feat: Add ca to check the validation of the member clusters' server certificate #4183
Conversation
karmada-bot
added
the
kind/feature
karmada-bot
added
the
size/M
jwcesign
force-pushed
the
fix-insecure
branch
2 times, most recently
from
8ce3bd7
to
56e9649
Compare
jwcesign
force-pushed
the
fix-insecure
branch
from
56e9649
to
1362e7b
Compare
|
The unit test is failing, @jwcesign : |
| @@ -94,14 +102,39 @@ func NewThrottledUpgradeAwareProxyHandler(location *url.URL, transport http.Roun | |||
| return proxy.NewUpgradeAwareHandler(location, transport, wrapTransport, upgradeRequired, proxy.NewErrorResponder(responder)) | |||
| } | |||
|
|
|||
| func GetTlsConfigForCluster(ctx context.Context, cluster *clusterapis.Cluster, secretGetter SecretGetterFunc) (*tls.Config, error) { | |||
| if cluster.Spec.SecretRef == nil { | |||
There was a problem hiding this comment.
Can you remind me when the secret would not exist?
There was a problem hiding this comment.
From my point of view, it couldn't be empty. But I saw it's an optional field in the struct comment. Or I delete this field with kubectl.
There was a problem hiding this comment.
For Pull mode cluster, the karmada-agent may not set the secret, see the usage from karmada-agent:
--report-secrets strings
The secrets that are allowed to be reported to the Karmada control plane during registering. Valid values are 'KubeCredentials', 'KubeImpersonator' and 'None'. e.g
'KubeCredentials,KubeImpersonator' or 'None'. (default [KubeCredentials,KubeImpersonator])
There was a problem hiding this comment.
| if cluster.Spec.SecretRef == nil { | |
| // The secret is optional for a pull-mode cluster, if no secret just returns a config with root CA unset. | |
| if cluster.Spec.SecretRef == nil { |
Maybe we can have a comment here.
| return &tls.Config{ | ||
| RootCAs: caCertPool, | ||
| MinVersion: tls.VersionTLS13, | ||
| InsecureSkipVerify: cluster.Spec.InsecureSkipTLSVerification, //nolint:gosec |
There was a problem hiding this comment.
Can we remove the nolint:gosec now?
Same as above.
There was a problem hiding this comment.
If delete it, there is a lint error: cluster.Spec.InsecureSkipTLSVerification may be true.
But it's allowed to be true(if users want to do it).
There was a problem hiding this comment.
Before:
pkg/util/proxy/proxy.go:109:24: G402: TLS InsecureSkipVerify set true. (gosec)
InsecureSkipVerify: true,
After:
pkg/util/proxy/proxy.go:109:24: G402: TLS InsecureSkipVerify may be true. (gosec)
InsecureSkipVerify: cluster.Spec.InsecureSkipTLSVerification,
we might need a comment to explain it.
Signed-off-by: jwcesign <[email protected]>
jwcesign
force-pushed
the
fix-insecure
branch
from
1362e7b
to
d891cd0
Compare
karmada-bot
added
size/L
jwcesign
force-pushed
the
fix-insecure
branch
2 times, most recently
from
a360866
to
4e89504
Compare
| @@ -94,14 +102,39 @@ func NewThrottledUpgradeAwareProxyHandler(location *url.URL, transport http.Roun | |||
| return proxy.NewUpgradeAwareHandler(location, transport, wrapTransport, upgradeRequired, proxy.NewErrorResponder(responder)) | |||
| } | |||
|
|
|||
| func GetTlsConfigForCluster(ctx context.Context, cluster *clusterapis.Cluster, secretGetter SecretGetterFunc) (*tls.Config, error) { | |||
| if cluster.Spec.SecretRef == nil { | |||
There was a problem hiding this comment.
| if cluster.Spec.SecretRef == nil { | |
| // The secret is optional for a pull-mode cluster, if no secret just returns a config with root CA unset. | |
| if cluster.Spec.SecretRef == nil { |
Maybe we can have a comment here.
jwcesign
force-pushed
the
fix-insecure
branch
from
4e89504
to
473b2be
Compare
Codecov ReportAttention:
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #4183 +/- ##
==========================================
- Coverage 52.91% 52.86% -0.06%
==========================================
Files 239 239
Lines 23526 23571 +45
==========================================
+ Hits 12449 12460 +11
- Misses 10401 10434 +33
- Partials 676 677 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
☔ View full report in Codecov by Sentry. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RainbowMango The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
karmada-bot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #4182
Special notes for your reviewer:
If I change the following line to false:
karmada/pkg/util/proxy/proxy.go
Line 79 in 3267155
It will have the following error in
karmada-aggregated-apiserver:And karmadactl couldn't list the pods in member clusters:
With this PR, everything works fine
Does this PR introduce a user-facing change?: