Add argument to Dashboard API to allow for a custom CA bundle

josemaia · josemaia · commit 8f818e45b51e · 2025-03-03T16:47:44.000Z
diff --git a/modules/api/main.go b/modules/api/main.go
@@ -44,6 +44,7 @@ func main() {
 		client.WithKubeconfig(args.KubeconfigPath()),
 		client.WithMasterUrl(args.ApiServerHost()),
 		client.WithInsecureTLSSkipVerify(args.ApiServerSkipTLSVerify()),
+		client.WithCaBundle(args.ApiServerCaBundle()),
 	)
 
 	if !args.IsProxyEnabled() {
diff --git a/modules/api/pkg/args/args.go b/modules/api/pkg/args/args.go
@@ -66,6 +66,7 @@ var (
 	argBindAddress         = pflag.IP("bind-address", net.IPv4(0, 0, 0, 0), "IP address on which to serve the --port, set to 0.0.0.0 for all interfaces")
 
 	argDefaultCertDir            = pflag.String("default-cert-dir", "/certs", "directory path containing files from --tls-cert-file and --tls-key-file, used also when auto-generating certificates flag is set")
+	argApiServerCaBundle				 = pflag.String("apiserver-ca-bundle", "", "file containing the x509 certificates used for HTTPS connection to the API Server")
 	argCertFile                  = pflag.String("tls-cert-file", "", "file containing the default x509 certificate for HTTPS")
 	argKeyFile                   = pflag.String("tls-key-file", "", "file containing the default x509 private key matching --tls-cert-file")
 	argApiServerHost             = pflag.String("apiserver-host", "", "address of the Kubernetes API server to connect to in the format of protocol://address:port, leave it empty if the binary runs inside cluster for local discovery attempt")
@@ -112,6 +113,10 @@ func DefaultCertDir() string {
 	return *argDefaultCertDir
 }
 
+func ApiServerCaBundle() string {
+	return *argApiServerCaBundle
+}
+
 func CertFile() string {
 	return *argCertFile
 }
diff --git a/modules/common/client/init.go b/modules/common/client/init.go
@@ -41,6 +41,7 @@ type configBuilder struct {
 	kubeconfigPath string
 	masterUrl      string
 	insecure       bool
+	caBundlePath   			 string
 }
 
 func (in *configBuilder) buildBaseConfig() (config *rest.Config, err error) {
@@ -58,6 +59,11 @@ func (in *configBuilder) buildBaseConfig() (config *rest.Config, err error) {
 		klog.InfoS("Using apiserver-host location", "masterUrl", in.masterUrl)
 	}
 
+	if len(in.caBundlePath) > 0 {
+		klog.InfoS("Using custom CA Bundle", "caBundle", in.caBundlePath)
+		config.TLSClientConfig.CertificateAuthority = in.caBundlePath
+	}
+
 	config, err = clientcmd.BuildConfigFromFlags(in.masterUrl, in.kubeconfigPath)
 	if err != nil {
 		return nil, err
@@ -123,6 +129,12 @@ func WithInsecureTLSSkipVerify(insecure bool) Option {
 	}
 }
 
+func WithCaBundle(caBundlePath string) Option {
+	return func(c *configBuilder) {
+		c.caBundlePath = caBundlePath
+	}
+}
+
 func configFromRequest(request *http.Request) (*rest.Config, error) {
 	authInfo, err := buildAuthInfo(request)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ func main() {`
`44`	`44`	`client.WithKubeconfig(args.KubeconfigPath()),`
`45`	`45`	`client.WithMasterUrl(args.ApiServerHost()),`
`46`	`46`	`client.WithInsecureTLSSkipVerify(args.ApiServerSkipTLSVerify()),`
	`47`	`+ client.WithCaBundle(args.ApiServerCaBundle()),`
`47`	`48`	`)`
`48`	`49`
`49`	`50`	`if !args.IsProxyEnabled() {`