fix: x509 error when adding cluster with different cadata in kube-public

Signed-off-by: Amin Arefzadeh <[email protected]>
argoproj · Jan 1, 2025 · 2e6763c · 2e6763c
1 parent 8126508
commit 2e6763c
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 12 deletions.
diff --git a/cmd/argocd/commands/cluster.go b/cmd/argocd/commands/cluster.go
@@ -166,13 +166,14 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			if clusterOpts.InClusterEndpoint() {
 				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
 			} else if clusterOpts.ClusterEndpoint == string(cmdutil.KubePublicEndpoint) {
-				endpoint, err := cmdutil.GetKubePublicEndpoint(clientset)
+				endpoint, caData, err := cmdutil.GetKubePublicEndpoint(clientset)
 				if err != nil || len(endpoint) == 0 {
 					log.Warnf("Failed to find the cluster endpoint from kube-public data: %v", err)
 					log.Infof("Falling back to the endpoint '%s' as listed in the kubeconfig context", clst.Server)
 					endpoint = clst.Server
 				}
 				clst.Server = endpoint
+				clst.Config.TLSClientConfig.CAData = caData
 			}
 
 			if clusterOpts.Shard >= 0 {

diff --git a/cmd/util/cluster.go b/cmd/util/cluster.go
@@ -125,26 +125,26 @@ func NewCluster(name string, namespaces []string, clusterResources bool, conf *r
 
 // GetKubePublicEndpoint returns the kubernetes apiserver endpoint as published
 // in the kube-public.
-func GetKubePublicEndpoint(client kubernetes.Interface) (string, error) {
+func GetKubePublicEndpoint(client kubernetes.Interface) (string, []byte, error) {
 	clusterInfo, err := client.CoreV1().ConfigMaps("kube-public").Get(context.TODO(), "cluster-info", metav1.GetOptions{})
 	if err != nil {
-		return "", err
+		return "", nil, err
 	}
 	kubeconfig, ok := clusterInfo.Data["kubeconfig"]
 	if !ok {
-		return "", stderrors.New("cluster-info does not contain a public kubeconfig")
+		return "", nil, stderrors.New("cluster-info does not contain a public kubeconfig")
 	}
 	// Parse Kubeconfig and get server address
 	config := &clientcmdapiv1.Config{}
 	err = yaml.Unmarshal([]byte(kubeconfig), config)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse cluster-info kubeconfig: %w", err)
+		return "", nil, fmt.Errorf("failed to parse cluster-info kubeconfig: %w", err)
 	}
 	if len(config.Clusters) == 0 {
-		return "", stderrors.New("cluster-info kubeconfig does not have any clusters")
+		return "", nil, stderrors.New("cluster-info kubeconfig does not have any clusters")
 	}
 
-	return config.Clusters[0].Cluster.Server, nil
+	return config.Clusters[0].Cluster.Server, config.Clusters[0].Cluster.CertificateAuthorityData, nil
 }
 
 type ClusterOptions struct {

diff --git a/cmd/util/cluster_test.go b/cmd/util/cluster_test.go
@@ -96,8 +96,23 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 		name             string
 		clusterInfo      *corev1.ConfigMap
 		expectedEndpoint string
+		expectedCAData   []byte
 		expectError      bool
 	}{
+		{
+			name: "has public endpoint and certificate authority data",
+			clusterInfo: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "kube-public",
+					Name:      "cluster-info",
+				},
+				Data: map[string]string{
+					"kubeconfig": kubeconfigFixture("https://test-cluster:6443", []byte("test-ca-data")),
+				},
+			},
+			expectedEndpoint: "https://test-cluster:6443",
+			expectedCAData:   []byte("test-ca-data"),
+		},
 		{
 			name: "has public endpoint",
 			clusterInfo: &corev1.ConfigMap{
@@ -106,10 +121,11 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 					Name:      "cluster-info",
 				},
 				Data: map[string]string{
-					"kubeconfig": kubeconfigFixture("https://test-cluster:6443"),
+					"kubeconfig": kubeconfigFixture("https://test-cluster:6443", nil),
 				},
 			},
 			expectedEndpoint: "https://test-cluster:6443",
+			expectedCAData:   nil,
 		},
 		{
 			name:        "no cluster-info",
@@ -136,7 +152,7 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 					Name:      "cluster-info",
 				},
 				Data: map[string]string{
-					"kubeconfig": kubeconfigFixture(""),
+					"kubeconfig": kubeconfigFixture("", nil),
 				},
 			},
 			expectError: true,
@@ -163,25 +179,27 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 				objects = append(objects, tc.clusterInfo)
 			}
 			clientset := fake.NewClientset(objects...)
-			endpoint, err := GetKubePublicEndpoint(clientset)
+			endpoint, caData, err := GetKubePublicEndpoint(clientset)
 			if tc.expectError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
 			}
 			require.Equalf(t, tc.expectedEndpoint, endpoint, "expected endpoint %s, got %s", tc.expectedEndpoint, endpoint)
+			require.Equalf(t, tc.expectedCAData, caData, "expected caData %s, got %s", tc.expectedCAData, caData)
 		})
 	}
 }
 
-func kubeconfigFixture(endpoint string) string {
+func kubeconfigFixture(endpoint string, certificateAuthorityData []byte) string {
 	kubeconfig := &clientcmdapiv1.Config{}
 	if len(endpoint) > 0 {
 		kubeconfig.Clusters = []clientcmdapiv1.NamedCluster{
 			{
 				Name: "test-kube",
 				Cluster: clientcmdapiv1.Cluster{
-					Server: endpoint,
+					Server:                   endpoint,
+					CertificateAuthorityData: certificateAuthorityData,
 				},
 			},
 		}