fix: update TLS configuration to use leader hostname and custom dialer

2025-05-18 10:51:06 -04:00 · 2025-05-18 10:51:06 -04:00 · 8f90c1b16d
commit 8f90c1b16d
parent 641a2f09d3
1 changed files with 31 additions and 18 deletions
--- a/internal/agent/agent.go
+++ b/internal/agent/agent.go
@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"net"
 	"net/http"
 	"os"
 	"runtime"
@ -115,28 +116,40 @@ func (a *Agent) SetupMTLSClient() error {
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      caCertPool,
 		MinVersion:   tls.VersionTLS12,
-		// Skip hostname verification since we're using IP addresses
-		// and the leader cert is issued for leader.kat.cluster.local
-		InsecureSkipVerify: true,
-		// Custom verification to still validate the certificate chain
-		// but ignore the hostname mismatch
-		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-			// Skip verification if there are no chains (shouldn't happen with our config)
-			if len(verifiedChains) == 0 {
-				return fmt.Errorf("no verified chains provided")
-			}
-			
-			// The certificate chain was already verified against our CA by the TLS stack
-			// We just need to check that the leaf cert was issued by our trusted CA
-			// which is already done by the time this callback is called
-			return nil
-		},
 	}

 	// Create HTTP client with TLS configuration
 	a.client = &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
+			// Override the dial function to map any hostname to the leader's IP
+			DialTLS: func(network, addr string) (net.Conn, error) {
+				// Extract host and port from addr
+				host, port, err := net.SplitHostPort(addr)
+				if err != nil {
+					return nil, err
+				}
+				
+				// Extract host and port from LeaderAPI
+				leaderHost, leaderPort, err := net.SplitHostPort(a.LeaderAPI)
+				if err != nil {
+					return nil, err
+				}
+				
+				// Use the leader's IP but keep the original port
+				dialAddr := net.JoinHostPort(leaderHost, port)
+				
+				// For logging purposes
+				log.Printf("Dialing %s instead of %s", dialAddr, addr)
+				
+				// Create the TLS connection
+				conn, err := tls.Dial(network, dialAddr, tlsConfig)
+				if err != nil {
+					return nil, err
+				}
+				
+				return conn, nil
+			},
 		},
 		Timeout: 10 * time.Second,
 	}
@ -198,8 +211,8 @@ func (a *Agent) sendHeartbeat() error {
 		return fmt.Errorf("failed to marshal node status: %w", err)
 	}

-	// Construct URL
-	url := fmt.Sprintf("https://%s/v1alpha1/nodes/%s/status", a.LeaderAPI, a.NodeName)
+	// Construct URL - use leader.kat.cluster.local as hostname to match certificate
+	url := fmt.Sprintf("https://leader.kat.cluster.local/v1alpha1/nodes/%s/status", a.NodeName)

 	// Create request
 	req, err := http.NewRequest("POST", url, bytes.NewBuffer(statusJSON))