Use API internal name as TLS server name in kubeconfig

This commit is contained in:
Ciprian Hacman 2023-06-02 13:56:30 +03:00
parent b0c5b8ee98
commit 8d76b6e573
3 changed files with 64 additions and 64 deletions


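--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -85,6 +85,7 @@ func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keysto
 b.Context = clusterName
 b.Server = server
+b.TLSServerName = cluster.APIInternalName()
 // add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB
 // or if we're using admin credentials and the secondary port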
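Review bot: `b.TLSServerName = cluster.APIInternalName()` is set unconditionally, while the comment directly below it says the CA cert is only added to the kubeconfig when no certificate was specified for the LB. When the LB presents its own certificate (the `CACerts: nil` case), the client will verify that certificate against the internal API name instead of the host in Server, which presumably fails unless that certificate also covers the internal name. Consider gating the assignment on the same condition that adds the kops CA, e.g. `if <kops CA in use> { b.TLSServerName = cluster.APIInternalName() }`, and adjusting the matching expectation in the test section (the case with `CACerts: nil`). BuildKubecfg continues outside the hunk, so the exact condition is not visible here.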


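--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -191,10 +191,11 @@ func TestBuildKubecfg(t *testing.T) {
 user: "",
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://testcluster.test.com",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -206,10 +207,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://elbHostName:8443",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -221,10 +223,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://elbHostName",
+TLSServerName: "api.internal.testcluster",
 CACerts: nil,
 User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -236,10 +239,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: 0,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://testcluster.test.com",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: false,
 },
@@ -252,10 +256,11 @@ func TestBuildKubecfg(t *testing.T) {
 user: "myuser",
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://testcluster.test.com",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "myuser",
 },
 wantClientCert: false,
 },
@@ -268,10 +273,11 @@ func TestBuildKubecfg(t *testing.T) {
 user: "",
 },
 want: &KubeconfigBuilder{
 Context: "emptyMasterPublicNameCluster",
 Server: "https://api.emptyMasterPublicNameCluster",
+TLSServerName: "api.internal.emptyMasterPublicNameCluster",
 CACerts: []byte(nextCertificate + certData),
 User: "emptyMasterPublicNameCluster",
 },
 wantClientCert: false,
 },
@@ -282,10 +288,11 @@ func TestBuildKubecfg(t *testing.T) {
 status: fakeStatus,
 },
 want: &KubeconfigBuilder{
 Context: "testgossipcluster.k8s.local",
 Server: "https://elbHostName",
+TLSServerName: "api.internal.testgossipcluster.k8s.local",
 CACerts: []byte(nextCertificate + certData),
 User: "testgossipcluster.k8s.local",
 },
 wantClientCert: false,
 },
@@ -298,10 +305,11 @@ func TestBuildKubecfg(t *testing.T) {
 useKopsAuthenticationPlugin: true,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://testcluster.test.com",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 AuthenticationExec: []string{
 "kops",
 "helpers",
@@ -321,10 +329,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://api.internal.testcluster",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -336,10 +345,11 @@ func TestBuildKubecfg(t *testing.T) {
 admin: DefaultKubecfgAdminLifetime,
 },
 want: &KubeconfigBuilder{
 Context: "testgossipcluster.k8s.local",
 Server: "https://elbHostName:8443",
+TLSServerName: "api.internal.testgossipcluster.k8s.local",
 CACerts: []byte(nextCertificate + certData),
 User: "testgossipcluster.k8s.local",
 },
 wantClientCert: true,
 },
@@ -352,10 +362,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://api.internal.testcluster",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: true,
 },
@@ -368,10 +379,11 @@ func TestBuildKubecfg(t *testing.T) {
 internal: true,
 },
 want: &KubeconfigBuilder{
 Context: "testcluster",
 Server: "https://api.internal.testcluster",
+TLSServerName: "api.internal.testcluster",
 CACerts: []byte(nextCertificate + certData),
 User: "testcluster",
 },
 wantClientCert: false,
 },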


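--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -19,7 +19,6 @@ package kubeconfig
 import (
 "fmt"
-"k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 "k8s.io/klog/v2"
@@ -28,7 +27,8 @@ import (
 // KubeconfigBuilder builds a kubecfg file
 // This logic previously lives in the bash scripts (create-kubeconfig in cluster/common.sh)
 type KubeconfigBuilder struct {
 Server string
+TLSServerName string
 Context string
 Namespace string
@@ -77,20 +77,6 @@ func (b *KubeconfigBuilder) DeleteKubeConfig(configAccess clientcmd.ConfigAccess
 return nil
 }
-// Create new Rest Client
-func (c *KubeconfigBuilder) BuildRestConfig() (*rest.Config, error) {
-restConfig := &rest.Config{
-Host: c.Server,
-}
-restConfig.CAData = c.CACerts
-restConfig.CertData = c.ClientCert
-restConfig.KeyData = c.ClientKey
-restConfig.Username = c.KubeUser
-restConfig.Password = c.KubePassword
-return restConfig, nil
-}
 // Write out a new kubeconfig
 func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) error {
 config, err := configAccess.GetStartingConfig()
@@ -108,6 +94,7 @@ func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) er
 cluster = clientcmdapi.NewCluster()
 }
 cluster.Server = b.Server
+cluster.TLSServerName = b.TLSServerName
 cluster.CertificateAuthorityData = b.CACerts
 if config.Clusters == nil {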
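Review bot: The new exported field `TLSServerName` on KubeconfigBuilder has no doc comment, and since it changes which name the API server certificate is checked against, a reader should not have to guess its effect. Suggested: `// TLSServerName, if set, is the name the API server certificate is verified against instead of the host in Server; leave it empty when that certificate is issued for the Server host.` In WriteKubecfg the line `cluster.TLSServerName = b.TLSServerName` also overwrites whatever a pre-existing cluster entry held, clearing it when the builder leaves the field empty; that is presumably intended, but a short comment saying so would help. WriteKubecfg continues outside the hunk.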