Support empty root CA for konnectivity

Kubernetes-commit: 55b89a6451d253532ede0736d7bc8af62f396596

pkg/apis/apiserver/types.go

@@ -114,13 +114,13 @@ type TCPTransport struct {
 
 	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
 	// +optional
-	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
+	TLSConfig *TLSConfig
 }
 
 // UDSTransport provides the information to connect to konnectivity server via UDS
 type UDSTransport struct {
 	// UDSName is the name of the unix domain socket to connect to konnectivity server
-	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket)
+	// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
 	UDSName string
 }
 
@@ -129,22 +129,23 @@ type UDSTransport struct {
 type TLSConfig struct {
 	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
 	// Must be absent/empty HTTPConnect using the plain http
-	// Must be configured for HTTPConnect using the https protocol
+	// If absent while using the HTTPConnect protocol with HTTPS
+	// default to system trust roots
 	// Misconfiguration will cause an error
 	// +optional
-	CABundle string `json:"caBundle,omitempty"`
+	CABundle string
 
 	// clientKey is the file location of the client key to authenticate with the konnectivity server
 	// Must be absent/empty HTTPConnect using the plain http
 	// Must be configured for HTTPConnect using the https protocol
 	// Misconfiguration will cause an error
 	// +optional
-	ClientKey string `json:"clientKey,omitempty"`
+	ClientKey string
 
 	// clientCert is the file location of the client certificate to authenticate with the konnectivity server
 	// Must be absent/empty HTTPConnect using the plain http
 	// Must be configured for HTTPConnect using the https protocol
 	// Misconfiguration will cause an error
 	// +optional
-	ClientCert string `json:"clientCert,omitempty"`
+	ClientCert string
 }

pkg/apis/apiserver/v1alpha1/types.go

@@ -110,17 +110,17 @@ type Transport struct {
 type TCPTransport struct {
 	// URL is the location of the konnectivity server to connect to.
 	// As an example it might be "https://127.0.0.1:8131"
-	URL string
+	URL string `json:"url,omitempty"`
 
 	// TLSConfig is the config needed to use TLS when connecting to konnectivity server
 	// +optional
-	TLSConfig *TLSConfig
+	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
 }
 
 // UDSTransport provides the information to connect to konnectivity server via UDS
 type UDSTransport struct {
 	// UDSName is the name of the unix domain socket to connect to konnectivity server
-	UDSName string
+	UDSName string `json:"udsName,omitempty"`
 }
 
 // TLSConfig provides the authentication information to connect to konnectivity server
@@ -128,14 +128,14 @@ type UDSTransport struct {
 type TLSConfig struct {
 	// caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
 	// Must be absent/empty HTTPConnect using the plain http
-	// Must be configured for HTTPConnect using the https protocol
+	// If absent while using the HTTPConnect protocol with HTTPS
+	// default to system trust roots
 	// Misconfiguration will cause an error
 	// +optional
 	CABundle string `json:"caBundle,omitempty"`
 
 	// clientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
 	// Must be absent/empty HTTPConnect using the plain http
-	// Must be configured for HTTPConnect using the https protocol
 	// Misconfiguration will cause an error
 	// +optional
 	ClientKey string `json:"clientKey,omitempty"`

pkg/server/egressselector/config.go

@@ -148,16 +148,13 @@ func validateTCPConnection(connection apiserver.Connection, fldPath *field.Path)
 			"nil",
 			"TLSConfig config should be present for HTTPConnect via tcp"))
 	} else if strings.HasPrefix(connection.Transport.TCP.URL, "https://") {
-		if connection.Transport.TCP.TLSConfig.CABundle == "" {
-			allErrs = append(allErrs, field.Invalid(
-				fldPath.Child("tlsConfig", "caBundle"),
-				"nil",
-				"HTTPConnect via https requires caBundle"))
-		} else if exists, err := path.Exists(path.CheckFollowSymlink, connection.Transport.TCP.TLSConfig.CABundle); exists == false || err != nil {
-			allErrs = append(allErrs, field.Invalid(
-				fldPath.Child("tlsConfig", "caBundle"),
-				connection.Transport.TCP.TLSConfig.CABundle,
-				"HTTPConnect ca bundle does not exist"))
+		if connection.Transport.TCP.TLSConfig.CABundle != "" {
+			if exists, err := path.Exists(path.CheckFollowSymlink, connection.Transport.TCP.TLSConfig.CABundle); exists == false || err != nil {
+				allErrs = append(allErrs, field.Invalid(
+					fldPath.Child("tlsConfig", "caBundle"),
+					connection.Transport.TCP.TLSConfig.CABundle,
+					"HTTPConnect ca bundle does not exist"))
+			}
 		}
 		if connection.Transport.TCP.TLSConfig.ClientCert == "" {
 			allErrs = append(allErrs, field.Invalid(

pkg/server/egressselector/egress_selector.go

@@ -138,13 +138,17 @@ func createConnectTCPDialer(tcpTransport *apiserver.TCPTransport) (utilnet.DialF
 		return nil, fmt.Errorf("failed to read key pair %s & %s, got %v", clientCert, clientKey, err)
 	}
 	certPool := x509.NewCertPool()
-	certBytes, err := ioutil.ReadFile(caCert)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read cert file %s, got %v", caCert, err)
-	}
-	ok := certPool.AppendCertsFromPEM(certBytes)
-	if !ok {
-		return nil, fmt.Errorf("failed to append CA cert to the cert pool")
+	if caCert != "" {
+		certBytes, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read cert file %s, got %v", caCert, err)
+		}
+		ok := certPool.AppendCertsFromPEM(certBytes)
+		if !ok {
+			return nil, fmt.Errorf("failed to append CA cert to the cert pool")
+		}
+	} else {
+		certPool = nil
 	}
 	contextDialer := func(ctx context.Context, network, addr string) (net.Conn, error) {
 		klog.V(4).Infof("Sending request to %q.", addr)