do nothing to TSL config when true disable_local_ca_jwt & unset kuber…

…netes_ca_cert
hashicorp · Mar 14, 2024 · cac8247 · cac8247
1 parent 875494f
commit cac8247
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 17 deletions.
diff --git a/backend.go b/backend.go
@@ -102,6 +102,7 @@ type kubeAuthBackend struct {
 	// localCACertReader contains the local CA certificate. Local CA certificate is
 	// used when running in a pod with following configuration
 	// - kubernetes_ca_cert is not set
+	// - disable_local_ca_jwt is false
 	localCACertReader *cachingFileReader
 
 	// tlsConfigUpdaterRunning is used to signal the current state of the tlsConfig updater routine.
@@ -333,16 +334,6 @@ func (b *kubeAuthBackend) loadConfig(ctx context.Context, s logical.Storage) (*k
 	if config == nil {
 		return config, nil
 	}
-
-	// Read local CA cert unless it was stored in config.
-	// Else build the TLSConfig with the trusted CA cert and load into client
-	if config.CACert == "" {
-		config.CACert, err = b.localCACertReader.ReadFile()
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	// Nothing more to do if loading local CA cert and JWT token is disabled.
 	if config.DisableLocalCAJwt {
 		return config, nil
@@ -357,6 +348,16 @@ func (b *kubeAuthBackend) loadConfig(ctx context.Context, s logical.Storage) (*k
 			b.Logger().Debug("failed to read local service account token, will use client token", "error", err)
 		}
 	}
+
+	// Read local CA cert unless it was stored in config.
+	// Else build the TLSConfig with the trusted CA cert and load into client
+	if config.CACert == "" {
+		config.CACert, err = b.localCACertReader.ReadFile()
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return config, nil
 }
 
@@ -424,7 +425,7 @@ func (b *kubeAuthBackend) updateTLSConfig(config *kubeConfig) error {
 	var caCertBytes []byte
 	if config.CACert != "" {
 		caCertBytes = []byte(config.CACert)
-	} else if b.localCACertReader != nil {
+	} else if !config.DisableLocalCAJwt && b.localCACertReader != nil {
 		data, err := b.localCACertReader.ReadFile()
 		if err != nil {
 			return err
@@ -439,7 +440,7 @@ func (b *kubeAuthBackend) updateTLSConfig(config *kubeConfig) error {
 		}
 	} else {
 		// provide an empty certPool
-		b.Logger().Warn("No CA certificates configured, TLS verification will fail")
+		b.Logger().Warn("No CA certificates configured, TLS verification will use the system's trust store")
 		// TODO: think about supporting host root CA certificates via a configuration toggle,
 		// in which case RootCAs should be set to nil
 	}

diff --git a/path_config.go b/path_config.go
@@ -37,7 +37,7 @@ func pathConfig(b *kubeAuthBackend) *framework.Path {
 			"kubernetes_ca_cert": {
 				Type: framework.TypeString,
 				Description: `Optional PEM encoded CA cert for use by the TLS client used to talk with the API. 
-If not set, the local CA cert will be used.`,
+If it is not set and disable_local_ca_jwt is true, the system's trust store will be used.`,
 				DisplayAttrs: &framework.DisplayAttributes{
 					Name: "Kubernetes CA Certificate",
 				},
@@ -159,7 +159,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 		return logical.ErrorResponse("no host provided"), nil
 	}
 
-	disableLocalJWT := data.Get("disable_local_ca_jwt").(bool)
+	disableLocalCAJwt := data.Get("disable_local_ca_jwt").(bool)
 	pemList := data.Get("pem_keys").([]string)
 	caCert := data.Get("kubernetes_ca_cert").(string)
 	issuer := data.Get("issuer").(string)
@@ -175,7 +175,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 		TokenReviewerJWT:              tokenReviewer,
 		Issuer:                        issuer,
 		DisableISSValidation:          disableIssValidation,
-		DisableLocalCAJwt:             disableLocalJWT,
+		DisableLocalCAJwt:             disableLocalCAJwt,
 		UseAnnotationsAsAliasMetadata: useAnnotationsAsAliasMetadata,
 	}
 

diff --git a/path_config_test.go b/path_config_test.go
@@ -474,17 +474,34 @@ func TestConfig_LocalCaJWT(t *testing.T) {
 				DisableLocalCAJwt:    true,
 			},
 		},
-		"disable local default, no CA or JWT, default to local CA": {
+		"disable local default, JWT set": {
 			config: map[string]interface{}{
 				"kubernetes_host":      "host",
+				"token_reviewer_jwt":   jwtGoodDataToken,
 				"disable_local_ca_jwt": true,
 			},
 			setupInClusterFiles: true,
 			expected: &kubeConfig{
 				PublicKeys:           []crypto.PublicKey{},
 				PEMKeys:              []string{},
 				Host:                 "host",
-				CACert:               testLocalCACert,
+				CACert:               "",
+				TokenReviewerJWT:     jwtGoodDataToken,
+				DisableISSValidation: true,
+				DisableLocalCAJwt:    true,
+			},
+		},
+		"disable local default, no CA or JWT": {
+			config: map[string]interface{}{
+				"kubernetes_host":      "host",
+				"disable_local_ca_jwt": true,
+			},
+			setupInClusterFiles: true,
+			expected: &kubeConfig{
+				PublicKeys:           []crypto.PublicKey{},
+				PEMKeys:              []string{},
+				Host:                 "host",
+				CACert:               "",
 				TokenReviewerJWT:     "",
 				DisableISSValidation: true,
 				DisableLocalCAJwt:    true,