Merge pull request #57 from yue9944882/bugfix/support-absent-port-addr

Somefive · web-flow · commit 40104198efc6 · 2022-02-17T17:47:11.000+08:00
Bugfix: Support absent port in the address
diff --git a/pkg/apis/cluster/v1alpha1/transport.go b/pkg/apis/cluster/v1alpha1/transport.go
@@ -10,11 +10,33 @@ import (
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
 	grpccredentials "google.golang.org/grpc/credentials"
+	k8snet "k8s.io/apimachinery/pkg/util/net"
 	restclient "k8s.io/client-go/rest"
 	konnectivity "sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client"
 	"sigs.k8s.io/apiserver-network-proxy/pkg/util"
 )
 
+var DialerGetter = func() (k8snet.DialFunc, error) {
+	tlsCfg, err := util.GetClientTLSConfig(
+		config.ClusterProxyCAFile,
+		config.ClusterProxyCertFile,
+		config.ClusterProxyKeyFile,
+		config.ClusterProxyHost,
+		nil)
+	if err != nil {
+		return nil, err
+	}
+	tunnel, err := konnectivity.CreateSingleUseGrpcTunnel(
+		context.TODO(),
+		net.JoinHostPort(config.ClusterProxyHost, strconv.Itoa(config.ClusterProxyPort)),
+		grpc.WithTransportCredentials(grpccredentials.NewTLS(tlsCfg)),
+	)
+	if err != nil {
+		return nil, err
+	}
+	return tunnel.DialContext, nil
+}
+
 func NewConfigFromCluster(c *ClusterGateway) (*restclient.Config, error) {
 	cfg := &restclient.Config{}
 	// setting up endpoint
@@ -29,33 +51,29 @@ func NewConfigFromCluster(c *ClusterGateway) (*restclient.Config, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		const missingPort = "missing port in address"
 		host, _, err := net.SplitHostPort(u.Host)
 		if err != nil {
-			return nil, err
+			addrErr, ok := err.(*net.AddrError)
+			if !ok {
+				return nil, err
+			}
+			if addrErr.Err != missingPort {
+				return nil, err
+			}
+			host = u.Host
 		}
 		cfg.ServerName = host // apiserver may listen on SNI cert
 	case ClusterEndpointTypeClusterProxy:
 		cfg.Host = c.Name // the same as the cluster name
 		cfg.Insecure = true
 		cfg.CAData = nil
-		tlsCfg, err := util.GetClientTLSConfig(
-			config.ClusterProxyCAFile,
-			config.ClusterProxyCertFile,
-			config.ClusterProxyKeyFile,
-			config.ClusterProxyHost,
-			nil)
-		if err != nil {
-			return nil, err
-		}
-		tunnel, err := konnectivity.CreateSingleUseGrpcTunnel(
-			context.TODO(),
-			net.JoinHostPort(config.ClusterProxyHost, strconv.Itoa(config.ClusterProxyPort)),
-			grpc.WithTransportCredentials(grpccredentials.NewTLS(tlsCfg)),
-		)
+		dail, err := DialerGetter()
 		if err != nil {
 			return nil, err
 		}
-		cfg.Dial = tunnel.DialContext
+		cfg.Dial = dail
 	}
 	// setting up credentials
 	switch c.Spec.Access.Credential.Type {
diff --git a/pkg/apis/cluster/v1alpha1/transport_test.go b/pkg/apis/cluster/v1alpha1/transport_test.go
@@ -0,0 +1,195 @@
+package v1alpha1
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8snet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/client-go/rest"
+	"k8s.io/utils/pointer"
+)
+
+func TestClusterRestConfigConversion(t *testing.T) {
+	testToken := "test-token"
+	testCAData := []byte(`test-ca`)
+	testCertData := []byte(`test-cert`)
+	testKeyData := []byte(`test-key`)
+	testDialFunc := func(ctx context.Context, net, addr string) (net.Conn, error) {
+		return nil, nil
+	}
+	DialerGetter = func() (k8snet.DialFunc, error) {
+		return testDialFunc, nil
+	}
+	cases := []struct {
+		name           string
+		clusterGateway *ClusterGateway
+		expectedCfg    *rest.Config
+		expectFailure  bool
+	}{
+		{
+			name: "normal cluster-gateway with SA token + host-port should work",
+			clusterGateway: &ClusterGateway{
+				Spec: ClusterGatewaySpec{
+					Access: ClusterAccess{
+						Endpoint: &ClusterEndpoint{
+							Type: ClusterEndpointTypeConst,
+							Const: &ClusterEndpointConst{
+								Address:  "https://foo.bar:33",
+								CABundle: testCAData,
+							},
+						},
+						Credential: &ClusterAccessCredential{
+							Type:                CredentialTypeServiceAccountToken,
+							ServiceAccountToken: testToken,
+						},
+					},
+				},
+			},
+			expectedCfg: &rest.Config{
+				Host:        "https://foo.bar:33",
+				BearerToken: testToken,
+				TLSClientConfig: rest.TLSClientConfig{
+					ServerName: "foo.bar",
+					CAData:     testCAData,
+				},
+			},
+		},
+		{
+			name: "normal cluster-gateway with X509 + host-port should work",
+			clusterGateway: &ClusterGateway{
+				Spec: ClusterGatewaySpec{
+					Access: ClusterAccess{
+						Endpoint: &ClusterEndpoint{
+							Type: ClusterEndpointTypeConst,
+							Const: &ClusterEndpointConst{
+								Address:  "https://foo.bar:33",
+								CABundle: testCAData,
+							},
+						},
+						Credential: &ClusterAccessCredential{
+							Type: CredentialTypeX509Certificate,
+							X509: &X509{
+								Certificate: testCertData,
+								PrivateKey:  testKeyData,
+							},
+						},
+					},
+				},
+			},
+			expectedCfg: &rest.Config{
+				Host: "https://foo.bar:33",
+				TLSClientConfig: rest.TLSClientConfig{
+					ServerName: "foo.bar",
+					CAData:     testCAData,
+					CertData:   testCertData,
+					KeyData:    testKeyData,
+				},
+			},
+		},
+		{
+			name: "https port defaulting should work",
+			clusterGateway: &ClusterGateway{
+				Spec: ClusterGatewaySpec{
+					Access: ClusterAccess{
+						Endpoint: &ClusterEndpoint{
+							Type: ClusterEndpointTypeConst,
+							Const: &ClusterEndpointConst{
+								Address:  "https://foo.bar",
+								CABundle: testCAData,
+							},
+						},
+						Credential: &ClusterAccessCredential{
+							Type:                CredentialTypeServiceAccountToken,
+							ServiceAccountToken: testToken,
+						},
+					},
+				},
+			},
+			expectedCfg: &rest.Config{
+				Host:        "https://foo.bar",
+				BearerToken: testToken,
+				TLSClientConfig: rest.TLSClientConfig{
+					ServerName: "foo.bar",
+					CAData:     testCAData,
+				},
+			},
+		},
+		{
+			name: "insecure (no CA bundle) should work",
+			clusterGateway: &ClusterGateway{
+				Spec: ClusterGatewaySpec{
+					Access: ClusterAccess{
+						Endpoint: &ClusterEndpoint{
+							Type: ClusterEndpointTypeConst,
+							Const: &ClusterEndpointConst{
+								Address:  "https://foo.bar:33",
+								Insecure: pointer.Bool(true),
+							},
+						},
+						Credential: &ClusterAccessCredential{
+							Type:                CredentialTypeServiceAccountToken,
+							ServiceAccountToken: testToken,
+						},
+					},
+				},
+			},
+			expectedCfg: &rest.Config{
+				Host:        "https://foo.bar:33",
+				BearerToken: testToken,
+				TLSClientConfig: rest.TLSClientConfig{
+					ServerName: "foo.bar",
+					Insecure:   true,
+				},
+			},
+		},
+		{
+			name: "cluster-proxy egress should work",
+			clusterGateway: &ClusterGateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-cluster",
+				},
+				Spec: ClusterGatewaySpec{
+					Access: ClusterAccess{
+						Endpoint: &ClusterEndpoint{
+							Type: ClusterEndpointTypeClusterProxy,
+						},
+						Credential: &ClusterAccessCredential{
+							Type:                CredentialTypeServiceAccountToken,
+							ServiceAccountToken: testToken,
+						},
+					},
+				},
+			},
+			expectedCfg: &rest.Config{
+				Host:        "my-cluster",
+				BearerToken: testToken,
+				Dial:        testDialFunc,
+				TLSClientConfig: rest.TLSClientConfig{
+					Insecure: true,
+				},
+			},
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			cfg, err := NewConfigFromCluster(c.clusterGateway)
+			if err != nil {
+				if c.expectFailure {
+					return
+				}
+				require.NoError(t, err)
+			}
+			if cfg.Dial != nil {
+				assert.ObjectsAreEqual(c.expectedCfg.Dial, cfg.Dial)
+				c.expectedCfg.Dial = nil
+				cfg.Dial = nil
+			}
+			assert.Equal(t, c.expectedCfg, cfg)
+		})
+	}
+
+}
