kmsv2: fixed issue with an invalid authority header being sent by the KMSv2 service

2025-08-09 12:07:47 +00:00 · 2024-08-26 14:43:02 -10:00 · 2024-08-26 14:43:02 -10:00 · 618ca85bc9
commit 618ca85bc9
parent 9682c62148
2 changed files with 12 additions and 1 deletions
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
@ -58,6 +58,7 @@ func NewGRPCService(ctx context.Context, endpoint, providerName string, callTime
 	s := &gRPCService{callTimeout: callTimeout}
 	s.connection, err = grpc.Dial(
 		addr,
+		grpc.WithAuthority("localhost"),
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
 		grpc.WithContextDialer(
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go
@ -31,6 +31,7 @@ import (

 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"

 	"k8s.io/apimachinery/pkg/util/wait"
@ -61,7 +62,16 @@ type Base64Plugin struct {

 // NewBase64Plugin is a constructor for Base64Plugin.
 func NewBase64Plugin(t testing.TB, socketPath string) *Base64Plugin {
-	server := grpc.NewServer()
+	server := grpc.NewServer(
+		grpc.UnaryInterceptor(
+			func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+				if val := metadata.ValueFromIncomingContext(ctx, ":authority"); len(val) != 1 || val[0] != "localhost" {
+					t.Errorf("wanted localhost authority, got: %v", val)
+				}
+				return handler(ctx, req)
+			},
+		),
+	)
 	result := &Base64Plugin{
 		grpcServer: server,
 		mu:         &sync.Mutex{},