Support k8s clusters with insecure-tls-skip-verify

sdg0919 · Dec 1, 2020 · bd57699 · bd57699
1 parent f4e3068
commit bd57699
Show file tree

Hide file tree

Showing 29 changed files with 166 additions and 33 deletions.
diff --git a/api/common/cloudspec/cloudspec.go b/api/common/cloudspec/cloudspec.go
@@ -88,6 +88,7 @@ func (api *CloudSpecAPI) MakeCloudSpec(pSpec *params.CloudSpec) (environs.CloudS
 		IdentityEndpoint: pSpec.IdentityEndpoint,
 		StorageEndpoint:  pSpec.StorageEndpoint,
 		CACertificates:   pSpec.CACertificates,
+		SkipTLSVerify:    pSpec.SkipTLSVerify,
 		Credential:       credential,
 	}
 	if err := spec.Validate(); err != nil {

diff --git a/api/common/cloudspec/cloudspec_test.go b/api/common/cloudspec/cloudspec_test.go
@@ -50,6 +50,7 @@ func (s *CloudSpecSuite) TestCloudSpec(c *gc.C) {
 						Attributes: map[string]string{"k": "v"},
 					},
 					CACertificates: []string{coretesting.CACert},
+					SkipTLSVerify:  true,
 				},
 			}},
 		}
@@ -72,6 +73,7 @@ func (s *CloudSpecSuite) TestCloudSpec(c *gc.C) {
 		StorageEndpoint:  "storage-endpoint",
 		Credential:       &credential,
 		CACertificates:   []string{coretesting.CACert},
+		SkipTLSVerify:    true,
 	})
 }
 

diff --git a/apiserver/common/cloud.go b/apiserver/common/cloud.go
@@ -38,6 +38,7 @@ func CloudToParams(cloud jujucloud.Cloud) params.Cloud {
 		StorageEndpoint:  cloud.StorageEndpoint,
 		Regions:          regions,
 		CACertificates:   cloud.CACertificates,
+		SkipTLSVerify:    cloud.SkipTLSVerify,
 		Config:           cloud.Config,
 		RegionConfig:     regionConfig,
 	}
@@ -73,6 +74,7 @@ func CloudFromParams(cloudName string, p params.Cloud) jujucloud.Cloud {
 		StorageEndpoint:  p.StorageEndpoint,
 		Regions:          regions,
 		CACertificates:   p.CACertificates,
+		SkipTLSVerify:    p.SkipTLSVerify,
 		Config:           p.Config,
 		RegionConfig:     regionConfig,
 	}

diff --git a/apiserver/common/cloudspec/cloudspec.go b/apiserver/common/cloudspec/cloudspec.go
@@ -103,6 +103,7 @@ func (s cloudSpecAPI) GetCloudSpec(tag names.ModelTag) params.CloudSpecResult {
 		StorageEndpoint:  spec.StorageEndpoint,
 		Credential:       paramsCloudCredential,
 		CACertificates:   spec.CACertificates,
+		SkipTLSVerify:    spec.SkipTLSVerify,
 	}
 	return result
 }

diff --git a/apiserver/common/cloudspec/cloudspec_test.go b/apiserver/common/cloudspec/cloudspec_test.go
@@ -54,6 +54,7 @@ func (s *CloudSpecSuite) SetUpTest(c *gc.C) {
 		StorageEndpoint:  "storage-endpoint",
 		Credential:       &credential,
 		CACertificates:   []string{coretesting.CACert},
+		SkipTLSVerify:    true,
 	}
 }
 
@@ -104,6 +105,7 @@ func (s *CloudSpecSuite) TestCloudSpec(c *gc.C) {
 				Attributes: map[string]string{"k": "v"},
 			},
 			CACertificates: []string{coretesting.CACert},
+			SkipTLSVerify:  true,
 		},
 	}, {
 		Error: &params.Error{
@@ -188,6 +190,7 @@ func (s *CloudSpecSuite) TestCloudSpecNilCredential(c *gc.C) {
 			StorageEndpoint:  "storage-endpoint",
 			Credential:       nil,
 			CACertificates:   []string{coretesting.CACert},
+			SkipTLSVerify:    true,
 		},
 	}})
 }

diff --git a/apiserver/facades/schema.json b/apiserver/facades/schema.json
@@ -1361,6 +1361,9 @@
                         "region": {
                             "type": "string"
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },
@@ -6188,6 +6191,9 @@
                         "region": {
                             "type": "string"
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },
@@ -12843,6 +12849,9 @@
                                 "$ref": "#/definitions/CloudRegion"
                             }
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },
@@ -14022,6 +14031,9 @@
                         "region": {
                             "type": "string"
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },
@@ -17675,6 +17687,9 @@
                         "region": {
                             "type": "string"
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },
@@ -39243,6 +39258,9 @@
                         "region": {
                             "type": "string"
                         },
+                        "skip-tls-verify": {
+                            "type": "boolean"
+                        },
                         "storage-endpoint": {
                             "type": "string"
                         },

diff --git a/apiserver/params/cloud.go b/apiserver/params/cloud.go
@@ -13,6 +13,7 @@ type Cloud struct {
 	StorageEndpoint  string                            `json:"storage-endpoint,omitempty"`
 	Regions          []CloudRegion                     `json:"regions,omitempty"`
 	CACertificates   []string                          `json:"ca-certificates,omitempty"`
+	SkipTLSVerify    bool                              `json:"skip-tls-verify,omitempty"`
 	Config           map[string]interface{}            `json:"config,omitempty"`
 	RegionConfig     map[string]map[string]interface{} `json:"region-config,omitempty"`
 }
@@ -198,6 +199,7 @@ type CloudSpec struct {
 	StorageEndpoint  string           `json:"storage-endpoint,omitempty"`
 	Credential       *CloudCredential `json:"credential,omitempty"`
 	CACertificates   []string         `json:"cacertificates,omitempty"`
+	SkipTLSVerify    bool             `json:"skip-tls-verify,omitempty"`
 }
 
 // CloudSpecResult contains a CloudSpec or an error.

diff --git a/caas/kubernetes/clientconfig/k8s.go b/caas/kubernetes/clientconfig/k8s.go
@@ -146,8 +146,9 @@ func cloudsFromConfig(config *clientcmdapi.Config, cloudName string) (map[string
 		attrs["CAData"] = string(k8sCAData)
 
 		return CloudConfig{
-			Endpoint:   cluster.Server,
-			Attributes: attrs,
+			Endpoint:      cluster.Server,
+			SkipTLSVerify: cluster.InsecureSkipTLSVerify,
+			Attributes:    attrs,
 		}, nil
 	}
 

diff --git a/caas/kubernetes/clientconfig/k8s_test.go b/caas/kubernetes/clientconfig/k8s_test.go
@@ -10,13 +10,13 @@ import (
 	"strings"
 	"text/template"
 
+	"github.com/juju/testing"
 	jc "github.com/juju/testing/checkers"
 	gc "gopkg.in/check.v1"
 	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/juju/juju/caas/kubernetes/clientconfig"
 	"github.com/juju/juju/cloud"
-	"github.com/juju/testing"
 )
 
 type k8sConfigSuite struct {
@@ -137,6 +137,28 @@ contexts:
 current-context: the-context
 preferences: {}
 users:
+- name: the-user
+  user:
+    password: thepassword
+    username: theuser
+`
+
+	insecureTLSYAMLTemplate = `
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: https://1.1.1.1:8888
+    insecure-skip-tls-verify: true
+  name: the-cluster
+contexts:
+- context:
+    cluster: the-cluster
+    user: the-user
+  name: the-context
+current-context: the-context
+preferences: {}
+users:
 - name: the-user
   user:
     password: thepassword
@@ -437,6 +459,34 @@ func (s *k8sConfigSuite) TestConfigWithExternalCA(c *gc.C) {
 	})
 }
 
+func (s *k8sConfigSuite) TestConfigWithInsecureSkilTLSVerify(c *gc.C) {
+	cred := cloud.NewNamedCredential(
+		"the-user", cloud.UserPassAuthType,
+		map[string]string{"username": "theuser", "password": "thepassword"}, false)
+	s.assertNewK8sClientConfig(c, newK8sClientConfigTestCase{
+		title:              "assert config with insecure TLS skip verify",
+		clusterName:        "the-cluster",
+		configYamlContent:  insecureTLSYAMLTemplate,
+		configYamlFileName: "insecure-tls",
+		expected: &clientconfig.ClientConfig{
+			Type: "kubernetes",
+			Contexts: map[string]clientconfig.Context{
+				"the-context": {
+					CloudName:      "the-cluster",
+					CredentialName: "the-user"}},
+			CurrentContext: "the-context",
+			Clouds: map[string]clientconfig.CloudConfig{
+				"the-cluster": {
+					Endpoint:      "https://1.1.1.1:8888",
+					SkipTLSVerify: true,
+					Attributes:    map[string]interface{}{"CAData": ""}}},
+			Credentials: map[string]cloud.Credential{
+				"the-user": cred,
+			},
+		},
+	})
+}
+
 // TestGetSingleConfigReadsFilePaths checks that we handle config
 // with certificate/key file paths the same as we do those with
 // the data inline.

diff --git a/caas/kubernetes/clientconfig/types.go b/caas/kubernetes/clientconfig/types.go
@@ -35,8 +35,9 @@ func (c Context) isEmpty() bool {
 
 // CloudConfig stores information about how to connect to a Cloud.
 type CloudConfig struct {
-	Endpoint   string
-	Attributes map[string]interface{}
+	Endpoint      string
+	SkipTLSVerify bool
+	Attributes    map[string]interface{}
 }
 
 // If existing CAAS cloud has Cluster_A and User_A, here's what happens when we try to define a new CAAS cloud:

diff --git a/caas/kubernetes/provider/cloud.go b/caas/kubernetes/provider/cloud.go
@@ -90,6 +90,7 @@ func newCloudCredentialFromKubeConfig(reader io.Reader, cloudParams KubeCloudPar
 	newCloud.AuthTypes = []cloud.AuthType{credential.AuthType()}
 	currentCloud := caasConfig.Clouds[context.CloudName]
 	newCloud.Endpoint = currentCloud.Endpoint
+	newCloud.SkipTLSVerify = currentCloud.SkipTLSVerify
 
 	cloudCAData, ok := currentCloud.Attributes["CAData"].(string)
 	if !ok {

diff --git a/caas/kubernetes/provider/cloud_test.go b/caas/kubernetes/provider/cloud_test.go
@@ -86,6 +86,7 @@ var defaultK8sCloud = jujucloud.Cloud{
 	Type:           cloud.CloudTypeCAAS,
 	AuthTypes:      []cloud.AuthType{cloud.UserPassAuthType},
 	CACertificates: []string{""},
+	SkipTLSVerify:  true,
 }
 
 var defaultClusterMetadata = &caas.ClusterMetadata{
@@ -141,6 +142,7 @@ func (s *cloudSuite) TestFinalizeCloudMicrok8s(c *gc.C) {
 		Type:            jujucloud.CloudTypeCAAS,
 		AuthTypes:       []jujucloud.AuthType{jujucloud.UserPassAuthType},
 		CACertificates:  []string{""},
+		SkipTLSVerify:   true,
 		Endpoint:        "http://1.1.1.1:8080",
 		HostCloudRegion: fmt.Sprintf("%s/%s", caas.K8sCloudMicrok8s, caas.Microk8sRegion),
 		Config:          map[string]interface{}{"operator-storage": "operator-sc", "workload-storage": ""},

diff --git a/caas/kubernetes/provider/provider.go b/caas/kubernetes/provider/provider.go
@@ -102,6 +102,7 @@ func CloudSpecToK8sRestConfig(cloudSpec environs.CloudSpec) (*rest.Config, error
 			CertData: []byte(credentialAttrs[CredAttrClientCertificateData]),
 			KeyData:  []byte(credentialAttrs[CredAttrClientKeyData]),
 			CAData:   CAData,
+			Insecure: cloudSpec.SkipTLSVerify,
 		},
 	}, nil
 }

diff --git a/cloud/clouds.go b/cloud/clouds.go
@@ -165,6 +165,11 @@ type Cloud struct {
 	// of cloud infrastructure components
 	// The contents are Base64 encoded x.509 certs.
 	CACertificates []string
+
+	// SkipTLSVerify is true if the server should be asked not to
+	// validate certificates. It is not recommended for production clouds.
+	// It is secure (false) by default.
+	SkipTLSVerify bool
 }
 
 // SplitHostCloudRegion splits host cloud region to cloudType and region.
@@ -233,6 +238,7 @@ type cloud struct {
 	Config           map[string]interface{} `yaml:"config,omitempty"`
 	RegionConfig     RegionConfig           `yaml:"region-config,omitempty"`
 	CACertificates   []string               `yaml:"ca-certificates,omitempty"`
+	SkipTLSVerify    bool                   `yaml:"skip-tls-verify,omitempty"`
 }
 
 // regions is a collection of regions, either as a map and/or
@@ -493,6 +499,7 @@ func cloudToInternal(in Cloud, withName bool) *cloud {
 		Config:           in.Config,
 		RegionConfig:     in.RegionConfig,
 		CACertificates:   in.CACertificates,
+		SkipTLSVerify:    in.SkipTLSVerify,
 	}
 }
 
@@ -529,6 +536,7 @@ func cloudFromInternal(in *cloud) Cloud {
 		RegionConfig:     in.RegionConfig,
 		Description:      in.Description,
 		CACertificates:   in.CACertificates,
+		SkipTLSVerify:    in.SkipTLSVerify,
 	}
 	meta.denormaliseMetadata()
 	return meta

diff --git a/cloud/clouds_test.go b/cloud/clouds_test.go
@@ -300,6 +300,7 @@ func (s *cloudSuite) TestMarshalCloud(c *gc.C) {
 		AuthTypes:      []cloud.AuthType{"baz"},
 		Endpoint:       "qux",
 		CACertificates: []string{"fakecacert"},
+		SkipTLSVerify:  true,
 	}
 	marshalled, err := cloud.MarshalCloud(in)
 	c.Assert(err, jc.ErrorIsNil)
@@ -310,6 +311,7 @@ auth-types: [baz]
 endpoint: qux
 ca-certificates:
 - fakecacert
+skip-tls-verify: true
 `[1:])
 }
 
@@ -320,6 +322,7 @@ type: bar
 auth-types: [baz]
 endpoint: qux
 ca-certificates: [fakecacert]
+skip-tls-verify: true
 `)
 	out, err := cloud.UnmarshalCloud(in)
 	c.Assert(err, jc.ErrorIsNil)
@@ -329,6 +332,7 @@ ca-certificates: [fakecacert]
 		AuthTypes:      []cloud.AuthType{"baz"},
 		Endpoint:       "qux",
 		CACertificates: []string{"fakecacert"},
+		SkipTLSVerify: true,
 	})
 }
 

diff --git a/cmd/juju/cloud/add.go b/cmd/juju/cloud/add.go
@@ -424,6 +424,7 @@ func cloudFromLocal(store jujuclient.CredentialGetter, cloudName string) (*jujuc
 		IdentityEndpoint: cloudDetails.IdentityEndpoint,
 		StorageEndpoint:  cloudDetails.StorageEndpoint,
 		CACertificates:   cloudDetails.CACredentials,
+		SkipTLSVerify:    cloudDetails.SkipTLSVerify,
 		Config:           cloudDetails.Config,
 		RegionConfig:     cloudDetails.RegionConfig,
 	}