Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

连接后端apiserver走https的时候能否不写死tlsClientConfig里面的name #61

Open
Riete opened this issue Mar 22, 2024 · 6 comments
Assignees

Comments

@Riete
Copy link
Contributor

Riete commented Mar 22, 2024

What would you like to be added:

连接后端apiserver走https的时候能否不写死tlsClientConfig里面的name

Why is this needed:
pkg/clusters/util.go 49

	if httpScheme == "https" {
		tlsCfg := rest.TLSClientConfig{
			ServerName: cluster.Name,
			KeyData:    cluster.Spec.ClientConfig.KeyData,
			CertData:   cluster.Spec.ClientConfig.CertData,
			CAData:     cluster.Spec.ClientConfig.CAData,
			Insecure:   cluster.Spec.ClientConfig.Insecure,
		}
		cfg.TLSClientConfig = tlsCfg
	}

从代码看,会去设置ServerName为cluster.Name, 在我们的应用场景中会造成而外的问题。
我们的场景大致如下 k8s service1/service2/...-> kubegateway -> proxy service <----tunnel----> cluster1 apiserver/cluster2 apiserver/....
最终是访问的service名称,通过service名称和CR里面的name关联,同时在kubegateway里面创建的CR的endpoints是proxy service的名称(我们这里就叫kubernetes),通过不同的端口到不同的apiserver,这样的话由于代理的域名默认就在k8s证书的dns里面,正常情况不需要对已有集群去重新签发证书,但kubegateway这里访问的时候去设置了tlsClientConfig.ServerName,就会改变 http host,造成后端apiserver域名验证不通过,解决办法一个CR里面Insecure=true忽略服务端证书校验,或者把对应的service名称签进去(这个不太好对现有集群操作),再或者走http,所以这里是否可以不强制写死,提供个可选项配置。

@Riete
Copy link
Contributor Author

Riete commented Mar 22, 2024

顺便提一下最新的代码,依赖库code.byted.org/xxxxx 获取不到,这是内部代码库吧?

@xuqingyun
Copy link
Collaborator

顺便提一下最新的代码,依赖库code.byted.org/xxxxx 获取不到,这是内部代码库吧?

I will fix it

@xuqingyun
Copy link
Collaborator

你是想用endpoint的域名作为host访问apiserver是吧。作为一个代理服务最好的方式是将client的host透传给upstream,所以就算这里不指定ServerName,可能还是会证书校验不过,也得指定Insecure=true才行?

@Riete
Copy link
Contributor Author

Riete commented Mar 22, 2024

是的, 想用endpoint的域名作为host,不指定ServerName,我理解就是用的endpoint原始url里面的域名/ip, 我这里就是kubernetes,而这个域名默认在证书里面的

	// ServerName is passed to the server for SNI and is used in the client to check server
	// ceritificates against. If ServerName is empty, the hostname used to contact the
	// server is used.
	ServerName string

在我这种场景下,如果要走mTLS,这样处理是改动最少的。

@xuqingyun
Copy link
Collaborator

你现在用Insecure暂时是能访问的吧。直接把ServerName设置为空在动态服务发现的场景,比如动态podIP,hostIP时证书仍然会有问题。后面可以在Spec.ClientConfig里面增加一个ServerName的可选项,这仍然要求多个endpoint必须使用相同的ServerName。

@Riete
Copy link
Contributor Author

Riete commented Mar 22, 2024

是的Insecure可以访问, 我这边就是通过固定的serviceName + 不同的端口来规避了,这样我所有集群的apiserver,在kubegateway这边的endpoint都是相同的域名,如果可以增加个可选项我觉得是可以完美解决我这个问题的

@xuqingyun xuqingyun self-assigned this Mar 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants