Use API internal name as TLS server name in kubeconfig

2023-06-02 13:56:30 +03:00 · 2023-06-02 13:56:30 +03:00 · 8d76b6e573
parent b0c5b8ee98
commit 8d76b6e573
3 changed files with 64 additions and 64 deletions
--- a/pkg/kubeconfig/create_kubecfg.go
+++ b/pkg/kubeconfig/create_kubecfg.go
@ -85,6 +85,7 @@ func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keysto

 	b.Context = clusterName
 	b.Server = server
+	b.TLSServerName = cluster.APIInternalName()

 	// add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB
 	//  or if we're using admin credentials and the secondary port
--- a/pkg/kubeconfig/create_kubecfg_test.go
+++ b/pkg/kubeconfig/create_kubecfg_test.go
@ -191,10 +191,11 @@ func TestBuildKubecfg(t *testing.T) {
 				user:    "",
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://testcluster.test.com",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: true,
 		},
@ -206,10 +207,11 @@ func TestBuildKubecfg(t *testing.T) {
 				admin:   DefaultKubecfgAdminLifetime,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://elbHostName:8443",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://elbHostName:8443",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: true,
 		},
@ -221,10 +223,11 @@ func TestBuildKubecfg(t *testing.T) {
 				admin:   DefaultKubecfgAdminLifetime,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://elbHostName",
-				CACerts: nil,
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://elbHostName",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       nil,
+				User:          "testcluster",
 			},
 			wantClientCert: true,
 		},
@ -236,10 +239,11 @@ func TestBuildKubecfg(t *testing.T) {
 				admin:   0,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://testcluster.test.com",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: false,
 		},
@ -252,10 +256,11 @@ func TestBuildKubecfg(t *testing.T) {
 				user:    "myuser",
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://testcluster.test.com",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "myuser",
+				Context:       "testcluster",
+				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "myuser",
 			},
 			wantClientCert: false,
 		},
@ -268,10 +273,11 @@ func TestBuildKubecfg(t *testing.T) {
 				user:    "",
 			},
 			want: &KubeconfigBuilder{
-				Context: "emptyMasterPublicNameCluster",
-				Server:  "https://api.emptyMasterPublicNameCluster",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "emptyMasterPublicNameCluster",
+				Context:       "emptyMasterPublicNameCluster",
+				Server:        "https://api.emptyMasterPublicNameCluster",
+				TLSServerName: "api.internal.emptyMasterPublicNameCluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "emptyMasterPublicNameCluster",
 			},
 			wantClientCert: false,
 		},
@ -282,10 +288,11 @@ func TestBuildKubecfg(t *testing.T) {
 				status:  fakeStatus,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testgossipcluster.k8s.local",
-				Server:  "https://elbHostName",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testgossipcluster.k8s.local",
+				Context:       "testgossipcluster.k8s.local",
+				Server:        "https://elbHostName",
+				TLSServerName: "api.internal.testgossipcluster.k8s.local",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testgossipcluster.k8s.local",
 			},
 			wantClientCert: false,
 		},
@ -298,10 +305,11 @@ func TestBuildKubecfg(t *testing.T) {
 				useKopsAuthenticationPlugin: true,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://testcluster.test.com",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://testcluster.test.com",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 				AuthenticationExec: []string{
 					"kops",
 					"helpers",
@ -321,10 +329,11 @@ func TestBuildKubecfg(t *testing.T) {
 				internal: true,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://api.internal.testcluster",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: true,
 		},
@ -336,10 +345,11 @@ func TestBuildKubecfg(t *testing.T) {
 				admin:   DefaultKubecfgAdminLifetime,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testgossipcluster.k8s.local",
-				Server:  "https://elbHostName:8443",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testgossipcluster.k8s.local",
+				Context:       "testgossipcluster.k8s.local",
+				Server:        "https://elbHostName:8443",
+				TLSServerName: "api.internal.testgossipcluster.k8s.local",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testgossipcluster.k8s.local",
 			},
 			wantClientCert: true,
 		},
@ -352,10 +362,11 @@ func TestBuildKubecfg(t *testing.T) {
 				internal: true,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://api.internal.testcluster",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: true,
 		},
@ -368,10 +379,11 @@ func TestBuildKubecfg(t *testing.T) {
 				internal: true,
 			},
 			want: &KubeconfigBuilder{
-				Context: "testcluster",
-				Server:  "https://api.internal.testcluster",
-				CACerts: []byte(nextCertificate + certData),
-				User:    "testcluster",
+				Context:       "testcluster",
+				Server:        "https://api.internal.testcluster",
+				TLSServerName: "api.internal.testcluster",
+				CACerts:       []byte(nextCertificate + certData),
+				User:          "testcluster",
 			},
 			wantClientCert: false,
 		},
--- a/pkg/kubeconfig/kubecfg_builder.go
+++ b/pkg/kubeconfig/kubecfg_builder.go
@ -19,7 +19,6 @@ package kubeconfig
 import (
 	"fmt"

-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
@ -28,7 +27,8 @@ import (
 // KubeconfigBuilder builds a kubecfg file
 // This logic previously lives in the bash scripts (create-kubeconfig in cluster/common.sh)
 type KubeconfigBuilder struct {
-	Server string
+	Server        string
+	TLSServerName string

 	Context   string
 	Namespace string
@ -77,20 +77,6 @@ func (b *KubeconfigBuilder) DeleteKubeConfig(configAccess clientcmd.ConfigAccess
 	return nil
 }

-// Create new Rest Client
-func (c *KubeconfigBuilder) BuildRestConfig() (*rest.Config, error) {
-	restConfig := &rest.Config{
-		Host: c.Server,
-	}
-	restConfig.CAData = c.CACerts
-	restConfig.CertData = c.ClientCert
-	restConfig.KeyData = c.ClientKey
-	restConfig.Username = c.KubeUser
-	restConfig.Password = c.KubePassword
-
-	return restConfig, nil
-}
-
 // Write out a new kubeconfig
 func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) error {
 	config, err := configAccess.GetStartingConfig()
@ -108,6 +94,7 @@ func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) er
 			cluster = clientcmdapi.NewCluster()
 		}
 		cluster.Server = b.Server
+		cluster.TLSServerName = b.TLSServerName
 		cluster.CertificateAuthorityData = b.CACerts

 		if config.Clusters == nil {