Fallback to use custom cacert

chuidaqi666 · Jan 22, 2021 · 30b91fd · 30b91fd
1 parent 1647f90
commit 30b91fd
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/modules/agent/pkg/controllers/cluster/cluster.go b/modules/agent/pkg/controllers/cluster/cluster.go
@@ -51,7 +51,9 @@ func Register(ctx context.Context,
 
 	go func() {
 		time.Sleep(15 * time.Second)
-		_ = h.Update()
+		if err := h.Update(); err != nil {
+			logrus.Errorf("failed to report cluster node status: %v", err)
+		}
 	}()
 	go func() {
 		if checkinInterval == 0 {

diff --git a/modules/agent/pkg/register/register.go b/modules/agent/pkg/register/register.go
@@ -3,6 +3,7 @@ package register
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"time"
 
 	fleet "github.com/rancher/fleet/pkg/apis/fleet.cattle.io/v1alpha1"
@@ -253,6 +254,10 @@ func createClientConfigFromSecret(secret *corev1.Secret) clientcmd.ClientConfig
 	namespace := string(data[ClusterNamespace])
 	token := string(data[Token])
 
+	if _, err := http.Get(apiServerURL); err == nil {
+		apiServerCA = nil
+	}
+
 	cfg := clientcmdapi.Config{
 		Clusters: map[string]*clientcmdapi.Cluster{
 			"cluster": {

diff --git a/pkg/controllers/cluster/import.go b/pkg/controllers/cluster/import.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/http"
 	"strconv"
 	"time"
 
@@ -20,6 +21,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 )
 
@@ -157,7 +159,7 @@ func (i *importHandler) importCluster(cluster *fleet.Cluster, status fleet.Clust
 		apiServerCA = cfg.APIServerCA
 	}
 
-	restConfig, err := clientcmd.RESTConfigFromKubeConfig(secret.Data["value"])
+	restConfig, err := i.restConfigFromKubeConfig(secret.Data["value"])
 	if err != nil {
 		return status, err
 	}
@@ -233,3 +235,28 @@ func (i *importHandler) importCluster(cluster *fleet.Cluster, status fleet.Clust
 	status.Agent = fleet.AgentStatus{}
 	return status, nil
 }
+
+// restConfigFromKubeConfig checks kubeconfig data and tries to connect to server. If server is behind public CA, remove CertificateAuthorityData in kubeconfig file.
+func (i *importHandler) restConfigFromKubeConfig(data []byte) (*rest.Config, error) {
+	clientConfig, err := clientcmd.NewClientConfigFromBytes(data)
+	if err != nil {
+		return nil, err
+	}
+
+	raw, err := clientConfig.RawConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	if raw.Contexts[raw.CurrentContext] != nil {
+		cluster := raw.Contexts[raw.CurrentContext].Cluster
+		if raw.Clusters[cluster] != nil {
+			_, err := http.Get(raw.Clusters[cluster].Server)
+			if err == nil {
+				raw.Clusters[cluster].CertificateAuthorityData = nil
+			}
+		}
+	}
+
+	return clientcmd.NewDefaultClientConfig(raw, &clientcmd.ConfigOverrides{}).ClientConfig()
+}