github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-06-26 15:12:06 +00:00
Code Issues Projects Releases Wiki Activity

Overriding CA file should override skip TLS and CA data

Browse Source 
Kubernetes-commit: 857572168e79430af2dbf05e9d4705dfb3f0d99b
This commit is contained in:
Jordan Liggitt 2019-10-06 13:40:21 -04:00 committed by Kubernetes Publisher
parent b1fd789501
commit 24302e441b
2 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
tools/clientcmd/client_config.go
View File

@ -449,13 +449,15 @@ func (config *DirectClientConfig) getCluster() (clientcmdapi.Cluster, error) {
return clientcmdapi.Cluster{}, fmt.Errorf("cluster %q does not exist", clusterInfoName) return clientcmdapi.Cluster{}, fmt.Errorf("cluster %q does not exist", clusterInfoName)
} }
mergo.MergeWithOverwrite(mergedClusterInfo, config.overrides.ClusterInfo) mergo.MergeWithOverwrite(mergedClusterInfo, config.overrides.ClusterInfo)
// An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data // * An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data
// otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set" // otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set".
// * An override of --certificate-authority should also override TLS skip settings and CA data, otherwise existing CA data will take precedence.
caLen := len(config.overrides.ClusterInfo.CertificateAuthority) caLen := len(config.overrides.ClusterInfo.CertificateAuthority)
caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData) caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData)
if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 { if config.overrides.ClusterInfo.InsecureSkipTLSVerify || caLen > 0 || caDataLen > 0 {
mergedClusterInfo.CertificateAuthority = "" mergedClusterInfo.InsecureSkipTLSVerify = config.overrides.ClusterInfo.InsecureSkipTLSVerify
mergedClusterInfo.CertificateAuthorityData = nil mergedClusterInfo.CertificateAuthority = config.overrides.ClusterInfo.CertificateAuthority
mergedClusterInfo.CertificateAuthorityData = config.overrides.ClusterInfo.CertificateAuthorityData
} }
return *mergedClusterInfo, nil return *mergedClusterInfo, nil

26
tools/clientcmd/client_config_test.go
View File

@ -148,7 +148,7 @@ func TestInsecureOverridesCA(t *testing.T) {
actualCfg, err := clientBuilder.ClientConfig() actualCfg, err := clientBuilder.ClientConfig()
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Fatalf("Unexpected error: %v", err)
} }
matchBoolArg(true, actualCfg.Insecure, t) matchBoolArg(true, actualCfg.Insecure, t)
@ -156,6 +156,30 @@ func TestInsecureOverridesCA(t *testing.T) {
matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t) matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t)
} }
func TestCAOverridesCAData(t *testing.T) {
file, err := ioutil.TempFile("", "my.ca")
if err != nil {
t.Fatalf("could not create tempfile: %v", err)
}
defer os.Remove(file.Name())
config := createCAValidTestConfig()
clientBuilder := NewNonInteractiveClientConfig(*config, "clean", &ConfigOverrides{
ClusterInfo: clientcmdapi.Cluster{
CertificateAuthority: file.Name(),
},
}, nil)
actualCfg, err := clientBuilder.ClientConfig()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
matchBoolArg(false, actualCfg.Insecure, t)
matchStringArg(file.Name(), actualCfg.TLSClientConfig.CAFile, t)
matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t)
}
func TestMergeContext(t *testing.T) { func TestMergeContext(t *testing.T) {
const namespace = "overridden-namespace" const namespace = "overridden-namespace"