Merge pull request #4371 from CharlesQQ/proxy-fix
fix(util/proxy): fix tls.config when secret.spec.caBundle is nil
karmada-bot authored Dec 9, 2023
2 parents fdbb322 + fca22c2 commit e2c6ece
Showing 1 changed file with 5 additions and 8 deletions.
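--- a/pkg/util/proxy/proxy.go
+++ b/pkg/util/proxy/proxy.go
@@ -137,13 +137,10 @@ func GetTlsConfigForCluster(ctx context.Context, cluster *clusterapis.Cluster, s
 if err != nil {
 return nil, err
 }
-caBundle, err := getClusterCABundle(cluster.Name, caSecret)
-if err != nil {
-return nil, fmt.Errorf("failed to get CA bundle for cluster %s: %v", cluster.Name, err)
-}
+caBundle := getClusterCABundle(caSecret)
 
 caCertPool := x509.NewCertPool()
-caCertPool.AppendCertsFromPEM([]byte(caBundle))
+caCertPool.AppendCertsFromPEM(caBundle)
 return &tls.Config{
 RootCAs: caCertPool,
 MinVersion: tls.VersionTLS13,
@@ -221,12 +218,12 @@ func ImpersonateToken(clusterName string, secret *corev1.Secret) (string, error)
 return string(token), nil
 }
 
-func getClusterCABundle(clusterName string, secret *corev1.Secret) (string, error) {
+func getClusterCABundle(secret *corev1.Secret) []byte {
 caBundle, found := secret.Data[clusterapis.SecretCADataKey]
 if !found {
-return "", fmt.Errorf("the CA bundle of cluster %s is empty", clusterName)
+return []byte{}
 }
-return string(caBundle), nil
+return caBundle
 }
 
 // SkipGroup tells whether the input group can be skipped during impersonate.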
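Review bot: The boolean result of `caCertPool.AppendCertsFromPEM(caBundle)` is discarded in GetTlsConfigForCluster, so a missing or malformed CA bundle now yields a non-nil but empty `RootCAs` pool with no error. Go treats a non-nil empty pool as "trust nothing" rather than falling back to the host roots, so verification fails closed, but only later as an opaque handshake error instead of the explicit message the removed branch produced. If the intent for a secret without CA data is to use the system roots, `RootCAs` should stay nil in that case; and a present-but-unparseable bundle is worth rejecting up front, e.g. `if len(caBundle) > 0 && !caCertPool.AppendCertsFromPEM(caBundle) { return nil, fmt.Errorf("invalid CA bundle for cluster %s", cluster.Name) }`. The body of GetTlsConfigForCluster starts and ends outside the hunk, so any earlier handling of this case is not visible here.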
