feat: detect if a mitm proxy is being used in host preflights (#1318)
* make templates provide http/s proxy strings and cacert from runtimeSpec

back out changes using RuntimeSpec

back out new Provider functions

get privateCAs from install flags

remove privateCAs() from Applier

make initial-release

check proxy and privateca flags before passing them on

make stuff

Discard changes to pkg/addons/embeddedclusteroperator/static/metadata.yaml

Discard changes to operator/charts/embedded-cluster-operator/values.yaml

Discard changes to operator/charts/embedded-cluster-operator/Chart.yaml

make kinds generate && make operator manifests

* remove old code

* test a minified hostpreflight spec

* Discard changes to pkg/preflights/host-preflight.yaml

* Discard changes to pkg/preflights/preflights.go

* revert changes to hostpreflight template

* make sure CA collector code is pulled in from latest troubleshoot release

* go mod tidy

* make initial-release

* fix spec syntax

* Discard changes to operator/charts/embedded-cluster-operator/Chart.yaml

* Discard changes to operator/charts/embedded-cluster-operator/values.yaml

* Discard changes to pkg/addons/embeddedclusteroperator/static/metadata.yaml

* remove development code

* Discard changes to operator/charts/embedded-cluster-operator/Chart.yaml

* Discard changes to operator/charts/embedded-cluster-operator/values.yaml

* Discard changes to pkg/addons/embeddedclusteroperator/static/metadata.yaml

* bump troubleshoot in makefile

* revert change to runtime config

* Discard changes to operator/charts/embedded-cluster-operator/Chart.yaml

* Discard changes to operator/charts/embedded-cluster-operator/values.yaml

* Discard changes to operator/charts/embedded-cluster-operator/charts/crds/templates/resources.yaml

* Discard changes to operator/config/crd/bases/embeddedcluster.replicated.com_installations.yaml

* Discard changes to pkg/addons/embeddedclusteroperator/static/metadata.yaml
adamancini authored Oct 28, 2024
1 parent 8986851 commit 43b013c
Showing 4 changed files with 33 additions and 1 deletion.
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -15,7 +15,8 @@ K0S_GO_VERSION = v1.30.5+k0s.0
PREVIOUS_K0S_VERSION ?= v1.29.9+k0s.0-ec.0
PREVIOUS_K0S_GO_VERSION ?= v1.29.9+k0s.0
K0S_BINARY_SOURCE_OVERRIDE =
TROUBLESHOOT_VERSION = v0.107.3
TROUBLESHOOT_VERSION = v0.107.4

KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
# When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or
# scripts/ci-upload-binaries.sh may find the version in the cache and not upload the overridden binary.
20 changes: 20 additions & 0 deletions cmd/embedded-cluster/install.go
Expand Up @@ -152,6 +152,8 @@ func RunHostPreflights(c *cli.Context, provider *defaults.Provider, applier *add
return fmt.Errorf("unable to read host preflights: %w", err)
}

privateCAs := getPrivateCAPath(c)

data, err := preflights.TemplateData{
ReplicatedAPIURL: replicatedAPIURL,
ProxyRegistryURL: proxyRegistryURL,
Expand All @@ -161,12 +163,21 @@ func RunHostPreflights(c *cli.Context, provider *defaults.Provider, applier *add
DataDir: provider.EmbeddedClusterHomeDirectory(),
K0sDataDir: provider.EmbeddedClusterK0sSubDir(),
OpenEBSDataDir: provider.EmbeddedClusterOpenEBSLocalSubDir(),
PrivateCA: privateCAs,
SystemArchitecture: runtime.GOARCH,
}.WithCIDRData(getCIDRs(c))

if err != nil {
return fmt.Errorf("unable to get host preflights data: %w", err)
}

if proxy != nil {
data.HTTPProxy = proxy.HTTPProxy
data.HTTPSProxy = proxy.HTTPSProxy
data.ProvidedNoProxy = proxy.ProvidedNoProxy
data.NoProxy = proxy.NoProxy
}

chpfs, err := preflights.GetClusterHostPreflights(c.Context, data)
if err != nil {
return fmt.Errorf("unable to get cluster host preflights: %w", err)
Expand Down Expand Up @@ -638,6 +649,15 @@ func validateAdminConsolePassword(password, passwordCheck string) bool {
return true
}

// return only the first private CA path for now - troubleshoot needs a refactor to support multiple CAs in the future
func getPrivateCAPath(c *cli.Context) string {
privateCA := ""
if len(c.StringSlice("private-ca")) > 0 {
privateCA = c.StringSlice("private-ca")[0]
}
return privateCA
}

// installCommands executes the "install" command. This will ensure that a k0s.yaml file exists
// and then run `k0s install` to apply the cluster. Once this is finished then a "kubeconfig"
// file is created. Resulting kubeconfig is stored in the configuration dir.
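Review bot: getPrivateCAPath in the third hunk looks up c.StringSlice("private-ca") twice and its comment does not begin with the function name, so it is not picked up as a doc comment. More importantly, when several --private-ca files are supplied only the first one reaches the preflight TLS check, so a host whose chain is rooted in a later CA can fail http-replicated-app / http-proxy-replicated-com even though the install itself would trust it; the function should at least make that visible, for example with a log line naming the ignored paths via whatever logger this file already uses (not visible in the hunk). The second hunk also copies NoProxy and ProvidedNoProxy onto data, which the host-preflight template in this commit never references, so either the template should consume them or the assignment is dead for now. RunHostPreflights starts and ends outside the hunks shown.
```go
// getPrivateCAPath returns the first --private-ca path, or "" when none was given.
// Only one CA is passed to the host preflight TLS check for now: troubleshoot needs a
// refactor before multiple CAs can be supported, so any further paths are not checked.
func getPrivateCAPath(c *cli.Context) string {
	cas := c.StringSlice("private-ca")
	if len(cas) == 0 {
		return ""
	}
	return cas[0]
}
```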
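--- a/pkg/preflights/host-preflight.yaml
+++ b/pkg/preflights/host-preflight.yaml
@@ -43,12 +43,18 @@ spec:
 get:
 url: '{{ .ReplicatedAPIURL }}'
 timeout: 5s
+tls:
+cacert: '{{ .PrivateCA }}'
+proxy: '{{ .HTTPSProxy }}'
 exclude: '{{ or .IsAirgap (eq .ReplicatedAPIURL "") }}'
 - http:
 collectorName: http-proxy-replicated-com
 get:
 url: '{{ .ProxyRegistryURL }}/v2/'
 timeout: 5s
+tls:
+cacert: '{{ .PrivateCA }}'
+proxy: '{{ .HTTPSProxy }}'
 exclude: '{{ or .IsAirgap (eq .ProxyRegistryURL "") }}'
 - run:
 collectorName: resolv.conf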
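Review bot: Both new tls blocks pass only `proxy: '{{ .HTTPSProxy }}'`; NoProxy and ProvidedNoProxy are populated on the template data in this commit but never referenced here, so as far as this template shows a Replicated API or proxy-registry host that is on the no-proxy list would still be checked through the proxy and could fail where the real install would not. Whether the troubleshoot http collector has a matching no-proxy field is not visible in this diff and should be confirmed before relying on these collectors as a MITM-proxy signal. A template comment would also help the next reader: `# cacert renders as '' when no --private-ca was given; confirm troubleshoot then falls back to the system trust store rather than failing the check`. The surrounding collector list starts and ends outside the hunk.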
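--- a/pkg/preflights/template.go
+++ b/pkg/preflights/template.go
@@ -28,6 +28,11 @@ type TemplateData struct {
 ServiceCIDR CIDRData
 PodCIDR CIDRData
 GlobalCIDR CIDRData
+PrivateCA string
+HTTPProxy string
+HTTPSProxy string
+ProvidedNoProxy string
+NoProxy string
 }
 
 // WithCIDRData sets the respective CIDR properties in the TemplateData struct based on the provided CIDR strings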
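Review bot: The five new exported fields on TemplateData carry no comments, and PrivateCA in particular is misleading without one because the CLI flag that feeds it is a slice while the field holds a single path. Suggested field comments: `// PrivateCA is the path of the first --private-ca file, or "" when none was given; only one CA is forwarded to the preflight TLS check for now.`, `// HTTPSProxy is the proxy URL used by the host preflight http collectors.`, and for HTTPProxy, ProvidedNoProxy and NoProxy a note that they are carried on the struct for templates to use but are not yet referenced by host-preflight.yaml. The TemplateData type starts outside the hunk.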
