fix(util/proxy): fix tls.config when secret.spec.caBundle is nil

[CharlesQQ]

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #4370

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

`karmadactl`: Fixed return err in case of  secret.spec. caBundle is nil

[codecov-commenter]

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (09a43c6) 51.87% compared to head (fca22c2) 51.89%.
Report is 10 commits behind head on master.

Files	Patch %	Lines
pkg/util/proxy/proxy.go	0.00%	5 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4371      +/-   ##
==========================================
+ Coverage   51.87%   51.89%   +0.01%     
==========================================
  Files         243      243              
  Lines       24114    24112       -2     
==========================================
+ Hits        12509    12512       +3     
+ Misses      10922    10918       -4     
+ Partials      683      682       -1     

Flag	Coverage Δ
unittests	51.89% <0.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[XiShanYongYe-Chang]

/assign @jwcesign

[jwcesign]

Should we set the RootCAs even if InsecureSkipTLSVerification is true(If the caBundle exists)?

[CharlesQQ]

Should we set the RootCAs even if InsecureSkipTLSVerification is true(If the caBundle exists)?

en.., sure, It's a batter choice

[CharlesQQ]

/cc @jwcesign

[jwcesign]

lgtm

cc @chaosi-zju for double checking

[chaosi-zju]

hi, in your case, cluster.Spec.InsecureSkipTLSVerification=true and caBundle="", you code works fine.

But, if cluster.Spec.InsecureSkipTLSVerification=false and caBundle="", this case may be we should report error if caBundle is empty?

Otherwise, you see, caBundle is empty and we return &tls.Config{InsecureSkipVerify: false}, this is a invalid config.

[jwcesign]

if cluster.Spec.InsecureSkipTLSVerification=false and caBundle="", this case may be we should report error if caBundle is empty?

I think, if the ca in the container is correct, it will still work fine

[CharlesQQ]

hi, in your case, cluster.Spec.InsecureSkipTLSVerification=true and caBundle="", you code works fine.

But, if cluster.Spec.InsecureSkipTLSVerification=false and caBundle="", this case may be we should report error if caBundle is empty?

Otherwise, you see, caBundle is empty and we return &tls.Config{InsecureSkipVerify: false}, this is a invalid config.

got it!!!

[jwcesign]

How about this? @chaosi-zju @CharlesQQ

func getClusterCABundle(clusterName string, secret *corev1.Secret) []byte {
	caBundle, found := secret.Data[clusterapis.SecretCADataKey]
	if !found {
		return []byte{}
	}
	return caBundle
}

func GetTlsConfigForCluster(ctx context.Context, cluster *clusterapis.Cluster, secretGetter SecretGetterFunc) (*tls.Config, error) {
        ...
        caBundle := getClusterCABundle(cluster.Name, caSecret)
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caBundle)
	return &tls.Config{
		RootCAs:    caCertPool,
		MinVersion: tls.VersionTLS13,
		// Ignore false positive warning: "TLS InsecureSkipVerify may be true. (gosec)"
		// Whether to skip server certificate verification depends on the
		// configuration(.spec.insecureSkipTLSVerification, defaults to false) in a Cluster object.
		InsecureSkipVerify: cluster.Spec.InsecureSkipTLSVerification, //nolint:gosec
	}, nil

[chaosi-zju]

I think, if the ca in the container is correct, it will still work fine

I got your point.

How about this?

I think perfect.

[jwcesign]

Hi, @CharlesQQ
Can you help update this?

[CharlesQQ]

How about this? @chaosi-zju @CharlesQQ

func getClusterCABundle(clusterName string, secret *corev1.Secret) []byte {
	caBundle, found := secret.Data[clusterapis.SecretCADataKey]
	if !found {
		return []byte{}
	}
	return caBundle
}

func GetTlsConfigForCluster(ctx context.Context, cluster *clusterapis.Cluster, secretGetter SecretGetterFunc) (*tls.Config, error) {
        ...
        caBundle := getClusterCABundle(cluster.Name, caSecret)
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caBundle)
	return &tls.Config{
		RootCAs:    caCertPool,
		MinVersion: tls.VersionTLS13,
		// Ignore false positive warning: "TLS InsecureSkipVerify may be true. (gosec)"
		// Whether to skip server certificate verification depends on the
		// configuration(.spec.insecureSkipTLSVerification, defaults to false) in a Cluster object.
		InsecureSkipVerify: cluster.Spec.InsecureSkipTLSVerification, //nolint:gosec
	}, nil

motified!!!

[jwcesign]

Nice work! Thanks for your contribution.

/lgtm

[jwcesign]

/cc @RainbowMango

[XiShanYongYe-Chang]

Thanks @CharlesQQ
LGMT

I think this should affect user behavior. Can we add a release note to explain it?

[XiShanYongYe-Chang]

/kind bug

[CharlesQQ]

Thanks @CharlesQQ LGMT

I think this should affect user behavior. Can we add a release note to explain it?

Of cause

[XiShanYongYe-Chang]

/approve

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: XiShanYongYe-Chang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/util/OWNERS [XiShanYongYe-Chang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment