From 8d76b6e5737e5ec2037aed919a43d34d45e2ad13 Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Fri, 2 Jun 2023 13:56:30 +0300 Subject: [PATCH] Use API internal name as TLS server name in kubeconfig --- pkg/kubeconfig/create_kubecfg.go | 1 + pkg/kubeconfig/create_kubecfg_test.go | 108 ++++++++++++++------------ pkg/kubeconfig/kubecfg_builder.go | 19 +---- 3 files changed, 64 insertions(+), 64 deletions(-) diff --git a/pkg/kubeconfig/create_kubecfg.go b/pkg/kubeconfig/create_kubecfg.go index 1b151ac74e..09ebed5972 100644 --- a/pkg/kubeconfig/create_kubecfg.go +++ b/pkg/kubeconfig/create_kubecfg.go @@ -85,6 +85,7 @@ func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keysto b.Context = clusterName b.Server = server + b.TLSServerName = cluster.APIInternalName() // add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB // or if we're using admin credentials and the secondary port diff --git a/pkg/kubeconfig/create_kubecfg_test.go b/pkg/kubeconfig/create_kubecfg_test.go index e8338f74bb..0b068491c7 100644 --- a/pkg/kubeconfig/create_kubecfg_test.go +++ b/pkg/kubeconfig/create_kubecfg_test.go @@ -191,10 +191,11 @@ func TestBuildKubecfg(t *testing.T) { user: "", }, want: &KubeconfigBuilder{ - Context: "testcluster", - Server: "https://testcluster.test.com", - CACerts: []byte(nextCertificate + certData), - User: "testcluster", + Context: "testcluster", + Server: "https://testcluster.test.com", + TLSServerName: "api.internal.testcluster", + CACerts: []byte(nextCertificate + certData), + User: "testcluster", }, wantClientCert: true, }, 
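Review bot: The added `b.TLSServerName = cluster.APIInternalName()` in the create_kubecfg.go hunk is unconditional, while the comment two lines below says the CA cert is only embedded when no certificate was specified for the LB (or admin credentials use the secondary port); in the branch where no CA is embedded the client falls back to system roots and, with this change, verifies the LB's certificate against api.internal.<cluster>, a name a certificate issued for the LB's public hostname presumably does not carry, so the exported kubeconfig would fail TLS verification. The assignment should move inside the same `if` that adds the CA cert (that `if` starts after the hunk, and BuildKubecfg continues outside it), so the internal name is pinned only when the kops CA is what validates the connection. I would also document the intent on that line: `// The kops CA issues the API server certificate for the internal name; pin it as tls-server-name so verification succeeds when Server is an LB hostname or IP that is not in the certificate's SANs.`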
@@ -206,10 +207,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://elbHostName:8443",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://elbHostName:8443",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -221,10 +223,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://elbHostName",
- CACerts: nil,
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://elbHostName",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: nil,
+ User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -236,10 +239,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: 0,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://testcluster.test.com",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://testcluster.test.com",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 },
 wantClientCert: false,
 },
@@ -252,10 +256,11 @@ func TestBuildKubecfg(t *testing.T) {
 user: "myuser",
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://testcluster.test.com",
- CACerts: []byte(nextCertificate + certData),
- User: "myuser",
+ Context: "testcluster",
+ Server: "https://testcluster.test.com",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "myuser",
 },
 wantClientCert: false,
 },
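Review bot: The expectation in the `@@ -221,10 +223,11 @@` hunk pins `TLSServerName: "api.internal.testcluster"` together with `CACerts: nil`, which per the comment in create_kubecfg.go is the case where a certificate was specified for the LB and no CA is embedded. Unless that LB certificate also carries api.internal.testcluster as a SAN, this locks in a kubeconfig whose tls-server-name cannot match the certificate the system trust store will see, so the test documents a configuration that presumably fails verification rather than guarding against it. I would expect this case to keep the field empty, i.e. drop the `TLSServerName:` line from this one expected struct (leaving the other cases unchanged), with the matching condition applied in BuildKubecfg; the test table continues outside the hunk.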
@@ -268,10 +273,11 @@ func TestBuildKubecfg(t *testing.T) {
 user: "",
 },
 want: &KubeconfigBuilder{
- Context: "emptyMasterPublicNameCluster",
- Server: "https://api.emptyMasterPublicNameCluster",
- CACerts: []byte(nextCertificate + certData),
- User: "emptyMasterPublicNameCluster",
+ Context: "emptyMasterPublicNameCluster",
+ Server: "https://api.emptyMasterPublicNameCluster",
+ TLSServerName: "api.internal.emptyMasterPublicNameCluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "emptyMasterPublicNameCluster",
 },
 wantClientCert: false,
 },
@@ -282,10 +288,11 @@ func TestBuildKubecfg(t *testing.T) {
 status: fakeStatus,
 },
 want: &KubeconfigBuilder{
- Context: "testgossipcluster.k8s.local",
- Server: "https://elbHostName",
- CACerts: []byte(nextCertificate + certData),
- User: "testgossipcluster.k8s.local",
+ Context: "testgossipcluster.k8s.local",
+ Server: "https://elbHostName",
+ TLSServerName: "api.internal.testgossipcluster.k8s.local",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testgossipcluster.k8s.local",
 },
 wantClientCert: false,
 },
@@ -298,10 +305,11 @@ func TestBuildKubecfg(t *testing.T) {
 useKopsAuthenticationPlugin: true,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://testcluster.test.com",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://testcluster.test.com",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 AuthenticationExec: []string{
 "kops",
 "helpers",
@@ -321,10 +329,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://api.internal.testcluster",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://api.internal.testcluster",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -336,10 +345,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
- Context: "testgossipcluster.k8s.local",
- Server: "https://elbHostName:8443",
- CACerts: []byte(nextCertificate + certData),
- User: "testgossipcluster.k8s.local",
+ Context: "testgossipcluster.k8s.local",
+ Server: "https://elbHostName:8443",
+ TLSServerName: "api.internal.testgossipcluster.k8s.local",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testgossipcluster.k8s.local",
 },
 wantClientCert: true,
 },
@@ -352,10 +362,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://api.internal.testcluster",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://api.internal.testcluster",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -368,10 +379,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
- Context: "testcluster",
- Server: "https://api.internal.testcluster",
- CACerts: []byte(nextCertificate + certData),
- User: "testcluster",
+ Context: "testcluster",
+ Server: "https://api.internal.testcluster",
+ TLSServerName: "api.internal.testcluster",
+ CACerts: []byte(nextCertificate + certData),
+ User: "testcluster",
 },
 wantClientCert: false,
 },
diff --git a/pkg/kubeconfig/kubecfg_builder.go b/pkg/kubeconfig/kubecfg_builder.go index 0220791681..e12421828c 100644 --- a/pkg/kubeconfig/kubecfg_builder.go +++ b/pkg/kubeconfig/kubecfg_builder.go @@ -19,7 +19,6 @@ package kubeconfig import ( "fmt" - "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" "k8s.io/klog/v2" @@ -28,7 +27,8 @@ import ( // KubeconfigBuilder builds a kubecfg file // This logic previously lives in the bash scripts (create-kubeconfig in cluster/common.sh) type KubeconfigBuilder struct { - Server string + Server string + TLSServerName string Context string Namespace string @@ -77,20 +77,6 @@ func (b *KubeconfigBuilder) DeleteKubeConfig(configAccess clientcmd.ConfigAccess return nil } -// Create new Rest Client -func (c *KubeconfigBuilder) BuildRestConfig() (*rest.Config, error) { - restConfig := &rest.Config{ - Host: c.Server, - } - restConfig.CAData = c.CACerts - restConfig.CertData = c.ClientCert - restConfig.KeyData = c.ClientKey - restConfig.Username = c.KubeUser - restConfig.Password = c.KubePassword - - return restConfig, nil -} - // Write out a new kubeconfig func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) error { config, err := configAccess.GetStartingConfig() @@ -108,6 +94,7 @@ func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) er cluster = clientcmdapi.NewCluster() } cluster.Server = b.Server + cluster.TLSServerName = b.TLSServerName cluster.CertificateAuthorityData = b.CACerts if config.Clusters == nil {
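Review bot: The new exported field `TLSServerName string` in the `@@ -28,7 +27,8 @@` hunk has no doc comment, and since it changes how every kubeconfig written by WriteKubecfg is verified it should say so; the struct body continues past the hunk. I would add above it: `// TLSServerName, when non-empty, is written to the cluster entry as tls-server-name: the name the API server certificate is checked against (and sent as SNI) instead of the host part of Server, so it must appear in that certificate's SANs.` That last clause is what a reader needs to avoid setting it for a server whose certificate is issued for a different name.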