From 24302e441ba412bd07f4778f24eaed702e523df5 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Sun, 6 Oct 2019 13:40:21 -0400 Subject: [PATCH] Overriding CA file should override skip TLS and CA data Kubernetes-commit: 857572168e79430af2dbf05e9d4705dfb3f0d99b --- tools/clientcmd/client_config.go | 12 +++++++----- tools/clientcmd/client_config_test.go | 26 +++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/tools/clientcmd/client_config.go b/tools/clientcmd/client_config.go index 9c6ac3b5d2..44115130d9 100644 --- a/tools/clientcmd/client_config.go +++ b/tools/clientcmd/client_config.go @@ -449,13 +449,15 @@ func (config *DirectClientConfig) getCluster() (clientcmdapi.Cluster, error) { return clientcmdapi.Cluster{}, fmt.Errorf("cluster %q does not exist", clusterInfoName) } mergo.MergeWithOverwrite(mergedClusterInfo, config.overrides.ClusterInfo) - // An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data - // otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set" + // * An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data + // otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set". + // * An override of --certificate-authority should also override TLS skip settings and CA data, otherwise existing CA data will take precedence. caLen := len(config.overrides.ClusterInfo.CertificateAuthority) caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData) - if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 { - mergedClusterInfo.CertificateAuthority = "" - mergedClusterInfo.CertificateAuthorityData = nil + if config.overrides.ClusterInfo.InsecureSkipTLSVerify || caLen > 0 || caDataLen > 0 { + mergedClusterInfo.InsecureSkipTLSVerify = config.overrides.ClusterInfo.InsecureSkipTLSVerify + mergedClusterInfo.CertificateAuthority = config.overrides.ClusterInfo.CertificateAuthority + mergedClusterInfo.CertificateAuthorityData = config.overrides.ClusterInfo.CertificateAuthorityData } return *mergedClusterInfo, nil diff --git a/tools/clientcmd/client_config_test.go b/tools/clientcmd/client_config_test.go index 907dcde761..954accdeb9 100644 --- a/tools/clientcmd/client_config_test.go +++ b/tools/clientcmd/client_config_test.go @@ -148,7 +148,7 @@ func TestInsecureOverridesCA(t *testing.T) { actualCfg, err := clientBuilder.ClientConfig() if err != nil { - t.Errorf("Unexpected error: %v", err) + t.Fatalf("Unexpected error: %v", err) } matchBoolArg(true, actualCfg.Insecure, t) @@ -156,6 +156,30 @@ func TestInsecureOverridesCA(t *testing.T) { matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t) } +func TestCAOverridesCAData(t *testing.T) { + file, err := ioutil.TempFile("", "my.ca") + if err != nil { + t.Fatalf("could not create tempfile: %v", err) + } + defer os.Remove(file.Name()) + + config := createCAValidTestConfig() + clientBuilder := NewNonInteractiveClientConfig(*config, "clean", &ConfigOverrides{ + ClusterInfo: clientcmdapi.Cluster{ + CertificateAuthority: file.Name(), + }, + }, nil) + + actualCfg, err := clientBuilder.ClientConfig() + if err != nil { + t.Fatalf("Unexpected error: %v", err) + } + + matchBoolArg(false, actualCfg.Insecure, t) + matchStringArg(file.Name(), actualCfg.TLSClientConfig.CAFile, t) + matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t) +} + func TestMergeContext(t *testing.T) { const namespace = "overridden-namespace"