backport tls handshake error (#1075)

marytlf · web-flow · commit 1ef443c1d725 · 2025-09-12T11:17:24.000-03:00
diff --git a/go.mod b/go.mod
@@ -42,7 +42,7 @@ require (
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/gorilla/mux v1.8.1
-	github.com/rancher/dynamiclistener v0.6.1
+	github.com/rancher/dynamiclistener v0.6.4-rc.1
 	github.com/rancher/lasso v0.2.2
 	github.com/rancher/rancher/pkg/apis v0.0.0-20250821052021-149127de3e30
 	github.com/rancher/rke v1.7.9
diff --git a/go.sum b/go.sum
@@ -149,8 +149,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rancher/aks-operator v1.10.8 h1:P3pr0ToPqY4U+T2Vgzw1/3SSRFx6aMHlePGRbz3CT/Q=
 github.com/rancher/aks-operator v1.10.8/go.mod h1:8gUm0ZgFHBB46SnVW1kn9H/3e34PqZaFHeo8GAjt8KI=
-github.com/rancher/dynamiclistener v0.6.1 h1:sw4fxjutSedm7uIPD4I/hhAS2zIJIk3wOZLEZEElcYI=
-github.com/rancher/dynamiclistener v0.6.1/go.mod h1:0KhUMHy3VcGMGavTY3i1/Mr8rVM02wFqNlUzjc+Cplg=
+github.com/rancher/dynamiclistener v0.6.4-rc.1 h1:DxwwqRisvUIwvFIhwmmjeoF4z+p8nC4RhdySIbfjXgo=
+github.com/rancher/dynamiclistener v0.6.4-rc.1/go.mod h1:ncmVR7qR8kR1o6xNkTcVS2mZ9WtlljimBilIlNjdyzc=
 github.com/rancher/eks-operator v1.10.8 h1:4HRGLp6mlyOEeEmuG9BGMJBk3Z08cFPywuBfEXCui68=
 github.com/rancher/eks-operator v1.10.8/go.mod h1:XxoR925R6QQVKDrslvYp+FdKst/Miphkk/1T5zO8DXU=
 github.com/rancher/fleet/pkg/apis v0.11.9 h1:PCfiPClMVQYeusyzttQttd+S7o9+XJq2JgXDi9pgMfU=
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -43,6 +43,8 @@ const (
 	webhookPortEnvKey       = "CATTLE_PORT"
 	webhookURLEnvKey        = "CATTLE_WEBHOOK_URL"
 	allowedCNsEnv           = "ALLOWED_CNS"
+	ignoreTLSHandshakeError = "IGNORE_TLS_HANDSHAKE_ERROR"
+	ignoreTLSHandErrorVal   = false
 )
 
 var caFile = filepath.Join(os.TempDir(), "k8s-webhook-server", "client-ca", "ca.crt")
@@ -151,6 +153,7 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, validators []
 			return fmt.Errorf("failed to decode webhook port value '%s': %w", portStr, err)
 		}
 	}
+	ignoreTLSHandErrorVal, _ := strconv.ParseBool(os.Getenv(ignoreTLSHandshakeError))
 	return server.ListenAndServe(ctx, webhookHTTPSPort, webhookHTTPPort, router, &server.ListenOpts{
 		Secrets:       clients.Core.Secret(),
 		CertNamespace: namespace,
@@ -163,7 +166,8 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, validators []
 			FilterCN:  dynamiclistener.OnlyAllow(tlsName),
 			TLSConfig: tlsConfig,
 		},
-		DisplayServerLogs: true,
+		DisplayServerLogs:       true,
+		IgnoreTLSHandshakeError: ignoreTLSHandErrorVal,
 	})
 }
 

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ const (`
`43`	`43`	`webhookPortEnvKey = "CATTLE_PORT"`
`44`	`44`	`webhookURLEnvKey = "CATTLE_WEBHOOK_URL"`
`45`	`45`	`allowedCNsEnv = "ALLOWED_CNS"`
	`46`	`+ ignoreTLSHandshakeError = "IGNORE_TLS_HANDSHAKE_ERROR"`
	`47`	`+ ignoreTLSHandErrorVal = false`
`46`	`48`	`)`
`47`	`49`
`48`	`50`	`var caFile = filepath.Join(os.TempDir(), "k8s-webhook-server", "client-ca", "ca.crt")`
`@@ -151,6 +153,7 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, validators []`
`151`	`153`	`return fmt.Errorf("failed to decode webhook port value '%s': %w", portStr, err)`
`152`	`154`	`}`
`153`	`155`	`}`
	`156`	`+ ignoreTLSHandErrorVal, _ := strconv.ParseBool(os.Getenv(ignoreTLSHandshakeError))`
`154`	`157`	`return server.ListenAndServe(ctx, webhookHTTPSPort, webhookHTTPPort, router, &server.ListenOpts{`
`155`	`158`	`Secrets: clients.Core.Secret(),`
`156`	`159`	`CertNamespace: namespace,`
`@@ -163,7 +166,8 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, validators []`
`163`	`166`	`FilterCN: dynamiclistener.OnlyAllow(tlsName),`
`164`	`167`	`TLSConfig: tlsConfig,`
`165`	`168`	`},`
`166`		`- DisplayServerLogs: true,`
	`169`	`+ DisplayServerLogs: true,`
	`170`	`+ IgnoreTLSHandshakeError: ignoreTLSHandErrorVal,`
`167`	`171`	`})`
`168`	`172`	`}`
`169`	`173`