fix: add support for tls-server-name in KubeConfig

For some reason the feature that was added in 076531e was missing in the 1.x release branch – we ported the existing feature from there. Co-authored-by: Tim Beyer <TimBeyer@users.noreply.github.com>
kubernetes-client · Nov 21, 2023 · 60f0ea6 · 60f0ea6
1 parent 22613f1
commit 60f0ea6
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 5 deletions.
diff --git a/src/config.ts b/src/config.ts
@@ -225,6 +225,10 @@ export class KubeConfig implements SecurityAuthentication {
             agentOptions.rejectUnauthorized = false;
         }
 
+        if (cluster && cluster.tlsServerName) {
+            agentOptions.servername = cluster.tlsServerName
+        }
+
         if (user && user.username) {
             const auth = Buffer.from(`${user.username}:${user.password}`).toString('base64');
             context.setHeaderParam('Authorization', `Basic ${auth}`);
@@ -515,6 +519,10 @@ export class KubeConfig implements SecurityAuthentication {
         if (cluster != null && cluster.skipTLSVerify) {
             opts.rejectUnauthorized = false;
         }
+        if (cluster != null && cluster.tlsServerName) {
+            // WebSocket.ClientOptions types are missing the servername
+            (opts as any).servername = cluster.tlsServerName;
+        }
         const ca = cluster != null ? bufferFromFileOrString(cluster.caFile, cluster.caData) : null;
         if (ca) {
             opts.ca = ca;

diff --git a/src/config_test.ts b/src/config_test.ts
@@ -25,6 +25,7 @@ const kcDupeUser = 'testdata/kubeconfig-dupe-user.yaml';
 const kcNoUserFileName = 'testdata/empty-user-kubeconfig.yaml';
 const kcInvalidContextFileName = 'testdata/empty-context-kubeconfig.yaml';
 const kcInvalidClusterFileName = 'testdata/empty-cluster-kubeconfig.yaml';
+const kcTlsServerNameFileName = 'testdata/tls-server-name-kubeconfig.yaml';
 
 use(chaiAsPromised);
 
@@ -274,20 +275,55 @@ describe('KubeConfig', () => {
     });
 
     describe('applyHTTPSOptions', () => {
-        it('should apply cert configs', () => {
+        it('should apply tls-server-name to https.RequestOptions', async () => {
             const kc = new KubeConfig();
-            kc.loadFromFile(kcFileName);
+            kc.loadFromFile(kcTlsServerNameFileName);
 
             const opts: https.RequestOptions = {};
-            kc.applyToHTTPSOptions(opts);
+            await kc.applyToHTTPSOptions(opts);
+
+            const expectedAgent = new https.Agent({
+                ca: Buffer.from('CADATA2', 'utf-8'),
+                cert: Buffer.from('USER_CADATA', 'utf-8'),
+                key:  Buffer.from('USER_CKDATA', 'utf-8'),
+                passphrase: undefined,
+                pfx: undefined,
+                rejectUnauthorized: false,
+                servername: 'kube.example2.com',
+            });
 
-            expect(opts).to.deep.equal({
+            const expectedOptions: https.RequestOptions = {
                 headers: {},
+                rejectUnauthorized: false,
+                servername: 'kube.example2.com',
+                agent: expectedAgent,
+            };
+
+            assertRequestOptionsEqual(opts, expectedOptions);
+        });
+        it('should apply cert configs', async () => {
+            const kc = new KubeConfig();
+            kc.loadFromFile(kcFileName);
+
+            const opts: https.RequestOptions = {};
+            await kc.applyToHTTPSOptions(opts);
+
+            const expectedAgent = new https.Agent({
                 ca: Buffer.from('CADATA2', 'utf-8'),
                 cert: Buffer.from('USER2_CADATA', 'utf-8'),
-                key: Buffer.from('USER2_CKDATA', 'utf-8'),
+                key:  Buffer.from('USER2_CKDATA', 'utf-8'),
+                passphrase: undefined,
+                pfx: undefined,
                 rejectUnauthorized: false,
             });
+
+            const expectedOptions: https.RequestOptions = {
+                headers: {},
+                rejectUnauthorized: false,
+                agent: expectedAgent,
+            };
+
+            assertRequestOptionsEqual(opts, expectedOptions);
         });
         it('should apply password', async () => {
             const kc = new KubeConfig();

diff --git a/src/config_types.ts b/src/config_types.ts
@@ -21,6 +21,7 @@ export interface Cluster {
     readonly caData?: string;
     caFile?: string;
     readonly server: string;
+    readonly tlsServerName?: string
     readonly skipTLSVerify: boolean;
 }
 
@@ -38,6 +39,7 @@ export function exportCluster(cluster: Cluster): any {
             'certificate-authority-data': cluster.caData,
             'certificate-authority': cluster.caFile,
             'insecure-skip-tls-verify': cluster.skipTLSVerify,
+            'tls-server-name': cluster.tlsServerName,
         },
     };
 }
@@ -60,6 +62,7 @@ function clusterIterator(onInvalidEntry: ActionOnInvalid): _.ListIterator<any, C
                 name: elt.name,
                 server: elt.cluster.server.replace(/\/$/, ''),
                 skipTLSVerify: elt.cluster['insecure-skip-tls-verify'] === true,
+                tlsServerName: elt.cluster['tls-server-name'],
             };
         } catch (err) {
             switch (onInvalidEntry) {

diff --git a/testdata/tls-server-name-kubeconfig.yaml b/testdata/tls-server-name-kubeconfig.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: Q0FEQVRBMg==
+    server: http://example2.com
+    insecure-skip-tls-verify: true
+    tls-server-name: kube.example2.com
+  name: cluster
+- cluster:
+    certificate-authority-data: Q0FEQVRBMg==
+    server: http://example2.com
+    insecure-skip-tls-verify: true
+  name: cluster2
+
+contexts:
+- context:
+    cluster: cluster
+    user: user
+  name: context
+
+current-context: context
+kind: Config
+preferences: {}
+users:
+- name: user
+  user:
+    client-certificate-data: VVNFUl9DQURBVEE=
+    client-key-data: VVNFUl9DS0RBVEE=