fix cabundle (#173)
Signed-off-by: Zhiwei Yin <[email protected]>
zhiweiyin318 authored Jan 8, 2024
1 parent 86d392e commit dc6d127
Showing 3 changed files with 66 additions and 14 deletions.
9 changes: 2 additions & 7 deletions pkg/proxyagent/agent/agent.go
Expand Up @@ -424,13 +424,8 @@ func toAgentAddOnChartValues(caCertData []byte) func(config addonv1alpha1.AddOnD
"NO_PROXY": proxyConfig.NoProxy,
}

if proxyConfig.HTTPSProxy != "" && len(proxyConfig.CABundle) != 0 {
rawProxyCaCert, err := base64.StdEncoding.DecodeString(string(proxyConfig.CABundle))
if err != nil {
return nil, fmt.Errorf("faield to decdoe proxy env ca. %v", err)
}

caCert, err := common.MergeCertificateData(rawProxyCaCert, caCertData)
if strings.HasPrefix(proxyConfig.HTTPSProxy, "https") && len(proxyConfig.CABundle) != 0 {
caCert, err := common.MergeCertificateData(proxyConfig.CABundle, caCertData)
if err != nil {
return nil, fmt.Errorf("faield to merge proxy env ca. %v", err)
}
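Review bot: The surviving error line `return nil, fmt.Errorf("faield to merge proxy env ca. %v", err)` keeps the `faield` typo and, with `%v`, hides the cause from `errors.Is`/`errors.As`; `return nil, fmt.Errorf("merging proxy env ca: %w", err)` fixes both. The new guard `strings.HasPrefix(proxyConfig.HTTPSProxy, "https")` is case-sensitive and matches any value that merely starts with those letters, so `HTTPS://proxy` is treated as plain http and the supplied CA bundle is silently dropped while `httpsproxy.example:3128` without a scheme is treated as TLS; `strings.HasPrefix(strings.ToLower(proxyConfig.HTTPSProxy), "https://")` (or `url.Parse` and a check on `Scheme`) is the stricter test. Because this branch appears to decide whether the operator-supplied bundle ends up in the agent's trust root (the http-proxy test case expects a single certificate in ca.crt), a one-line comment such as `// CABundle is merged into the agent CA only when the proxy itself is reached over TLS; an http:// proxy ignores it` would spare the next reader the question. toAgentAddOnChartValues begins before this hunk and its body continues past it.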
67 changes: 62 additions & 5 deletions pkg/proxyagent/agent/agent_test.go
Expand Up @@ -8,6 +8,7 @@ import (
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/pem"
mathrand "math/rand"
"net"
Expand Down Expand Up @@ -621,7 +622,7 @@ func TestNewAgentAddon(t *testing.T) {
envCount = len(container.Env)
}
}
assert.Equal(t, 0, envCount)
assert.Equal(t, 1, envCount)
caSecret := getCASecret(manifests)
assert.NotNil(t, caSecret)
caCrt := string(caSecret.Data["ca.crt"])
Expand Down Expand Up @@ -675,7 +676,7 @@ func TestNewAgentAddon(t *testing.T) {
},
},
{
name: "with addon deployment config including proxy config",
name: "with addon deployment config including https proxy config",
cluster: newCluster(clusterName, true),
addon: func() *addonv1alpha1.ManagedClusterAddOn {
addOn := newAddOn(addOnName, clusterName)
Expand All @@ -686,7 +687,7 @@ func TestNewAgentAddon(t *testing.T) {
return addOn
}(),
managedProxyConfigs: []runtimeclient.Object{newManagedProxyConfig(managedProxyConfigName, proxyv1alpha1.EntryPointTypePortForward)},
addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithProxy(addOndDeployConfigName, clusterName)},
addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithHttpsProxy(addOndDeployConfigName, clusterName)},
v1CSRSupported: true,
enableKubeApiProxy: true,
verifyManifests: func(t *testing.T, manifests []runtime.Object) {
Expand All @@ -708,6 +709,40 @@ func TestNewAgentAddon(t *testing.T) {
assert.Equal(t, 2, count)
},
},
{
name: "with addon deployment config including http proxy config",
cluster: newCluster(clusterName, true),
addon: func() *addonv1alpha1.ManagedClusterAddOn {
addOn := newAddOn(addOnName, clusterName)
addOn.Status.ConfigReferences = []addonv1alpha1.ConfigReference{
newManagedProxyConfigReference(managedProxyConfigName),
newAddOndDeploymentConfigReference(addOndDeployConfigName, clusterName),
}
return addOn
}(),
managedProxyConfigs: []runtimeclient.Object{newManagedProxyConfig(managedProxyConfigName, proxyv1alpha1.EntryPointTypePortForward)},
addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithHttpProxy(addOndDeployConfigName, clusterName)},
v1CSRSupported: true,
enableKubeApiProxy: true,
verifyManifests: func(t *testing.T, manifests []runtime.Object) {
assert.Len(t, manifests, len(expectedManifestNames))
assert.ElementsMatch(t, expectedManifestNames, manifestNames(manifests))
agentDeploy := getAgentDeployment(manifests)
assert.NotNil(t, agentDeploy)
envCount := 0
for _, container := range agentDeploy.Spec.Template.Spec.Containers {
if container.Name == "proxy-agent" {
envCount = len(container.Env)
}
}
assert.Equal(t, 4, envCount)
caSecret := getCASecret(manifests)
assert.NotNil(t, caSecret)
caCrt := string(caSecret.Data["ca.crt"])
count := strings.Count(caCrt, "-----BEGIN CERTIFICATE-----")
assert.Equal(t, 1, count)
},
},
}

for _, c := range cases {
Expand Down Expand Up @@ -930,7 +965,8 @@ func newAddOnDeploymentConfigWithCustomizedServiceDomain(name, namespace, servic

var fakeCA = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQWRFQ0ZHSG5lTUpBQ1NjR2lRSnA2K1RYa0NKRVBTVitNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1ERXgKRmpBVUJnTlZCQW9NRFU5d1pXNVRhR2xtZENCQlEwMHhGekFWQmdOVkJBTU1EbmQzZHk1eVpXUm9ZWFF1WTI5dApNQjRYRFRJek1URXhNakV5TURZME4xb1hEVEkwTVRFeE1URXlNRFkwTjFvd01URVdNQlFHQTFVRUNnd05UM0JsCmJsTm9hV1owSUVGRFRURVhNQlVHQTFVRUF3d09kM2QzTG5KbFpHaGhkQzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEUXZMbHFjYXpYZmxXNXgzcVFDSE52ZjNqTFNCY0QrY3pCczFoMApUV0p2TWEvWVd2T2MrK3VNWXg2OW1RaXRCWEFaMEsyUVpQa1BYK2lEc244Mk9mNklYTUpUSVpmZk1Wb3g4UmtqCkNlQ00vdlNaMzExVGlwa0NkaGVTbnp0WElhek1hN0ZZS3BVT2htYTF3L2RReFcvcnIwandwRG9TMFUvN0xhWGwKNHF2bUF4Wk1iSHVWaFk2S0RZSGJ2MEdKYWdqekJtVkpieTZlMFg3MkozL05ZME1KT2plYklrOTEydjBXZ1pUKwo3UWU0a29scVY1MkQvaUhYV0xFUzhXMWQrMFZUbnlRaFAzY3RvNWp3TFZyWnQ2NDFZL0lRc2ZNQ0w1bGdhVTF0Cm9UMlcvQ3F1amw5aCt0UCt2SG1rNk5JZXk2RUNIdm1MV0xLbU5nblp2M0d0bVdnZEFnTUJBQUV3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dFQkFKSjBnd0UxSUR4SlNzaUd1TGxDMlVGV2J3U0RHMUVEK3VlQWYvRDRlV0VSWFZDUAo4aVdZZC9RckdsakYxNGxvZllHb280Vk5PL28xQWJQS2gveXB4UW16REdrVE1NaGg2WFg1bExob3RZWHZERlM2CmlkQXk5TFpiWDFUQnV5UEcwNmorbkI4eEtEY3F4aFNLYTlNb0trck9XcmtGbnFZS2syQzIyZGRvZVlZdlRjR2cKK2JmZ3RSWFJRUFdQRmt2NDR5MGlMZVh0S0VMbHBQMkMyQW5JQkU4b2hzY0JiYnloVmptem5YS1dFSTg3T0xmUgoxNDJBOWoydlVVQW80T0o5d1JCei8raDFXUXkyL3prclVUMW90MFdienY1cy91YmlUQkRpSjlQQ0k4YkZmZXplCnpDbCthbEE5aUFJdGt4OVdZS2pzaDFuVHEzTnJwVWM0MXBJWlFBQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="

func newAddOnDeploymentConfigWithProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
func newAddOnDeploymentConfigWithHttpsProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)
return &addonv1alpha1.AddOnDeploymentConfig{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -944,7 +980,28 @@ func newAddOnDeploymentConfigWithProxy(name, namespace string) *addonv1alpha1.Ad
ProxyConfig: addonv1alpha1.ProxyConfig{
HTTPProxy: "http://192.168.1.1",
HTTPSProxy: "https://192.168.1.1",
CABundle: []byte(fakeCA),
CABundle: rawProxyCaCert,
NoProxy: "localhost",
},
},
}
}
func newAddOnDeploymentConfigWithHttpProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)
return &addonv1alpha1.AddOnDeploymentConfig{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Spec: addonv1alpha1.AddOnDeploymentConfigSpec{
NodePlacement: &addonv1alpha1.NodePlacement{
Tolerations: tolerations,
NodeSelector: nodeSelector,
},
ProxyConfig: addonv1alpha1.ProxyConfig{
HTTPProxy: "http://192.168.1.1",
HTTPSProxy: "http://192.168.1.1",
CABundle: rawProxyCaCert,
NoProxy: "localhost",
},
},
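Review bot: Both new helpers discard the decode error in `rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)`, so a bad edit to `fakeCA` would presumably hand the config an empty CABundle and surface as a confusing certificate-count or env-count assertion rather than at the source; `rawProxyCaCert, err := base64.StdEncoding.DecodeString(fakeCA)` followed by `if err != nil { panic(err) }` is acceptable in test-only code and keeps the failure local, or decode once into a package-level `fakeCABytes` next to `fakeCA`. The two helpers differ only in the `HTTPSProxy` scheme and could be one helper that takes the proxy URL, which would also keep the two table cases from drifting apart. On naming, Go keeps initialisms in one case, so `newAddOnDeploymentConfigWithHTTPSProxy` / `newAddOnDeploymentConfigWithHTTPProxy` would match the `HTTPSProxy` and `HTTPProxy` fields they populate. The closing braces of the second helper lie outside this hunk.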
Expand Up @@ -67,13 +67,13 @@ spec:
{{- if .Values.proxyConfig.HTTPS_PROXY }}
- name: HTTPS_PROXY
value: {{ .Values.proxyConfig.HTTPS_PROXY }}
- name: ROOT_CA_CERT
value: "/etc/ca/ca.crt"
{{- end }}
{{- if .Values.proxyConfig.NO_PROXY }}
- name: NO_PROXY
value: {{ .Values.proxyConfig.NO_PROXY }}
{{- end }}
- name: ROOT_CA_CERT
value: "/etc/ca/ca.crt"
volumeMounts:
- name: ca
mountPath: /etc/ca
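Review bot: ROOT_CA_CERT appears to move out of the `{{- if .Values.proxyConfig.HTTPS_PROXY }}` block (this file's share of the diffstat is 2 additions and 2 deletions, and the agent_test change from 0 to 1 env vars points the same way), but nothing in the template records why the agent is now always pointed at `/etc/ca/ca.crt`; a template comment above the unconditional `- name: ROOT_CA_CERT`, such as `{{- /* ROOT_CA_CERT is set regardless of proxy settings; the ca volume below is always mounted */}}`, would capture the intent. The rendered page has lost this section's file header, so the template path is not visible here. The neighbouring `value: {{ .Values.proxyConfig.HTTPS_PROXY }}` and `NO_PROXY` lines are unchanged context but render the operator-supplied value unquoted, which can break the manifest when the value contains a colon followed by a space or starts with a YAML indicator character; `| quote` on those values is the usual guard.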