From 859003a940b8c48569f5064efcf4c14d8444ce1a Mon Sep 17 00:00:00 2001
From: JulienBalestra
Date: Tue, 28 Aug 2018 11:02:56 +0200
Subject: [PATCH] stream: struct for x509 key pair, update the docs, error management

Signed-off-by: JulienBalestra
---
 docs/config.md          | 10 +++++++++-
 pkg/config/config.go    | 26 ++++++++++++++++++--------
 pkg/server/streaming.go |  9 +++++++--
 3 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/docs/config.md b/docs/config.md
index 8fa77b55b..61b49f1bb 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -24,8 +24,16 @@ The explanation and default value of each configuration item are as follows:
 # systemd_cgroup enables systemd cgroup support.
 systemd_cgroup = false
 
-# enable_tls_streaming enables the TLS streaming support.
+# enable_tls_streaming enables the TLS streaming support.
+# It generates a self-sign certificate unless the following x509_key_pair_streaming are both set.
 enable_tls_streaming = false
+
+# "plugins.cri.x509_key_pair_streaming" constains a x509 valid key pair to stream with tls.
+[plugins.cri.x509_key_pair_streaming]
+# tls_cert_file is the filepath to the certificate paired with the "tls_key_file"
+tls_cert_file = ""
+# tls_key_file is the filepath to the private key paired with the "tls_cert_file"
+tls_key_file = ""
 
 # max_container_log_line_size is the maximum log line size in bytes for a container.
 # Log line longer than the limit will be split into multiple lines. -1 means no
diff --git a/pkg/config/config.go b/pkg/config/config.go
index a5f27f48e..49288b59a 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -114,16 +114,22 @@ type PluginConfig struct {
 	SystemdCgroup bool `toml:"systemd_cgroup" json:"systemdCgroup"`
 	// EnableTLSStreaming indicates to enable the TLS streaming support.
 	EnableTLSStreaming bool `toml:"enable_tls_streaming" json:"enableTLSStreaming"`
-	// TLSCertFileStreaming is the path to a certificate file
-	TLSCertFileStreaming string `toml:"tls_cert_file_streaming" json:"tlsCertFileStreaming"`
-	// TLSKeyFileStreaming is the path to a private key file
-	TLSKeyFileStreaming string `toml:"tls_key_file_streaming" json:"tlsKeyFileStreaming"`
+	// X509KeyPairStreaming is a x509 key pair used for TLS streaming
+	X509KeyPairStreaming `toml:"x509_key_pair_streaming" json:"x509KeyPairStreaming"`
 	// MaxContainerLogLineSize is the maximum log line size in bytes for a container.
 	// Log line longer than the limit will be split into multiple lines. Non-positive
 	// value means no limit.
 	MaxContainerLogLineSize int `toml:"max_container_log_line_size" json:"maxContainerLogSize"`
 }
 
+// X509KeyPairStreaming contains the x509 configuration for streaming
+type X509KeyPairStreaming struct {
+	// TLSCertFile is the path to a certificate file
+	TLSCertFile string `toml:"tls_cert_file" json:"tlsCertFile"`
+	// TLSKeyFile is the path to a private key file
+	TLSKeyFile string `toml:"tls_key_file" json:"tlsKeyFile"`
+}
+
 // Config contains all configurations for cri server.
 type Config struct {
 	// PluginConfig is the config for CRI plugin.
@@ -156,10 +162,14 @@ func DefaultConfig() PluginConfig {
 		},
 		NoPivot: false,
 	},
-	StreamServerAddress: "127.0.0.1",
-	StreamServerPort: "0",
-	EnableSelinux: false,
-	EnableTLSStreaming: false,
+	StreamServerAddress: "127.0.0.1",
+	StreamServerPort: "0",
+	EnableSelinux: false,
+	EnableTLSStreaming: false,
+	X509KeyPairStreaming: X509KeyPairStreaming{
+		TLSKeyFile: "",
+		TLSCertFile: "",
+	},
 	SandboxImage: "k8s.gcr.io/pause:3.1",
 	StatsCollectPeriod: 10,
 	SystemdCgroup: false,
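Review bot: The toml keys `tls_cert_file_streaming` and `tls_key_file_streaming` are removed from PluginConfig with no deprecation path, so an existing config that carried them will, if the decoder ignores unknown keys (not visible here), keep `enable_tls_streaming = true` and silently fall back to the self-signed certificate instead of the operator-supplied key pair; this deserves a changelog note or a strict-decoding/unknown-key check at load time. Embedding `X509KeyPairStreaming` anonymously also promotes `TLSCertFile`/`TLSKeyFile` onto PluginConfig, so `c.config.TLSCertFile` compiles alongside `c.config.X509KeyPairStreaming.TLSCertFile`; a named field `X509KeyPairStreaming X509KeyPairStreaming` keeps one spelling. The field comment describes a key pair but the struct holds two file paths, so I would write `// X509KeyPairStreaming holds the paths to the certificate and private key used for TLS streaming; both or neither must be set.`. In DefaultConfig the explicit `X509KeyPairStreaming: X509KeyPairStreaming{TLSKeyFile: "", TLSCertFile: ""}` only restates the zero value and can be dropped.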
diff --git a/pkg/server/streaming.go b/pkg/server/streaming.go
index 255b7c9a6..8d732eb60 100644
--- a/pkg/server/streaming.go
+++ b/pkg/server/streaming.go
@@ -46,10 +46,13 @@ func newStreamServer(c *criService, addr, port string) (streaming.Server, error)
 	config.Addr = net.JoinHostPort(addr, port)
 	run := newStreamRuntime(c)
 	if !c.config.EnableTLSStreaming {
+		if c.config.X509KeyPairStreaming.TLSCertFile != "" || c.config.X509KeyPairStreaming.TLSKeyFile != "" {
+			return nil, errors.Errorf("X509KeyPairStreaming.TLSCertFile and/or X509KeyPairStreaming.TLSKeyFile are set but EnableTLSStreaming is not set")
+		}
 		return streaming.NewServer(config, run)
 	}
-	if c.config.TLSCertFileStreaming != "" && c.config.TLSKeyFileStreaming != "" {
-		tlsCert, err := tls.LoadX509KeyPair(c.config.TLSCertFileStreaming, c.config.TLSKeyFileStreaming)
+	if c.config.X509KeyPairStreaming.TLSCertFile != "" && c.config.X509KeyPairStreaming.TLSKeyFile != "" {
+		tlsCert, err := tls.LoadX509KeyPair(c.config.X509KeyPairStreaming.TLSCertFile, c.config.X509KeyPairStreaming.TLSKeyFile)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to load x509 key pair for stream server")
 		}
@@ -57,6 +60,8 @@ func newStreamServer(c *criService, addr, port string) (streaming.Server, error)
 			Certificates: []tls.Certificate{tlsCert},
 		}
 		return streaming.NewServer(config, run)
+	} else if c.config.X509KeyPairStreaming.TLSCertFile != "" || c.config.X509KeyPairStreaming.TLSKeyFile != "" {
+		return nil, errors.Errorf("must set both X509KeyPairStreaming.TLSCertFile and X509KeyPairStreaming.TLSKeyFile")
 	}
 	// generating self-sign certs
 	tlsCert, err := newTLSCert()
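Review bot: The "both or neither" rule for the key pair is spread over two places — an "and/or" check inside the `!EnableTLSStreaming` branch and an `else if` attached to an `if` that already returns — and both messages name Go fields (`X509KeyPairStreaming.TLSCertFile`) rather than the toml keys the operator actually writes (`x509_key_pair_streaming.tls_cert_file` / `tls_key_file`, per the docs change in this commit). Computing `certSet`/`keySet` once, rejecting a half-set pair before branching on `EnableTLSStreaming`, and using `errors.New` for the constant messages (the `Errorf` calls have no verbs) makes the three outcomes — operator key pair, error, self-signed fallback — readable in order; the fall-through to `newTLSCert()` when both paths are empty is unchanged. `newStreamServer` begins and ends outside these hunks, and the `tls.Config{` literal that receives `Certificates` starts above the second hunk, so I cannot tell from here whether a `MinVersion` is set on it.

```go
	certSet := c.config.X509KeyPairStreaming.TLSCertFile != ""
	keySet := c.config.X509KeyPairStreaming.TLSKeyFile != ""
	if certSet != keySet {
		return nil, errors.New("x509_key_pair_streaming requires both tls_cert_file and tls_key_file to be set")
	}
	if !c.config.EnableTLSStreaming {
		if certSet {
			return nil, errors.New("x509_key_pair_streaming is set but enable_tls_streaming is false")
		}
		return streaming.NewServer(config, run)
	}
	if certSet {
		tlsCert, err := tls.LoadX509KeyPair(c.config.X509KeyPairStreaming.TLSCertFile, c.config.X509KeyPairStreaming.TLSKeyFile)
		// … unchanged: error wrap, tls.Config with Certificates, NewServer …
	}
	// … unchanged: self-signed certificate path (newTLSCert) …
```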