From dc6d1278a62645bf9cdc468632befbd346c92dab Mon Sep 17 00:00:00 2001
From: Zhiwei Yin
Date: Mon, 8 Jan 2024 22:42:32 +0800
Subject: [PATCH] fix cabundle (#173)
Signed-off-by: Zhiwei Yin
---
 pkg/proxyagent/agent/agent.go | 9 +--
 pkg/proxyagent/agent/agent_test.go | 67 +++++++++++++++++--
 .../templates/addon-agent-deployment.yaml | 4 +-
 3 files changed, 66 insertions(+), 14 deletions(-)
diff --git a/pkg/proxyagent/agent/agent.go b/pkg/proxyagent/agent/agent.go
index fc7b1baf..abbd1c36 100644
--- a/pkg/proxyagent/agent/agent.go
+++ b/pkg/proxyagent/agent/agent.go
@@ -424,13 +424,8 @@ func toAgentAddOnChartValues(caCertData []byte) func(config addonv1alpha1.AddOnD
 "NO_PROXY": proxyConfig.NoProxy,
 }
- if proxyConfig.HTTPSProxy != "" && len(proxyConfig.CABundle) != 0 {
- rawProxyCaCert, err := base64.StdEncoding.DecodeString(string(proxyConfig.CABundle))
- if err != nil {
- return nil, fmt.Errorf("faield to decdoe proxy env ca. %v", err)
- }
- caCert, err := common.MergeCertificateData(rawProxyCaCert, caCertData)
+ if strings.HasPrefix(proxyConfig.HTTPSProxy, "https") && len(proxyConfig.CABundle) != 0 {
+ caCert, err := common.MergeCertificateData(proxyConfig.CABundle, caCertData)
 if err != nil {
 return nil, fmt.Errorf("faield to merge proxy env ca. %v", err)
 }
diff --git a/pkg/proxyagent/agent/agent_test.go b/pkg/proxyagent/agent/agent_test.go
index 0fee2083..9a1f134e 100644
--- a/pkg/proxyagent/agent/agent_test.go
+++ b/pkg/proxyagent/agent/agent_test.go
@@ -8,6 +8,7 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "crypto/x509/pkix"
+ "encoding/base64"
 "encoding/pem"
 mathrand "math/rand"
 "net"
@@ -621,7 +622,7 @@ func TestNewAgentAddon(t *testing.T) {
 envCount = len(container.Env)
 }
 }
- assert.Equal(t, 0, envCount)
+ assert.Equal(t, 1, envCount)
 caSecret := getCASecret(manifests)
 assert.NotNil(t, caSecret)
 caCrt := string(caSecret.Data["ca.crt"])
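Review bot: `strings.HasPrefix(proxyConfig.HTTPSProxy, "https")` in the new condition is a string-prefix test rather than a scheme check: it also matches any value that merely begins with `https` and does not match an upper-case `HTTPS://` URL, so the proxy CA bundle can be merged or skipped for the wrong reason. Parsing the URL and comparing the scheme is the reliable form, e.g. `if u, err := url.Parse(proxyConfig.HTTPSProxy); err == nil && strings.EqualFold(u.Scheme, "https") && len(proxyConfig.CABundle) != 0 {` (needs `net/url` in the import block, which is outside this hunk). The surviving error message keeps the `faield` typo from the removed lines, and `fmt.Errorf("merging proxy env ca: %w", err)` would also let callers unwrap the cause. toAgentAddOnChartValues continues outside the hunk on both sides.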
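Review bot: `assert.Equal(t, 1, envCount)` on the changed line of the `@@ -621,7 +622,7 @@` hunk only pins how many env entries the `proxy-agent` container has, so it cannot tell whether that one entry is the `ROOT_CA_CERT` the template change makes unconditional or some unrelated variable. Capturing the matched container's env in the loop and asserting the name and value would document what the count stands for, e.g. `assert.Contains(t, proxyAgentEnv, corev1.EnvVar{Name: "ROOT_CA_CERT", Value: "/etc/ca/ca.crt"})` (using whatever alias the file has for the k8s core/v1 package). The same count-only check is repeated in the new http-proxy case in the `@@ -708,6 +709,40 @@` hunk (`assert.Equal(t, 4, envCount)`). TestNewAgentAddon and the enclosing verifyManifests closure continue outside the hunk.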
@@ -675,7 +676,7 @@ func TestNewAgentAddon(t *testing.T) {
 },
 },
 {
- name: "with addon deployment config including proxy config",
+ name: "with addon deployment config including https proxy config",
 cluster: newCluster(clusterName, true),
 addon: func() *addonv1alpha1.ManagedClusterAddOn {
 addOn := newAddOn(addOnName, clusterName)
@@ -686,7 +687,7 @@ func TestNewAgentAddon(t *testing.T) {
 return addOn
 }(),
 managedProxyConfigs: []runtimeclient.Object{newManagedProxyConfig(managedProxyConfigName, proxyv1alpha1.EntryPointTypePortForward)},
- addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithProxy(addOndDeployConfigName, clusterName)},
+ addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithHttpsProxy(addOndDeployConfigName, clusterName)},
 v1CSRSupported: true,
 enableKubeApiProxy: true,
 verifyManifests: func(t *testing.T, manifests []runtime.Object) {
@@ -708,6 +709,40 @@ func TestNewAgentAddon(t *testing.T) {
 assert.Equal(t, 2, count)
 },
 },
+ {
+ name: "with addon deployment config including http proxy config",
+ cluster: newCluster(clusterName, true),
+ addon: func() *addonv1alpha1.ManagedClusterAddOn {
+ addOn := newAddOn(addOnName, clusterName)
+ addOn.Status.ConfigReferences = []addonv1alpha1.ConfigReference{
+ newManagedProxyConfigReference(managedProxyConfigName),
+ newAddOndDeploymentConfigReference(addOndDeployConfigName, clusterName),
+ }
+ return addOn
+ }(),
+ managedProxyConfigs: []runtimeclient.Object{newManagedProxyConfig(managedProxyConfigName, proxyv1alpha1.EntryPointTypePortForward)},
+ addOndDeploymentConfigs: []runtime.Object{newAddOnDeploymentConfigWithHttpProxy(addOndDeployConfigName, clusterName)},
+ v1CSRSupported: true,
+ enableKubeApiProxy: true,
+ verifyManifests: func(t *testing.T, manifests []runtime.Object) {
+ assert.Len(t, manifests, len(expectedManifestNames))
+ assert.ElementsMatch(t, expectedManifestNames, manifestNames(manifests))
+ agentDeploy := getAgentDeployment(manifests)
+ assert.NotNil(t, agentDeploy)
+ envCount := 0
+ for _, container := range agentDeploy.Spec.Template.Spec.Containers {
+ if container.Name == "proxy-agent" {
+ envCount = len(container.Env)
+ }
+ }
+ assert.Equal(t, 4, envCount)
+ caSecret := getCASecret(manifests)
+ assert.NotNil(t, caSecret)
+ caCrt := string(caSecret.Data["ca.crt"])
+ count := strings.Count(caCrt, "-----BEGIN CERTIFICATE-----")
+ assert.Equal(t, 1, count)
+ },
+ },
 }
 for _, c := range cases {
@@ -930,7 +965,8 @@ func newAddOnDeploymentConfigWithCustomizedServiceDomain(name, namespace, servic
 var fakeCA = "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"
-func newAddOnDeploymentConfigWithProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
+func newAddOnDeploymentConfigWithHttpsProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
+ rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)
 return &addonv1alpha1.AddOnDeploymentConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
@@ -944,7 +980,28 @@ func newAddOnDeploymentConfigWithProxy(name, namespace string) *addonv1alpha1.Ad
 ProxyConfig: addonv1alpha1.ProxyConfig{
 HTTPProxy: "http://192.168.1.1",
 HTTPSProxy: "https://192.168.1.1",
- CABundle: []byte(fakeCA),
+ CABundle: rawProxyCaCert,
+ NoProxy: "localhost",
+ },
+ },
+ }
+}
+func newAddOnDeploymentConfigWithHttpProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
+ rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)
+ return &addonv1alpha1.AddOnDeploymentConfig{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: namespace,
+ },
+ Spec: addonv1alpha1.AddOnDeploymentConfigSpec{
+ NodePlacement: &addonv1alpha1.NodePlacement{
+ Tolerations: tolerations,
+ NodeSelector: nodeSelector,
+ },
+ ProxyConfig: addonv1alpha1.ProxyConfig{
+ HTTPProxy: "http://192.168.1.1",
+ HTTPSProxy: "http://192.168.1.1",
+ CABundle: rawProxyCaCert,
 NoProxy: "localhost",
 },
 },
diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
index d392fec7..7eb49da1 100644
--- a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
+++ b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
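Review bot: `rawProxyCaCert, _ := base64.StdEncoding.DecodeString(fakeCA)` in the new newAddOnDeploymentConfigWithHttpsProxy body discards the decode error, so a corrupted `fakeCA` fixture would silently produce a short or empty bundle; the https case would then fail with a misleading certificate-count message, and the http case, which expects the bundle to be ignored, would pass vacuously. A fixture helper should fail loudly instead, `rawProxyCaCert, err := base64.StdEncoding.DecodeString(fakeCA)` followed by `if err != nil { panic(err) }`, or take `t *testing.T` and call `t.Fatalf`. The same pattern is repeated in newAddOnDeploymentConfigWithHttpProxy in the `@@ -944,7 +980,28 @@` hunk, which is otherwise a copy of this helper that differs only in the `HTTPSProxy` value, so one helper taking that URL as a parameter would keep the two fixtures from drifting apart. The body of newAddOnDeploymentConfigWithHttpsProxy continues past the end of the first hunk.
```go
func newAddOnDeploymentConfigWithProxyURL(name, namespace, httpsProxy string) *addonv1alpha1.AddOnDeploymentConfig {
	rawProxyCaCert, err := base64.StdEncoding.DecodeString(fakeCA)
	if err != nil {
		panic(err) // a broken fixture is a bug in the test file, not a test result
	}
	return &addonv1alpha1.AddOnDeploymentConfig{
		// … unchanged: ObjectMeta{Name, Namespace} …
		Spec: addonv1alpha1.AddOnDeploymentConfigSpec{
			// … unchanged: NodePlacement{Tolerations, NodeSelector} …
			ProxyConfig: addonv1alpha1.ProxyConfig{
				HTTPProxy:  "http://192.168.1.1",
				HTTPSProxy: httpsProxy,
				CABundle:   rawProxyCaCert,
				NoProxy:    "localhost",
			},
		},
	}
}

func newAddOnDeploymentConfigWithHttpsProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
	return newAddOnDeploymentConfigWithProxyURL(name, namespace, "https://192.168.1.1")
}

func newAddOnDeploymentConfigWithHttpProxy(name, namespace string) *addonv1alpha1.AddOnDeploymentConfig {
	return newAddOnDeploymentConfigWithProxyURL(name, namespace, "http://192.168.1.1")
}
```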
@@ -67,13 +67,13 @@ spec:
 {{- if .Values.proxyConfig.HTTPS_PROXY }}
 - name: HTTPS_PROXY
 value: {{ .Values.proxyConfig.HTTPS_PROXY }}
- - name: ROOT_CA_CERT
- value: "/etc/ca/ca.crt"
 {{- end }}
 {{- if .Values.proxyConfig.NO_PROXY }}
 - name: NO_PROXY
 value: {{ .Values.proxyConfig.NO_PROXY }}
 {{- end }}
+ - name: ROOT_CA_CERT
+ value: "/etc/ca/ca.crt"
 volumeMounts:
 - name: ca
 mountPath: /etc/ca
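Review bot: The `ROOT_CA_CERT` entry moved below the last `{{- end }}` is now rendered on every deployment rather than only when `HTTPS_PROXY` is set, and nothing in the template records that this is deliberate, so the next reader may fold it back into the conditional. A YAML comment above the added lines would preserve the reasoning, e.g. `# ROOT_CA_CERT is set unconditionally: /etc/ca/ca.crt is the agent CA from the "ca" volume mounted below and is used regardless of proxy configuration`; the merging of a proxy CA bundle into that CA for https proxies appears to happen in toAgentAddOnChartValues in agent.go (first hunk of this patch), so the comment could point there once that link is confirmed. The added `value:` is quoted while the sibling proxy values are unquoted template expressions; both are valid, but the block reads more uniformly if the literal strings in this file follow one convention.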