func createServerCredentials()

in grpc-xds/control-plane-go/pkg/server/server.go [226:285]

• 56 lines of code
• 8 McCabe index (conditional complexity)

func createServerCredentials(logger logr.Logger, xdsFeatures *xds.Features) (*transportCredentials, error) {
	if !xdsFeatures.EnableControlPlaneTLS {
		logger.V(2).Info("using insecure credentials for the control plane server")
		return &transportCredentials{
			TransportCredentials: insecure.NewCredentials(),
		}, nil
	}
	logger.V(2).Info("using mTLS with automatic certificate reloading for the control plane server")
	identityOptions := pemfile.Options{
		CertFile:        "/var/run/secrets/workload-spiffe-credentials/certificates.pem",
		KeyFile:         "/var/run/secrets/workload-spiffe-credentials/private_key.pem",
		RefreshDuration: 600 * time.Second,
	}
	identityProvider, err := pemfile.NewProvider(identityOptions)
	if err != nil {
		return nil, fmt.Errorf("could not create a new certificate provider for identityOptions=%+v: %w", identityOptions, err)
	}
	providers := []certprovider.Provider{identityProvider}

	options := &advancedtls.Options{
		IdentityOptions: advancedtls.IdentityCertificateOptions{
			IdentityProvider: identityProvider,
		},
		AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
			// Not actually checking anything, just logging the client's SPIFFE ID.
			// SPIFFE certificates must have exactly one URI SAN.
			if len(params.Leaf.URIs) == 1 && params.Leaf.URIs[0] != nil {
				logger.V(2).Info("Client TLS certificate", "spiffeID", *params.Leaf.URIs[0])
			}
			return &advancedtls.PostHandshakeVerificationResults{}, nil
		},
		RequireClientCert: false,
		VerificationType:  advancedtls.CertVerification,
	}

	if xdsFeatures.RequireControlPlaneClientCerts {
		rootOptions := pemfile.Options{
			RootFile:        "/var/run/secrets/workload-spiffe-credentials/ca_certificates.pem",
			RefreshDuration: 600 * time.Second,
		}
		rootProvider, err := pemfile.NewProvider(rootOptions)
		if err != nil {
			return nil, fmt.Errorf("could not create a new certificate provider for rootOptions=%+v: %w", rootOptions, err)
		}
		providers = append(providers, rootProvider)
		options.RootOptions = advancedtls.RootCertificateOptions{
			RootProvider: rootProvider,
		}
		options.RequireClientCert = true
	}
	logger.Info("advancedtls", "options", options)
	serverCredentials, err := advancedtls.NewServerCreds(options)
	if err != nil {
		return nil, fmt.Errorf("could not create server credentials from options %+v: %w", options, err)
	}
	return &transportCredentials{
		TransportCredentials: serverCredentials,
		providers:            providers,
	}, err
}