fix(auth): ha not work for auth webhook

tkestack · Sep 28, 2020 · 51d67a1 · 51d67a1
1 parent 5760bd7
commit 51d67a1
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/api/platform/v1/cluster.go b/api/platform/v1/cluster.go
@@ -180,6 +180,18 @@ func (in *Cluster) AuthzWebhookBuiltinEndpoint() (string, bool) {
 		return "", false
 	}
 
-	return utilhttp.MakeEndpoint("https", in.Spec.Machines[0].IP,
+	endPointHost := in.Spec.Machines[0].IP
+
+	// use VIP in HA situation
+	if in.Spec.Features.HA != nil {
+		if in.Spec.Features.HA.TKEHA != nil {
+			endPointHost = in.Spec.Features.HA.TKEHA.VIP
+		}
+		if in.Spec.Features.HA.ThirdPartyHA != nil {
+			endPointHost = in.Spec.Features.HA.ThirdPartyHA.VIP
+		}
+	}
+
+	return utilhttp.MakeEndpoint("https", endPointHost,
 		constants.AuthzWebhookNodePort, "/auth/authz"), true
 }
diff --git a/cmd/tke-installer/app/installer/installer.go b/cmd/tke-installer/app/installer/installer.go
@@ -1328,7 +1328,19 @@ func (t *TKE) prepareCertificates(ctx context.Context) error {
 }
 
 func (t *TKE) authzWebhookBuiltinEndpoint() string {
-	return utilhttp.MakeEndpoint("https", t.Para.Cluster.Spec.Machines[0].IP,
+	endPointHost := t.Para.Cluster.Spec.Machines[0].IP
+
+	// use VIP in HA situation
+	if t.Para.Cluster.Spec.Features.HA != nil {
+		if t.Para.Cluster.Spec.Features.HA.TKEHA != nil {
+			endPointHost = t.Para.Cluster.Spec.Features.HA.TKEHA.VIP
+		}
+		if t.Para.Cluster.Spec.Features.HA.ThirdPartyHA != nil {
+			endPointHost = t.Para.Cluster.Spec.Features.HA.ThirdPartyHA.VIP
+		}
+	}
+
+	return utilhttp.MakeEndpoint("https", endPointHost,
 		constants.AuthzWebhookNodePort, "/auth/authz")
 }