fix: update TLS configuration to use leader hostname and custom dialer

This commit is contained in:
Tanishq Dubey 2025-05-18 10:51:06 -04:00
parent 641a2f09d3
commit 8f90c1b16d
No known key found for this signature in database
GPG Key ID: CFC1931B84DFC3F9


@ -8,6 +8,7 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"log" "log"
"net"
"net/http" "net/http"
"os" "os"
"runtime" "runtime"
@ -115,28 +116,40 @@ func (a *Agent) SetupMTLSClient() error {
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
RootCAs: caCertPool, RootCAs: caCertPool,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
// Skip hostname verification since we're using IP addresses
// and the leader cert is issued for leader.kat.cluster.local
InsecureSkipVerify: true,
// Custom verification to still validate the certificate chain
// but ignore the hostname mismatch
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
// Skip verification if there are no chains (shouldn't happen with our config)
if len(verifiedChains) == 0 {
return fmt.Errorf("no verified chains provided")
}
// The certificate chain was already verified against our CA by the TLS stack
// We just need to check that the leaf cert was issued by our trusted CA
// which is already done by the time this callback is called
return nil
},
} }
// Create HTTP client with TLS configuration // Create HTTP client with TLS configuration
a.client = &http.Client{ a.client = &http.Client{
Transport: &http.Transport{ Transport: &http.Transport{
TLSClientConfig: tlsConfig, TLSClientConfig: tlsConfig,
// Override the dial function to map any hostname to the leader's IP
DialTLS: func(network, addr string) (net.Conn, error) {
// Extract host and port from addr
host, port, err := net.SplitHostPort(addr)
if err != nil {
return nil, err
}
// Extract host and port from LeaderAPI
leaderHost, leaderPort, err := net.SplitHostPort(a.LeaderAPI)
if err != nil {
return nil, err
}
// Use the leader's IP but keep the original port
dialAddr := net.JoinHostPort(leaderHost, port)
// For logging purposes
log.Printf("Dialing %s instead of %s", dialAddr, addr)
// Create the TLS connection
conn, err := tls.Dial(network, dialAddr, tlsConfig)
if err != nil {
return nil, err
}
return conn, nil
},
}, },
Timeout: 10 * time.Second, Timeout: 10 * time.Second,
} }
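Review bot: The tlsConfig literal in this hunk turns off verification with `InsecureSkipVerify: true`, and the added `VerifyPeerCertificate` callback does not restore it: crypto/tls documents that when InsecureSkipVerify is set the `verifiedChains` argument is always nil, so the guard `if len(verifiedChains) == 0` rejects every handshake, and without that guard the callback would accept any certificate, because the "already verified against our CA" assumption in its comment only holds when InsecureSkipVerify is false. Since the new DialTLS already maps every address to the leader's IP, the hostname mismatch can be solved without weakening verification: drop `InsecureSkipVerify` and `VerifyPeerCertificate` and add `ServerName: "leader.kat.cluster.local",` to tlsConfig, which the `tls.Dial(network, dialAddr, tlsConfig)` call in the dialer honors instead of deriving the name from the IP in dialAddr. While there, `DialTLS` is deprecated in favor of `DialTLSContext`, which would also let the dial observe request cancellation. SetupMTLSClient begins before this hunk.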
@ -198,8 +211,8 @@ func (a *Agent) sendHeartbeat() error {
return fmt.Errorf("failed to marshal node status: %w", err) return fmt.Errorf("failed to marshal node status: %w", err)
} }
// Construct URL // Construct URL - use leader.kat.cluster.local as hostname to match certificate
url := fmt.Sprintf("https://%s/v1alpha1/nodes/%s/status", a.LeaderAPI, a.NodeName) url := fmt.Sprintf("https://leader.kat.cluster.local/v1alpha1/nodes/%s/status", a.NodeName)
// Create request // Create request
req, err := http.NewRequest("POST", url, bytes.NewBuffer(statusJSON)) req, err := http.NewRequest("POST", url, bytes.NewBuffer(statusJSON))