Provide TLS Certificate to kubelet service status request

This change enhances the security of the kubelet service request in the
control plane manager by providing a TLS certificate when making the
request.

- Provide a CertStorageReader to the Manager
- Re-use PrepareCredentials function from certificates package to create
  the proper certificates
- Change TLSConfig providing Certificates and setting InsecureSkipVerify
  to false

see https://issues.redhat.com/browse/ECOPROJECT-1421

Signed-off-by: Carlo Lobrano <[email protected]>

main.go

@@ -311,7 +311,7 @@ func initSelfNodeRemediationAgent(mgr manager.Manager) {
 		MaxTimeForNoPeersResponse: reboot.MaxTimeForNoPeersResponse,
 	}
 
-	controlPlaneManager := controlplane.NewManager(myNodeName, mgr.GetClient())
+	controlPlaneManager := controlplane.NewManager(myNodeName, mgr.GetClient(), certReader)
 
 	if err = mgr.Add(controlPlaneManager); err != nil {
 		setupLog.Error(err, "failed to add controlPlane remediation manager to setup manager")

pkg/certificates/credentials.go

@@ -12,7 +12,7 @@ const TLSMinVersion = tls.VersionTLS13
 
 func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
 
-	keyPair, pool, err := prepareCredentials(certReader)
+	keyPair, pool, err := PrepareCredentials(certReader)
 	if err != nil {
 		return nil, err
 	}
@@ -27,7 +27,7 @@ func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 
 func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
 
-	keyPair, pool, err := prepareCredentials(certReader)
+	keyPair, pool, err := PrepareCredentials(certReader)
 	if err != nil {
 		return nil, err
 	}
@@ -40,7 +40,7 @@ func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 	}), nil
 }
 
-func prepareCredentials(certReader CertStorageReader) (*tls.Certificate, *x509.CertPool, error) {
+func PrepareCredentials(certReader CertStorageReader) (*tls.Certificate, *x509.CertPool, error) {
 	caPem, certPem, keyPem, err := certReader.GetCerts()
 	if err != nil {
 		return nil, nil, err

pkg/controlplane/manager.go

@@ -33,16 +33,18 @@ type Manager struct {
 	wasEndpointAccessibleAtStart bool
 	client                       client.Client
 	log                          logr.Logger
+	certReader                   certificates.CertStorageReader
 }
 
 // NewManager inits a new Manager return nil if init fails
-func NewManager(nodeName string, myClient client.Client) *Manager {
+func NewManager(nodeName string, myClient client.Client, certReader *certificates.SecretCertStorage) *Manager {
 	return &Manager{
 		nodeName:                     nodeName,
 		endpointHealthCheckUrl:       os.Getenv("END_POINT_HEALTH_CHECK_URL"),
 		client:                       myClient,
 		wasEndpointAccessibleAtStart: false,
 		log:                          ctrl.Log.WithName("controlPlane").WithName("Manager"),
+		certReader:                   certReader,
 	}
 }
 
@@ -149,15 +151,21 @@ func (manager *Manager) isEndpointAccessible() bool {
 }
 
 func (manager *Manager) isKubeletServiceRunning() bool {
-	url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
+	keyPair, _, err := certificates.PrepareCredentials(manager.certReader)
+	if err != nil {
+		manager.log.Error(err, "failed to prepare credentials", "node name", manager.nodeName)
+		return false
+	}
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
+			Certificates:       []tls.Certificate{*keyPair},
+			InsecureSkipVerify: false,
 			MinVersion:         certificates.TLSMinVersion,
 		},
 	}
 	httpClient := &http.Client{Transport: tr}
 
+	url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		manager.log.Error(err, "failed to create a kubelet service request", "node name", manager.nodeName)