Make "--insecure-skip-tls-verify" work on all cases

rata · rata · commit c0af96ccc241 · 2016-03-21T16:31:31.000-03:00
In the getting started example of AWS, the master uses an IP that is changed on
stop/start. If you are playing with a cluster and stop and start the master,
the IP is changed and you can't connect again, even using the
"--insecure-skip-tls-verify" option.

This patch fixes it and makes the option work on those cases too by making
sure no CA/CAData is added when it shouldn't.
diff --git a/pkg/client/unversioned/clientcmd/client_config.go b/pkg/client/unversioned/clientcmd/client_config.go
@@ -305,6 +305,14 @@ func (config *DirectClientConfig) getCluster() clientcmdapi.Cluster {
 		mergo.Merge(&mergedClusterInfo, configClusterInfo)
 	}
 	mergo.Merge(&mergedClusterInfo, config.overrides.ClusterInfo)
+	// An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data
+	// otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set"
+	caLen := len(config.overrides.ClusterInfo.CertificateAuthority)
+	caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData)
+	if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 {
+		mergedClusterInfo.CertificateAuthority = ""
+		mergedClusterInfo.CertificateAuthorityData = nil
+	}
 
 	return mergedClusterInfo
 }
diff --git a/pkg/client/unversioned/clientcmd/client_config_test.go b/pkg/client/unversioned/clientcmd/client_config_test.go
@@ -65,6 +65,31 @@ func createValidTestConfig() *clientcmdapi.Config {
 	return config
 }
 
+func createCAValidTestConfig() *clientcmdapi.Config {
+
+	config := createValidTestConfig()
+	config.Clusters["clean"].CertificateAuthorityData = []byte{0, 0}
+	return config
+}
+
+func TestInsecureOverridesCA(t *testing.T) {
+	config := createCAValidTestConfig()
+	clientBuilder := NewNonInteractiveClientConfig(*config, "clean", &ConfigOverrides{
+		ClusterInfo: clientcmdapi.Cluster{
+			InsecureSkipTLSVerify: true,
+		},
+	})
+
+	actualCfg, err := clientBuilder.ClientConfig()
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	matchBoolArg(true, actualCfg.Insecure, t)
+	matchStringArg("", actualCfg.TLSClientConfig.CAFile, t)
+	matchByteArg(nil, actualCfg.TLSClientConfig.CAData, t)
+}
+
 func TestMergeContext(t *testing.T) {
 	const namespace = "overriden-namespace"
 

Original file line number	Diff line number	Diff line change
`@@ -305,6 +305,14 @@ func (config *DirectClientConfig) getCluster() clientcmdapi.Cluster {`
`305`	`305`	`mergo.Merge(&mergedClusterInfo, configClusterInfo)`
`306`	`306`	`}`
`307`	`307`	`mergo.Merge(&mergedClusterInfo, config.overrides.ClusterInfo)`
	`308`	`+ // An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data`
	`309`	`+ // otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set"`
	`310`	`+ caLen := len(config.overrides.ClusterInfo.CertificateAuthority)`
	`311`	`+ caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData)`
	`312`	`+ if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 {`
	`313`	`+ mergedClusterInfo.CertificateAuthority = ""`
	`314`	`+ mergedClusterInfo.CertificateAuthorityData = nil`
	`315`	`+ }`
`308`	`316`
`309`	`317`	`return mergedClusterInfo`
`310`	`318`	`}`