Adding HTTPS support for managed cluster

kubernetes-sigs · Aug 16, 2023 · 7eb5cec · 7eb5cec
1 parent 0c70abe
commit 7eb5cec
Show file tree

Hide file tree

Showing 7 changed files with 166 additions and 0 deletions.
diff --git a/api/v1beta1/azuremanagedcontrolplane_types.go b/api/v1beta1/azuremanagedcontrolplane_types.go
@@ -186,6 +186,30 @@ type AzureManagedControlPlaneSpec struct {
 	// For authentication with Azure Container Registry.
 	// +optional
 	KubeletUserAssignedIdentity string `json:"kubeletUserAssignedIdentity,omitempty"`
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	// Immutable.
+	// +optional
+	HTTPProxyConfig *HTTPProxyConfig `json:"httpProxyConfig,omitempty"`
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy is the HTTP proxy server endpoint to use.
+	// +optional
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+
+	// HTTPSProxy is the HTTPS proxy server endpoint to use.
+	// +optional
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+
+	// NoProxy indicates the endpoints that should not go through proxy.
+	// +optional
+	NoProxy []string `json:"noProxy,omitempty"`
+
+	// TrustedCA is the alternative CA cert to use for connecting to proxy servers.
+	// +optional
+	TrustedCA *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile - AAD integration managed by AKS.

diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook.go b/api/v1beta1/azuremanagedcontrolplane_webhook.go
@@ -200,6 +200,13 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o
 		allErrs = append(allErrs, err)
 	}
 
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("Spec", "HTTPProxyConfig"),
+		old.Spec.HTTPProxyConfig,
+		m.Spec.HTTPProxyConfig); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	if err := webhookutils.ValidateImmutable(
 		field.NewPath("Spec", "AzureEnvironment"),
 		old.Spec.AzureEnvironment,

diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook_test.go b/api/v1beta1/azuremanagedcontrolplane_webhook_test.go
@@ -1387,6 +1387,36 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "AzureManagedControlPlane HTTPProxyConfig is immutable",
+			oldAMCP: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					HTTPProxyConfig: &HTTPProxyConfig{
+						HTTPProxy:  ptr.To("http://1.2.3.4:8080"),
+						HTTPSProxy: ptr.To("https://5.6.7.8:8443"),
+						NoProxy:    &[]string{"endpoint1", "endpoint2"},
+						TrustedCA:  ptr.To("ca"),
+					},
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					HTTPProxyConfig: &HTTPProxyConfig{
+						HTTPProxy:  ptr.To("http://10.20.3.4:8080"),
+						HTTPSProxy: ptr.To("https://5.6.7.8:8443"),
+						NoProxy:    &[]string{"endpoint1", "endpoint2"},
+						TrustedCA:  ptr.To("ca"),
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	client := mockClient{ReturnError: false}
 	for _, tc := range tests {

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/azure/scope/managedcontrolplane.go b/azure/scope/managedcontrolplane.go
@@ -565,6 +565,15 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter
 		}
 	}
 
+	if s.ControlPlane.Spec.HTTPProxyConfig != nil {
+		managedClusterSpec.HTTPProxyConfig = &managedclusters.HTTPProxyConfig{
+			HTTPProxy:  s.ControlPlane.Spec.HTTPProxyConfig.HTTPProxy,
+			HTTPSProxy: s.ControlPlane.Spec.HTTPProxyConfig.HTTPSProxy,
+			NoProxy:    s.ControlPlane.Spec.HTTPProxyConfig.NoProxy,
+			TrustedCA:  s.ControlPlane.Spec.HTTPProxyConfig.TrustedCA,
+		}
+	}
+
 	return &managedClusterSpec
 }
 

diff --git a/azure/services/managedclusters/spec.go b/azure/services/managedclusters/spec.go
@@ -113,6 +113,24 @@ type ManagedClusterSpec struct {
 
 	// KubeletUserAssignedIdentity is the user-assigned identity for kubelet to authenticate to ACR.
 	KubeletUserAssignedIdentity string
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	HTTPProxyConfig *HTTPProxyConfig
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy is the HTTP proxy server endpoint to use.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+
+	// HTTPSProxy is the HTTPS proxy server endpoint to use.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+
+	// NoProxy is the endpoints that should not go through proxy.
+	NoProxy []string `json:"noProxy,omitempty"`
+
+	// TrustedCA is the Alternative CA cert to use for connecting to proxy servers.
+	TrustedCA *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile is Azure Active Directory configuration to integrate with AKS, for aad authentication.
@@ -414,6 +432,18 @@ func (s *ManagedClusterSpec) Parameters(ctx context.Context, existing interface{
 		}
 	}
 
+	if s.HTTPProxyConfig != nil {
+		managedCluster.HTTPProxyConfig = &containerservice.ManagedClusterHTTPProxyConfig{
+			HTTPProxy:  s.HTTPProxyConfig.HTTPProxy,
+			HTTPSProxy: s.HTTPProxyConfig.HTTPSProxy,
+			TrustedCa:  s.HTTPProxyConfig.TrustedCA,
+		}
+	}
+
+	if s.HTTPProxyConfig.NoProxy != nil {
+		managedCluster.HTTPProxyConfig.NoProxy = &s.HTTPProxyConfig.NoProxy
+	}
+
 	if existing != nil {
 		existingMC, ok := existing.(containerservice.ManagedCluster)
 		if !ok {

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml
@@ -244,6 +244,28 @@ spec:
                   DNS service. It must be within the Kubernetes service address range
                   specified in serviceCidr. Immutable.
                 type: string
+              httpProxyConfig:
+                description: HTTPProxyConfig is the HTTP proxy configuration for the
+                  cluster. Immutable.
+                properties:
+                  httpProxy:
+                    description: HTTPProxy is the HTTP proxy server endpoint to use.
+                    type: string
+                  httpsProxy:
+                    description: HTTPSProxy is the HTTPS proxy server endpoint to
+                      use.
+                    type: string
+                  noProxy:
+                    description: NoProxy indicates the endpoints that should not go
+                      through proxy.
+                    items:
+                      type: string
+                    type: array
+                  trustedCa:
+                    description: TrustedCA is the alternative CA cert to use for connecting
+                      to proxy servers.
+                    type: string
+                type: object
               identity:
                 description: Identity configuration used by the AKS control plane.
                 properties: