fix

Signed-off-by: Yaroslav Borbat <[email protected]>
deckhouse · Mar 5, 2024 · 217beeb · 217beeb
1 parent 0a1b89d
commit 217beeb
Showing 1 changed file with 68 additions and 10 deletions.
diff --git a/images/virt-artifact/patches/011-virt-api-authentication.patch b/images/virt-artifact/patches/011-virt-api-authentication.patch
@@ -24,16 +24,76 @@ index 5cbb8197f..82f6f9238 100644
 +		return cache.NewSharedIndexInformer(lw, &k8sv1.ConfigMap{}, f.defaultResync, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
 +	})
 +}
+diff --git a/pkg/util/tls/tls.go b/pkg/util/tls/tls.go
+index e9e140548..e2a349012 100644
+--- a/pkg/util/tls/tls.go
++++ b/pkg/util/tls/tls.go
+@@ -132,6 +132,55 @@ func SetupTLSWithCertManager(caManager ClientCAManager, certManager certificate.
+ 	return tlsConfig
+ }
+
++func SetupTLSWithVirtualizationCAManager(caManager, virtualizationCAManager ClientCAManager, certManager certificate.Manager, clientAuth tls.ClientAuthType, clusterConfig *virtconfig.ClusterConfig) *tls.Config {
++	tlsConfig := &tls.Config{
++		GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
++			cert := certManager.Current()
++			if cert == nil {
++				return nil, fmt.Errorf(noSrvCertMessage)
++			}
++			return cert, nil
++		},
++		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
++			cert := certManager.Current()
++			if cert == nil {
++				return nil, fmt.Errorf(noSrvCertMessage)
++			}
++
++			clientCAPool, err := caManager.GetCurrent()
++			if err != nil {
++				log.Log.Reason(err).Error("Failed to get requestheader client CA")
++				return nil, err
++			}
++
++			virtualizationCA, err := virtualizationCAManager.GetCurrentRaw()
++			if err != nil {
++				log.Log.Reason(err).Error("Failed to get CA from config-map virtualization-ca")
++				return nil, err
++			}
++
++			clientCAPool.AppendCertsFromPEM(virtualizationCA)
++
++			kv := clusterConfig.GetConfigFromKubeVirtCR()
++			tlsConfig := getTLSConfiguration(kv)
++			ciphers := CipherSuiteIds(tlsConfig.Ciphers)
++			minTLSVersion := TLSVersion(tlsConfig.MinTLSVersion)
++			config := &tls.Config{
++				CipherSuites: ciphers,
++				MinVersion:   minTLSVersion,
++				Certificates: []tls.Certificate{*cert},
++				ClientCAs:    clientCAPool,
++				ClientAuth:   clientAuth,
++			}
++
++			config.BuildNameToCertificate()
++			return config, nil
++		},
++	}
++	tlsConfig.BuildNameToCertificate()
++	return tlsConfig
++}
++
+ func SetupTLSForVirtHandlerServer(caManager ClientCAManager, certManager certificate.Manager, externallyManaged bool, clusterConfig *virtconfig.ClusterConfig) *tls.Config {
+ 	// #nosec cause: InsecureSkipVerify: true
+ 	// resolution: Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed
 diff --git a/pkg/virt-api/api.go b/pkg/virt-api/api.go
-index 120f2d68f..f0dc14e8e 100644
+index 120f2d68f..4b82edd13 100644
 --- a/pkg/virt-api/api.go
 +++ b/pkg/virt-api/api.go
 @@ -884,7 +884,7 @@ func (app *virtAPIApp) registerMutatingWebhook(informers *webhooks.Informers) {
  	})
  }
 
 -func (app *virtAPIApp) setupTLS(k8sCAManager kvtls.ClientCAManager, kubevirtCAManager kvtls.ClientCAManager) {
-+func (app *virtAPIApp) setupTLS(virtualizationCAManager, kubevirtCAManager kvtls.ClientCAManager) {
++func (app *virtAPIApp) setupTLS(k8sCAManager, kubevirtCAManager, virtualizationCAManager kvtls.ClientCAManager) {
 
  	// A VerifyClientCertIfGiven request means we're not guaranteed
  	// a client has been authenticated unless they provide a peer
@@ -42,27 +102,25 @@ index 120f2d68f..f0dc14e8e 100644
  	// if the TLS handshake requests it. As a result, the TLS handshake fails
  	// and our aggregated endpoint never becomes available.
 -	app.tlsConfig = kvtls.SetupTLSWithCertManager(k8sCAManager, app.certmanager, tls.VerifyClientCertIfGiven, app.clusterConfig)
-+	app.tlsConfig = kvtls.SetupTLSWithCertManager(virtualizationCAManager, app.certmanager, tls.VerifyClientCertIfGiven, app.clusterConfig)
++	app.tlsConfig = kvtls.SetupTLSWithVirtualizationCAManager(k8sCAManager, virtualizationCAManager, app.certmanager, tls.VerifyClientCertIfGiven, app.clusterConfig)
  	app.handlerTLSConfiguration = kvtls.SetupTLSForVirtHandlerClients(kubevirtCAManager, app.handlerCertManager, app.externallyManaged)
  }
 
-@@ -917,12 +917,12 @@ func (app *virtAPIApp) startTLS(informerFactory controller.KubeInformerFactory)
- 		syscall.SIGQUIT,
- 	)
+@@ -919,10 +919,12 @@ func (app *virtAPIApp) startTLS(informerFactory controller.KubeInformerFactory)
 
--	authConfigMapInformer := informerFactory.ApiAuthConfigMap()
+ 	authConfigMapInformer := informerFactory.ApiAuthConfigMap()
  	kubevirtCAConfigInformer := informerFactory.KubeVirtCAConfigMap()
 +	virtualizationCAConfigInformer := informerFactory.VirtualizationCA()
 
--	k8sCAManager := kvtls.NewKubernetesClientCAManager(authConfigMapInformer.GetStore())
+ 	k8sCAManager := kvtls.NewKubernetesClientCAManager(authConfigMapInformer.GetStore())
  	kubevirtCAInformer := kvtls.NewCAManager(kubevirtCAConfigInformer.GetStore(), app.namespace, app.caConfigMapName)
 -	app.setupTLS(k8sCAManager, kubevirtCAInformer)
 +	virtualizationCAInformer := kvtls.NewCAManager(virtualizationCAConfigInformer.GetStore(), app.namespace, "virtualization-ca")
-+	app.setupTLS(virtualizationCAInformer, kubevirtCAInformer)
++	app.setupTLS(k8sCAManager, kubevirtCAInformer, virtualizationCAInformer)
 
  	app.Compose()
 
-@@ -1007,6 +1007,7 @@ func (app *virtAPIApp) Run() {
+@@ -1007,6 +1009,7 @@ func (app *virtAPIApp) Run() {
 
  	kubeInformerFactory.ApiAuthConfigMap()
  	kubeInformerFactory.KubeVirtCAConfigMap()