From e223ee7367b0ea9869b6cd2ccfe3057c60d02627 Mon Sep 17 00:00:00 2001
From: Carlo Lobrano
Date: Fri, 13 Oct 2023 17:13:35 +0200
Subject: [PATCH] Provide TLS Certificate to kubelet service status request
This change enhances the security of the kubelet service request in the control plane manager by providing a TLS certificate when making the request.
- Provide a CertStorageReader to the Manager
- Re-use PrepareCredentials function from certificates package to create the proper certificates
- Change TLSConfig providing Certificates and setting InsecureSkipVerify to false
see https://issues.redhat.com/browse/ECOPROJECT-1421
Signed-off-by: Carlo Lobrano
---
 main.go | 2 +-
 pkg/certificates/credentials.go | 6 +++---
 pkg/controlplane/manager.go | 14 +++++++++++---
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/main.go b/main.go
index 664bf160..93345c22 100644
--- a/main.go
+++ b/main.go
@@ -311,7 +311,7 @@ func initSelfNodeRemediationAgent(mgr manager.Manager) {
 MaxTimeForNoPeersResponse: reboot.MaxTimeForNoPeersResponse,
 }
- controlPlaneManager := controlplane.NewManager(myNodeName, mgr.GetClient())
+ controlPlaneManager := controlplane.NewManager(myNodeName, mgr.GetClient(), certReader)
 if err = mgr.Add(controlPlaneManager); err != nil {
 setupLog.Error(err, "failed to add controlPlane remediation manager to setup manager")
diff --git a/pkg/certificates/credentials.go b/pkg/certificates/credentials.go
index c7ebc946..b92ad2a5 100644
--- a/pkg/certificates/credentials.go
+++ b/pkg/certificates/credentials.go
@@ -12,7 +12,7 @@ const TLSMinVersion = tls.VersionTLS13
 func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
- keyPair, pool, err := prepareCredentials(certReader)
+ keyPair, pool, err := PrepareCredentials(certReader)
 if err != nil {
 return nil, err
 }
@@ -27,7 +27,7 @@ func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
- keyPair, pool, err := prepareCredentials(certReader)
+ keyPair, pool, err := PrepareCredentials(certReader)
 if err != nil {
 return nil, err
 }
@@ -40,7 +40,7 @@ func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 }), nil
 }
-func prepareCredentials(certReader CertStorageReader) (*tls.Certificate, *x509.CertPool, error) {
+func PrepareCredentials(certReader CertStorageReader) (*tls.Certificate, *x509.CertPool, error) {
 caPem, certPem, keyPem, err := certReader.GetCerts()
 if err != nil {
 return nil, nil, err
diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
index b1084eab..7726a8f1 100644
--- a/pkg/controlplane/manager.go
+++ b/pkg/controlplane/manager.go
@@ -33,16 +33,18 @@ type Manager struct {
 wasEndpointAccessibleAtStart bool
 client client.Client
 log logr.Logger
+ certReader certificates.CertStorageReader
 }
 // NewManager inits a new Manager return nil if init fails
-func NewManager(nodeName string, myClient client.Client) *Manager {
+func NewManager(nodeName string, myClient client.Client, certReader *certificates.SecretCertStorage) *Manager {
 return &Manager{
 nodeName: nodeName,
 endpointHealthCheckUrl: os.Getenv("END_POINT_HEALTH_CHECK_URL"),
 client: myClient,
 wasEndpointAccessibleAtStart: false,
 log: ctrl.Log.WithName("controlPlane").WithName("Manager"),
+ certReader: certReader,
 }
 }
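Review bot: `PrepareCredentials` becomes exported in the `@@ -40,7` hunk of credentials.go but carries no doc comment, which `staticcheck` will flag and which leaves callers in other packages guessing what the returned pool is for. A comment such as `// PrepareCredentials reads the CA, certificate and key PEM from certReader and returns the parsed key pair and a CA pool; any read or parse error is returned to the caller.` would cover it. The body of the function continues past the end of the hunk, so the exact pool contents should be checked against it before settling on the wording.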
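Review bot: In the manager.go hunk the new `NewManager` parameter is typed as the concrete `*certificates.SecretCertStorage` while the field it is stored in is the `certificates.CertStorageReader` interface; a nil pointer passed here becomes a non-nil interface value, so `PrepareCredentials` would likely call `GetCerts()` on a nil receiver instead of seeing an absent reader. Accepting the interface removes that trap and lets tests inject a fake reader: `func NewManager(nodeName string, myClient client.Client, certReader certificates.CertStorageReader) *Manager {`. The doc comment above the constructor was not updated and could mention that the reader is required for the kubelet TLS check.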
@@ -149,15 +151,21 @@ func (manager *Manager) isEndpointAccessible() bool {
 }
 func (manager *Manager) isKubeletServiceRunning() bool {
- url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
+ keyPair, _, err := certificates.PrepareCredentials(manager.certReader)
+ if err != nil {
+ manager.log.Error(err, "failed to prepare credentials", "node name", manager.nodeName)
+ return false
+ }
 tr := &http.Transport{
 TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
+ Certificates: []tls.Certificate{*keyPair},
+ InsecureSkipVerify: false,
 MinVersion: certificates.TLSMinVersion,
 },
 }
 httpClient := &http.Client{Transport: tr}
+ url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
 req, err := http.NewRequest("GET", url, nil)
 if err != nil {
 manager.log.Error(err, "failed to create a kubelet service request", "node name", manager.nodeName)
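Review bot: Setting `InsecureSkipVerify: false` without a `RootCAs` means the kubelet's serving certificate is now verified against the host's system root store, while the CA pool that `PrepareCredentials` returns is discarded into `_` on the first added line; unless the kubelet serving CA happens to be in the system store, the handshake fails and this function reports the kubelet as not running. If the project's CA is the one expected to have signed the kubelet certificate, keep the pool and pass it: `keyPair, pool, err := certificates.PrepareCredentials(manager.certReader)` and `RootCAs: pool,` next to `Certificates`; otherwise the kubelet-serving CA needs to be loaded explicitly. Hostname verification will also require `manager.nodeName` to match a SAN on the kubelet certificate, which is worth confirming for the clusters this targets. Presenting the client certificate only authenticates the request if the kubelet trusts its issuer through its client CA, which cannot be seen here. isKubeletServiceRunning continues past the end of the hunk, so how a TLS error from the request is handled is not visible in this diff.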