded %s certificate into system cert store", config.CertFilePath)
+	return systemCerts, nil
+}