From c0af96ccc241a9402ceeaafc73c9f57f046a64b9 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Thu, 17 Mar 2016 17:35:16 -0300
Subject: [PATCH] Make "--insecure-skip-tls-verify" work on all cases

In the getting started example of AWS, the master uses an IP that is changed on stop/start. If you are playing with a cluster and stop and start the master, the IP is changed and you can't connect again, even using the "--insecure-skip-tls-verify" option. This patch fixes it and makes the option work on those cases too by making sure no CA/CAData is added when it shouldn't.
---
 .../unversioned/clientcmd/client_config.go | 8 ++++++
 .../clientcmd/client_config_test.go | 25 +++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/pkg/client/unversioned/clientcmd/client_config.go b/pkg/client/unversioned/clientcmd/client_config.go
index 9ff259edffe..533feb54afa 100644
--- a/pkg/client/unversioned/clientcmd/client_config.go
+++ b/pkg/client/unversioned/clientcmd/client_config.go
@@ -305,6 +305,14 @@ func (config *DirectClientConfig) getCluster() clientcmdapi.Cluster {
 mergo.Merge(&mergedClusterInfo, configClusterInfo)
 }
 mergo.Merge(&mergedClusterInfo, config.overrides.ClusterInfo)
+ // An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data
+ // otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set"
+ caLen := len(config.overrides.ClusterInfo.CertificateAuthority)
+ caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData)
+ if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 {
+ mergedClusterInfo.CertificateAuthority = ""
+ mergedClusterInfo.CertificateAuthorityData = nil
+ }
 return mergedClusterInfo
 }
diff --git a/pkg/client/unversioned/clientcmd/client_config_test.go b/pkg/client/unversioned/clientcmd/client_config_test.go
index c9650ea6d52..8e68ff7a13c 100644
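Review bot: The comment above the new `if` in getCluster (client_config.go) names the validation error being avoided but not what is given up. Once the kubeconfig's `CertificateAuthority` and `CertificateAuthorityData` are cleared, the server certificate is no longer checked for this client config, and whatever credentials the selected context carries are presumably still attached (that merge is outside the hunk). I would state that next to the clearing, e.g. `// NOTE: with the CA cleared the server certificate is not verified for this client config.` The two `len(...)` locals are each used once, so folding them into the condition would read more directly. getCluster's body begins outside the hunk.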
--- a/pkg/client/unversioned/clientcmd/client_config_test.go
+++ b/pkg/client/unversioned/clientcmd/client_config_test.go
@@ -65,6 +65,31 @@ func createValidTestConfig() *clientcmdapi.Config {
 return config
 }
+func createCAValidTestConfig() *clientcmdapi.Config {
+
+ config := createValidTestConfig()
+ config.Clusters["clean"].CertificateAuthorityData = []byte{0, 0}
+ return config
+}
+
+func TestInsecureOverridesCA(t *testing.T) {
+ config := createCAValidTestConfig()
+ clientBuilder := NewNonInteractiveClientConfig(*config, "clean", &ConfigOverrides{
+ ClusterInfo: clientcmdapi.Cluster{
+ InsecureSkipTLSVerify: true,
+ },
+ })
+
+ actualCfg, err := clientBuilder.ClientConfig()
+ if err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
+ matchBoolArg(true, actualCfg.Insecure, t)
+ matchStringArg("", actualCfg.TLSClientConfig.CAFile, t)
+ matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t)
+}
+
 func TestMergeContext(t *testing.T) {
 const namespace = "overriden-namespace"
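Review bot: In TestInsecureOverridesCA the error from `clientBuilder.ClientConfig()` is reported with `t.Errorf`, so the test carries on and reads `actualCfg.Insecure`. If ClientConfig returns a nil config alongside the error (its signature is not in the hunk), a clear failure becomes a nil-dereference panic; `t.Fatalf("Unexpected error: %v", err)` stops at the first failure instead. The fixture also seeds only `CertificateAuthorityData`, so the `CertificateAuthority` file-path field that getCluster now clears is not exercised. Nor is the case where the override passes both a CA and `InsecureSkipTLSVerify`, which by the comment in getCluster should still be rejected.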