Merge pull request #4063 from chaosi-zju/operator

remove insecureSkipTLSVerify in operator
2023-10-28 10:42:31 +08:00 · 2023-10-28 10:42:31 +08:00 · f2c7d0b806
parent 761e22ec3c b27da00291
commit f2c7d0b806
7 changed files with 32 additions and 16 deletions
--- a/cmd/agent/app/agent.go
+++ b/cmd/agent/app/agent.go
@ -410,9 +410,8 @@ func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*cluster
 			cluster.Spec.Region = opts.ClusterRegion
 		}

-		if opts.ClusterConfig.TLSClientConfig.Insecure {
-			cluster.Spec.InsecureSkipTLSVerification = true
-		}
+		cluster.Spec.InsecureSkipTLSVerification = opts.ClusterConfig.TLSClientConfig.Insecure
+
 		if opts.ClusterConfig.Proxy != nil {
 			url, err := opts.ClusterConfig.Proxy(nil)
 			if err != nil {
--- a/operator/pkg/controlplane/metricsadapter/mainfests.go
+++ b/operator/pkg/controlplane/metricsadapter/mainfests.go
@ -35,6 +35,8 @@ spec:
        - --authentication-kubeconfig=/etc/karmada/kubeconfig
        - --authorization-kubeconfig=/etc/karmada/kubeconfig
        - --client-ca-file=/etc/karmada/pki/ca.crt
+        - --tls-cert-file=/etc/karmada/pki/karmada.crt
+        - --tls-private-key-file=/etc/karmada/pki/karmada.key
        - --audit-log-path=-
        - --audit-log-maxage=0
        - --audit-log-maxbackup=0
--- a/operator/pkg/karmadaresource/apiservice/apiservice.go
+++ b/operator/pkg/karmadaresource/apiservice/apiservice.go
@ -30,21 +30,23 @@ func init() {
 }

 // EnsureAggregatedAPIService creates aggregated APIService and a service
-func EnsureAggregatedAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace string) error {
+func EnsureAggregatedAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace, caBundle string) error {
 	if err := aggregatedApiserverService(client, name, namespace); err != nil {
 		return err
 	}

-	return aggregatedAPIService(aggregatorClient, name, namespace)
+	return aggregatedAPIService(aggregatorClient, name, namespace, caBundle)
 }

-func aggregatedAPIService(client *aggregator.Clientset, name, namespace string) error {
+func aggregatedAPIService(client *aggregator.Clientset, name, namespace, caBundle string) error {
 	apiServiceBytes, err := util.ParseTemplate(KarmadaAggregatedAPIService, struct {
 		Namespace   string
 		ServiceName string
+		CABundle    string
 	}{
 		Namespace:   namespace,
 		ServiceName: util.KarmadaAggregatedAPIServerName(name),
+		CABundle:    caBundle,
 	})
 	if err != nil {
 		return fmt.Errorf("error when parsing AggregatedApiserver APIService template: %w", err)
@ -79,15 +81,15 @@ func aggregatedApiserverService(client clientset.Interface, name, namespace stri
 }

 // EnsureMetricsAdapterAPIService creates APIService and a service for karmada-metrics-adapter
-func EnsureMetricsAdapterAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace string) error {
+func EnsureMetricsAdapterAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace, caBundle string) error {
 	if err := karmadaMetricsAdapterService(client, name, namespace); err != nil {
 		return err
 	}

-	return karmadaMetricsAdapterAPIService(aggregatorClient, name, namespace)
+	return karmadaMetricsAdapterAPIService(aggregatorClient, name, namespace, caBundle)
 }

-func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespace string) error {
+func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespace, caBundle string) error {
 	for _, gv := range constants.KarmadaMetricsAdapterAPIServices {
 		// The APIService name to metrics adapter is "$version.$group"
 		apiServiceName := fmt.Sprintf("%s.%s", gv.Version, gv.Group)
@ -95,12 +97,14 @@ func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespa
 		apiServiceBytes, err := util.ParseTemplate(KarmadaMetricsAdapterAPIService, struct {
 			Name, Namespace             string
 			ServiceName, Group, Version string
+			CABundle                    string
 		}{
 			Name:        apiServiceName,
 			Namespace:   namespace,
 			Group:       gv.Group,
 			Version:     gv.Version,
 			ServiceName: util.KarmadaMetricsAdapterName(name),
+			CABundle:    caBundle,
 		})
 		if err != nil {
 			return fmt.Errorf("error when parsing KarmadaMetricsAdapter APIService %s template: %w", apiServiceName, err)
--- a/operator/pkg/karmadaresource/apiservice/manifest.go
+++ b/operator/pkg/karmadaresource/apiservice/manifest.go
@ -13,7 +13,7 @@ metadata:
 spec:
  group: cluster.karmada.io
  groupPriorityMinimum: 2000
-  insecureSkipTLSVerify: true
+  caBundle: {{ .CABundle }}
  service:
    name: {{ .ServiceName }}
    namespace: {{ .Namespace }}
@ -45,7 +45,7 @@ spec:
    namespace: {{ .Namespace }}
  group: {{ .Group }}
  version: {{ .Version }}
-  insecureSkipTLSVerify: true
+  caBundle: {{ .CABundle }}
  groupPriorityMinimum: 100
  versionPriority: 200
 `
--- a/operator/pkg/tasks/init/component.go
+++ b/operator/pkg/tasks/init/component.go
@ -1,6 +1,7 @@
 package tasks

 import (
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"time"
@ -185,7 +186,13 @@ func runDeployMetricAdapterAPIService(r workflow.RunData) error {
 		return err
 	}

-	err = apiservice.EnsureMetricsAdapterAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace())
+	cert := data.GetCert(constants.CaCertAndKeyName)
+	if len(cert.CertData()) == 0 {
+		return errors.New("unexpected empty ca cert data for aggregatedAPIService")
+	}
+	caBase64 := base64.StdEncoding.EncodeToString(cert.CertData())
+
+	err = apiservice.EnsureMetricsAdapterAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace(), caBase64)
 	if err != nil {
 		return fmt.Errorf("failed to apply karmada-metrics-adapter APIService resource to karmada controlplane, err: %w", err)
 	}
--- a/operator/pkg/tasks/init/karmadaresource.go
+++ b/operator/pkg/tasks/init/karmadaresource.go
@ -185,7 +185,13 @@ func runAPIService(r workflow.RunData) error {
 		return err
 	}

-	err = apiservice.EnsureAggregatedAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace())
+	cert := data.GetCert(constants.CaCertAndKeyName)
+	if len(cert.CertData()) == 0 {
+		return errors.New("unexpected empty ca cert data for aggregatedAPIService")
+	}
+	caBase64 := base64.StdEncoding.EncodeToString(cert.CertData())
+
+	err = apiservice.EnsureAggregatedAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace(), caBase64)
 	if err != nil {
 		return fmt.Errorf("failed to apply aggregated APIService resource to karmada controlplane, err: %w", err)
 	}
--- a/pkg/karmadactl/join/join.go
+++ b/pkg/karmadactl/join/join.go
@ -255,9 +255,7 @@ func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*cluster
 		clusterObj.Spec.Region = opts.ClusterRegion
 	}

-	if opts.ClusterConfig.TLSClientConfig.Insecure {
-		clusterObj.Spec.InsecureSkipTLSVerification = true
-	}
+	clusterObj.Spec.InsecureSkipTLSVerification = opts.ClusterConfig.TLSClientConfig.Insecure

 	if opts.ClusterConfig.Proxy != nil {
 		url, err := opts.ClusterConfig.Proxy(nil)