Support TLS Server Name overrides in kubeconfig (#1282)
The client should support tls-server-name just like client-go and kubectl.  See kubernetes/kubernetes#88769
cb authored Apr 28, 2023
1 parent ceddcfc commit d8da943
Showing 7 changed files with 53 additions and 0 deletions.
Expand Up @@ -25,6 +25,12 @@ public class ClusterEndpoint
[YamlMember(Alias = "server")]
public string Server { get; set; }

/// <summary>
/// Gets or sets a value to override the TLS server name.
/// </summary>
[YamlMember(Alias = "tls-server-name", ApplyNamingConventions = false)]
public string TlsServerName { get; set; }

/// <summary>
/// Gets or sets a value indicating whether to skip the validity check for the server's certificate.
/// This will make your HTTPS connections insecure.
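Review bot: The summary on the new TlsServerName property names the value but does not say what it overrides or how a reader should relate it to certificate validation; it should state that the value stands in for the host taken from `server` when requests are sent and that it maps to the kubeconfig `tls-server-name` key. Suggested text: `/// Gets or sets a host name used in place of the one in <see cref="Server"/> for TLS server-name purposes (kubeconfig key tls-server-name); null, empty or whitespace means no override.` The same applies to the summary added on KubernetesClientConfiguration.TlsServerName in this commit, which additionally drops the "Gets or sets" phrasing its neighbour SkipTlsVerify uses. The ClusterEndpoint class continues outside the hunk.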
3 changes: 3 additions & 0 deletions src/KubernetesClient/Kubernetes.ConfigInit.cs
Expand Up @@ -26,6 +26,7 @@ public Kubernetes(KubernetesClientConfiguration config, params DelegatingHandler
ValidateConfig(config);
CaCerts = config.SslCaCerts;
SkipTlsVerify = config.SkipTlsVerify;
TlsServerName = config.TlsServerName;
CreateHttpClient(handlers, config);
InitializeFromConfig(config);
HttpClientTimeout = config.HttpClientTimeout;
Expand Down Expand Up @@ -115,6 +116,8 @@ private void InitializeFromConfig(KubernetesClientConfiguration config)

private bool SkipTlsVerify { get; }

private string TlsServerName { get; }

// NOTE: this method replicates the logic that the base ServiceClient uses except that it doesn't insert the RetryDelegatingHandler
// and it does insert the WatcherDelegatingHandler. we don't want the RetryDelegatingHandler because it has a very broad definition
// of what requests have failed. it considers everything outside 2xx to be failed, including 1xx (e.g. 101 Switching Protocols) and
5 changes: 5 additions & 0 deletions src/KubernetesClient/Kubernetes.cs
Expand Up @@ -149,6 +149,11 @@ protected virtual async Task<HttpResponseMessage> SendRequestRaw(string requestC
await Credentials.ProcessHttpRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
}

if (!string.IsNullOrWhiteSpace(TlsServerName))
{
httpRequest.Headers.Host = TlsServerName;
}

// Send Request
cancellationToken.ThrowIfCancellationRequested();
var httpResponse = await HttpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
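Review bot: `httpRequest.Headers.Host = TlsServerName;` changes the HTTP Host header, which is not by itself the TLS server name the commit title promises; as far as I know SocketsHttpHandler also takes the TLS target host (SNI and the certificate name check) from that header, whereas the .NET Framework HttpClientHandler only changes the HTTP header and the handshake still uses the URL host, so the behaviour should be confirmed for every target framework the package ships. It also differs from client-go, where tls-server-name is a TLS-only setting and the Host header is untouched, so an intermediary in front of the API server that routes on Host may now see a different name. At minimum a comment should record the mechanism and its limit, e.g. `// tls-server-name: with SocketsHttpHandler the Host header also becomes the TLS target host (SNI, certificate name check); other handlers only change the HTTP header.` SendRequestRaw starts outside the hunk.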
Expand Up @@ -267,6 +267,7 @@ private void SetClusterDetails(K8SConfiguration k8SConfig, Context activeContext

Host = clusterDetails.ClusterEndpoint.Server;
SkipTlsVerify = clusterDetails.ClusterEndpoint.SkipTlsVerify;
TlsServerName = clusterDetails.ClusterEndpoint.TlsServerName;

if (!Uri.TryCreate(Host, UriKind.Absolute, out var uri))
{
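Review bot: The value is copied into TlsServerName without any check, so a malformed kubeconfig entry (a name containing spaces or a scheme, for instance) is not reported while loading the config but later, as a FormatException from the HttpRequestHeaders.Host setter on every request. Validating here, next to the existing `Uri.TryCreate` check on the server URL, reports it once with a clear message: `if (!string.IsNullOrWhiteSpace(TlsServerName) && Uri.CheckHostName(TlsServerName) == UriHostNameType.Unknown) { throw ...; }` using the same exception the server-URL branch below throws; if a `host:port` form is meant to be accepted, the check needs to allow it. SetClusterDetails continues outside the hunk.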
5 changes: 5 additions & 0 deletions src/KubernetesClient/KubernetesClientConfiguration.cs
Expand Up @@ -56,6 +56,11 @@ public partial class KubernetesClientConfiguration
/// </summary>
public bool SkipTlsVerify { get; set; }

/// <summary>
/// Option to override the TLS server name
/// </summary>
public string TlsServerName { get; set; }

/// <summary>
/// Gets or sets the HTTP user agent.
/// </summary>
11 changes: 11 additions & 0 deletions tests/KubernetesClient.Tests/KubernetesClientConfigurationTests.cs
Expand Up @@ -341,6 +341,17 @@ public void SmartSkipTlsVerify()
Assert.Equal("http://horse.org", cfg.Host);
}

/// <summary>
/// Make sure that TlsServerName is present
/// </summary>
[Fact]
public void TlsServerName()
{
var fi = new FileInfo("assets/kubeconfig.tls-servername.yml");
var cfg = KubernetesClientConfiguration.BuildConfigFromConfigFile(fi);
Assert.Equal("pony", cfg.TlsServerName);
}

/// <summary>
/// Checks config could work well when current-context is not set but masterUrl is set. #issue 24
/// </summary>
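Review bot: The new test only checks that the key is parsed; neither the default nor the consumer of the value is covered. Add `Assert.Null(cfg.TlsServerName);` to a test that loads an asset without the key so the default cannot change silently, and add a client-level test that sends a request through a recording handler and asserts its Host header equals the configured value, since that header is the only place this commit applies the setting. The summary `Make sure that TlsServerName is present` would read better as `Make sure that tls-server-name is read from the kubeconfig`.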
22 changes: 22 additions & 0 deletions tests/KubernetesClient.Tests/assets/kubeconfig.tls-servername.yml
@@ -0,0 +1,22 @@
# Sample file based on https://kubernetes.io/docs/tasks/access-application-cluster/authenticate-across-clusters-kubeconfig/
# WARNING: File includes minor fixes
---
current-context: federal-context
apiVersion: v1
clusters:
- cluster:
server: https://horse.org:443
tls-server-name: pony
name: horse-cluster
contexts:
- context:
cluster: horse-cluster
namespace: chisel-ns
user: green-user
name: federal-context
kind: Config
users:
- name: green-user
user:
password: secret
username: admin
