filter_kubernetes: Provide for restoring behavior option for kublet TLS

cosmo0920 · AndrewChubatiuk · commit 687df5c2a357 · 2024-09-24T15:41:26.000+03:00
Signed-off-by: Hiroshi Hatake &lt;hiroshi@chronosphere.io&gt;
diff --git a/plugins/filter_kubernetes/kube_conf.h b/plugins/filter_kubernetes/kube_conf.h
@@ -80,6 +80,7 @@ struct flb_kube {
     int dummy_meta;
     int tls_debug;
     int tls_verify;
+    int tls_verify_hostname;
     int kube_token_ttl;
     flb_sds_t meta_preload_cache_dir;
 
diff --git a/plugins/filter_kubernetes/kube_meta.c b/plugins/filter_kubernetes/kube_meta.c
@@ -1681,6 +1681,7 @@ static int wait_for_dns(struct flb_kube *ctx)
 
 static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *config)
 {
+    int ret;
     int io_type = FLB_IO_TCP;
     int api_https = FLB_TRUE;
     ctx->kubelet_upstream = NULL;    
@@ -1709,6 +1710,14 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con
             return -1;
         }
 
+        if (ctx->tls_verify_hostname == FLB_TRUE) {
+            ret = flb_tls_set_verify_hostname(ctx->kubelet_tls, ctx->tls_verify_hostname);
+            if (ret == -1) {
+                flb_plg_debug(ctx->ins, "kubelet network tls set up failed for hostname verification");
+                return -1;
+            }
+        }
+
         io_type = FLB_IO_TLS;
     }
 
@@ -1726,12 +1735,13 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con
 
     /* Remove async flag from upstream */
     flb_stream_disable_async_mode(&ctx->kubelet_upstream->base);
-    
+
     return 0;
 }
 
 static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config)
 {
+    int ret;
     int io_type = FLB_IO_TCP;
     int kubelet_network_init_ret = 0;
 
@@ -1753,6 +1763,14 @@ static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config
             return -1;
         }
 
+        if (ctx->tls_verify_hostname == FLB_TRUE) {
+            ret = flb_tls_set_verify_hostname(ctx->tls, ctx->tls_verify_hostname);
+            if (ret == -1) {
+                flb_plg_debug(ctx->ins, "network tls set up failed for hostname verification");
+                return -1;
+            }
+        }
+
         io_type = FLB_IO_TLS;
     }
 
diff --git a/plugins/filter_kubernetes/kubernetes.c b/plugins/filter_kubernetes/kubernetes.c
@@ -800,6 +800,13 @@ static struct flb_config_map config_map[] = {
      "set optional TLS virtual host"
     },
 
+    /* TLS: set tls.hostame_verification feature */
+    {
+     FLB_CONFIG_MAP_BOOL, "tls.verify_hostname", "off",
+     0, FLB_TRUE, offsetof(struct flb_kube, tls_verify_hostname),
+     "enable or disable to verify hostname"
+    },
+
     /* Merge structured record as independent keys */
     {
      FLB_CONFIG_MAP_BOOL, "merge_log", "false",
