[improve] let tlsoptions include std tlsconfig

Signed-off-by: lookupman <lookupman@163.com>
apache · Sep 28, 2024 · 984e11f · 984e11f
1 parent 630d5f8
commit 984e11f
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 19 deletions.
diff --git a/pulsar/client.go b/pulsar/client.go
@@ -129,6 +129,8 @@ type ClientOptions struct {
 	// TLSMaxVersion contains the maximum TLS version that is acceptable. See tls.Config MaxVersion for more information.
 	TLSMaxVersion uint16
 
+	StdTlsConfig *tls.Config
+
 	// Configure the net model for vpc user to connect the pulsar broker
 	ListenerName string
 

diff --git a/pulsar/client_impl.go b/pulsar/client_impl.go
@@ -97,6 +97,7 @@ func newClient(options ClientOptions) (Client, error) {
 			CipherSuites:            options.TLSCipherSuites,
 			MinVersion:              options.TLSMinVersion,
 			MaxVersion:              options.TLSMaxVersion,
+			StdTlsConfig:            options.StdTlsConfig,
 		}
 	default:
 		return nil, newError(InvalidConfiguration, fmt.Sprintf("Invalid URL scheme '%s'", url.Scheme))

diff --git a/pulsar/internal/connection.go b/pulsar/internal/connection.go
@@ -51,6 +51,7 @@ type TLSOptions struct {
 	CipherSuites            []uint16
 	MinVersion              uint16
 	MaxVersion              uint16
+	StdTlsConfig            *tls.Config
 }
 
 var (
@@ -1083,6 +1084,10 @@ func (c *connection) closed() bool {
 }
 
 func (c *connection) getTLSConfig() (*tls.Config, error) {
+	if c.tlsOptions.StdTlsConfig != nil {
+		return c.tlsOptions.StdTlsConfig, nil
+	}
+
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: c.tlsOptions.AllowInsecureConnection,
 		CipherSuites:       c.tlsOptions.CipherSuites,

diff --git a/pulsar/internal/http_client.go b/pulsar/internal/http_client.go
@@ -339,29 +339,33 @@ func responseError(resp *http.Response) error {
 func getDefaultTransport(tlsConfig *TLSOptions) (http.RoundTripper, error) {
 	transport := http.DefaultTransport.(*http.Transport)
 	if tlsConfig != nil {
-		cfg := &tls.Config{
-			InsecureSkipVerify: tlsConfig.AllowInsecureConnection,
-			CipherSuites:       tlsConfig.CipherSuites,
-			MinVersion:         tlsConfig.MinVersion,
-			MaxVersion:         tlsConfig.MaxVersion,
-		}
-		if len(tlsConfig.TrustCertsFilePath) > 0 {
-			rootCA, err := os.ReadFile(tlsConfig.TrustCertsFilePath)
-			if err != nil {
-				return nil, err
+		if tlsConfig.StdTlsConfig != nil {
+			transport.TLSClientConfig = tlsConfig.StdTlsConfig
+		} else {
+			cfg := &tls.Config{
+				InsecureSkipVerify: tlsConfig.AllowInsecureConnection,
+				CipherSuites:       tlsConfig.CipherSuites,
+				MinVersion:         tlsConfig.MinVersion,
+				MaxVersion:         tlsConfig.MaxVersion,
+			}
+			if len(tlsConfig.TrustCertsFilePath) > 0 {
+				rootCA, err := os.ReadFile(tlsConfig.TrustCertsFilePath)
+				if err != nil {
+					return nil, err
+				}
+				cfg.RootCAs = x509.NewCertPool()
+				cfg.RootCAs.AppendCertsFromPEM(rootCA)
 			}
-			cfg.RootCAs = x509.NewCertPool()
-			cfg.RootCAs.AppendCertsFromPEM(rootCA)
-		}
 
-		if tlsConfig.CertFile != "" && tlsConfig.KeyFile != "" {
-			cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
-			if err != nil {
-				return nil, errors.New(err.Error())
+			if tlsConfig.CertFile != "" && tlsConfig.KeyFile != "" {
+				cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
+				if err != nil {
+					return nil, errors.New(err.Error())
+				}
+				cfg.Certificates = []tls.Certificate{cert}
 			}
-			cfg.Certificates = []tls.Certificate{cert}
+			transport.TLSClientConfig = cfg
 		}
-		transport.TLSClientConfig = cfg
 	}
 	transport.MaxIdleConnsPerHost = 10
 	return transport, nil