Adding HTTPS support for managed cluster

kubernetes-sigs · Aug 16, 2023 · cfac689 · cfac689
1 parent 3b81e27
commit cfac689
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 0 deletions.
diff --git a/api/v1beta1/azuremanagedcontrolplane_types.go b/api/v1beta1/azuremanagedcontrolplane_types.go
@@ -186,6 +186,23 @@ type AzureManagedControlPlaneSpec struct {
 	// For authentication with Azure Container Registry.
 	// +optional
 	KubeletUserAssignedIdentity string `json:"kubeletUserAssignedIdentity,omitempty"`
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	// Immutable.
+	// +optional
+	HTTPProxyConfig *HTTPProxyConfig `json:"httpProxyConfig,omitempty"`
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy - The HTTP proxy server endpoint to use.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// HTTPSProxy - The HTTPS proxy server endpoint to use.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// NoProxy - The endpoints that should not go through proxy.
+	NoProxy *[]string `json:"noProxy,omitempty"`
+	// TrustedCa - Alternative CA cert to use for connecting to proxy servers.
+	TrustedCa *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile - AAD integration managed by AKS.

diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook.go b/api/v1beta1/azuremanagedcontrolplane_webhook.go
@@ -199,6 +199,13 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o
 		allErrs = append(allErrs, err)
 	}
 
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("Spec", "HTTPProxyConfig"),
+		old.Spec.HTTPProxyConfig,
+		m.Spec.HTTPProxyConfig); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	if err := webhookutils.ValidateImmutable(
 		field.NewPath("Spec", "AzureEnvironment"),
 		old.Spec.AzureEnvironment,

diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook_test.go b/api/v1beta1/azuremanagedcontrolplane_webhook_test.go
@@ -1302,6 +1302,36 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "AzureManagedControlPlane HTTPProxyConfig is immutable",
+			oldAMCP: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					HTTPProxyConfig: &HTTPProxyConfig{
+						HTTPProxy:  pointer.String("http://1.2.3.4:8080"),
+						HTTPSProxy: pointer.String("https://5.6.7.8:8443"),
+						NoProxy:    &[]string{"endpoint1", "endpoint2"},
+						TrustedCa:  pointer.String("ca"),
+					},
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					HTTPProxyConfig: &HTTPProxyConfig{
+						HTTPProxy:  pointer.String("http://10.20.3.4:8080"),
+						HTTPSProxy: pointer.String("https://5.6.7.8:8443"),
+						NoProxy:    &[]string{"endpoint1", "endpoint2"},
+						TrustedCa:  pointer.String("ca"),
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/azure/scope/managedcontrolplane.go b/azure/scope/managedcontrolplane.go
@@ -565,6 +565,15 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter
 		}
 	}
 
+	if s.ControlPlane.Spec.HTTPProxyConfig != nil {
+		managedClusterSpec.HTTPProxyConfig = &managedclusters.HTTPProxyConfig{
+			HTTPProxy:  s.ControlPlane.Spec.HTTPProxyConfig.HTTPProxy,
+			HTTPSProxy: s.ControlPlane.Spec.HTTPProxyConfig.HTTPSProxy,
+			NoProxy:    s.ControlPlane.Spec.HTTPProxyConfig.NoProxy,
+			TrustedCa:  s.ControlPlane.Spec.HTTPProxyConfig.TrustedCa,
+		}
+	}
+
 	return &managedClusterSpec
 }
 

diff --git a/azure/services/managedclusters/spec.go b/azure/services/managedclusters/spec.go
@@ -113,6 +113,21 @@ type ManagedClusterSpec struct {
 
 	// KubeletUserAssignedIdentity is the user-assigned identity for kubelet to authenticate to ACR.
 	KubeletUserAssignedIdentity string
+
+	// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+	HTTPProxyConfig *HTTPProxyConfig
+}
+
+// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
+type HTTPProxyConfig struct {
+	// HTTPProxy - The HTTP proxy server endpoint to use.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// HTTPSProxy - The HTTPS proxy server endpoint to use.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// NoProxy - The endpoints that should not go through proxy.
+	NoProxy *[]string `json:"noProxy,omitempty"`
+	// TrustedCa - Alternative CA cert to use for connecting to proxy servers.
+	TrustedCa *string `json:"trustedCa,omitempty"`
 }
 
 // AADProfile is Azure Active Directory configuration to integrate with AKS, for aad authentication.
@@ -414,6 +429,15 @@ func (s *ManagedClusterSpec) Parameters(ctx context.Context, existing interface{
 		}
 	}
 
+	if s.HTTPProxyConfig != nil {
+		managedCluster.HTTPProxyConfig = &containerservice.ManagedClusterHTTPProxyConfig{
+			HTTPProxy:  s.HTTPProxyConfig.HTTPProxy,
+			HTTPSProxy: s.HTTPProxyConfig.HTTPSProxy,
+			NoProxy:    s.HTTPProxyConfig.NoProxy,
+			TrustedCa:  s.HTTPProxyConfig.TrustedCa,
+		}
+	}
+
 	if existing != nil {
 		existingMC, ok := existing.(containerservice.ManagedCluster)
 		if !ok {

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml
@@ -244,6 +244,27 @@ spec:
                   DNS service. It must be within the Kubernetes service address range
                   specified in serviceCidr. Immutable.
                 type: string
+              httpProxyConfig:
+                description: HTTPProxyConfig is the HTTP proxy configuration for the
+                  cluster. Immutable.
+                properties:
+                  httpProxy:
+                    description: HTTPProxy - The HTTP proxy server endpoint to use.
+                    type: string
+                  httpsProxy:
+                    description: HTTPSProxy - The HTTPS proxy server endpoint to use.
+                    type: string
+                  noProxy:
+                    description: NoProxy - The endpoints that should not go through
+                      proxy.
+                    items:
+                      type: string
+                    type: array
+                  trustedCa:
+                    description: TrustedCa - Alternative CA cert to use for connecting
+                      to proxy servers.
+                    type: string
+                type: object
               identity:
                 description: Identity configuration used by the AKS control plane.
                 properties: