Merge pull request #1071 from fluxcd/fix-flux2-5677

matheuscscp · web-flow · commit d6af17e6f40b · 2026-01-13T16:47:17.000Z
auth: remove cluster host matching requirement
diff --git a/auth/aws/provider.go b/auth/aws/provider.go
@@ -345,24 +345,10 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 			return nil, fmt.Errorf("failed to describe EKS cluster '%s': %w", cluster, err)
 		}
 
-		// Compare specified address and address from the cluster resource.
-		endpoint := *clusterResource.Cluster.Endpoint
-		if host != "" {
-			canonicalAddress, err := auth.ParseClusterAddress(host)
-			if err != nil {
-				return nil, fmt.Errorf("failed to parse specified cluster address '%s': %w", host, err)
-			}
-			canonicalEndpoint, err := auth.ParseClusterAddress(endpoint)
-			if err != nil {
-				return nil, fmt.Errorf("failed to parse EKS endpoint '%s': %w", endpoint, err)
-			}
-			if canonicalAddress != canonicalEndpoint {
-				return nil, fmt.Errorf("EKS endpoint '%s' does not match specified address: '%s'", endpoint, host)
-			}
-		}
-
 		// Update host and CA with cluster details.
-		host = endpoint
+		if host == "" {
+			host = *clusterResource.Cluster.Endpoint
+		}
 		if len(caData) == 0 {
 			caData, err = base64.StdEncoding.DecodeString(*clusterResource.Cluster.CertificateAuthority.Data)
 			if err != nil {
diff --git a/auth/aws/provider_test.go b/auth/aws/provider_test.go
@@ -421,10 +421,9 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 			err:            `invalid EKS cluster ARN: ''. must match ^arn:aws[\w-]*:eks:([^:]{1,100}):[0-9]{1,30}:cluster/(.{1,200})$`,
 		},
 		{
-			name:           "cluster address mismatch",
+			name:           "valid EKS cluster with address override",
 			cluster:        "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
 			clusterAddress: "https://different-endpoint.eks.amazonaws.com:443",
-			err:            "EKS endpoint 'https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com' does not match specified address: 'https://different-endpoint.eks.amazonaws.com:443'",
 		},
 		{
 			name:        "valid EKS cluster with custom STS endpoint",
@@ -486,7 +485,11 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 			if tt.err == "" {
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(restConfig).NotTo(BeNil())
-				g.Expect(restConfig.Host).To(Equal("https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com"))
+				expectedHost := "https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com"
+				if tt.clusterAddress != "" {
+					expectedHost = tt.clusterAddress
+				}
+				g.Expect(restConfig.Host).To(Equal(expectedHost))
 				g.Expect(restConfig.BearerToken).To(Equal("k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZWFzdC0xLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTY"))
 				g.Expect(restConfig.CAData).To(Equal([]byte("-----BEGIN CERTIFICATE-----")))
 				g.Expect(restConfig.ExpiresAt).To(BeTemporally(">", time.Now().Add(14*time.Minute)))
diff --git a/auth/azure/provider.go b/auth/azure/provider.go
@@ -365,12 +365,14 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 			if canonicalHost == "" {
 				return nil, fmt.Errorf("no kubeconfig found for AKS cluster %s", cluster)
 			}
-			return nil, fmt.Errorf("AKS cluster %s does not match specified address '%s'. cluster addresses: [%s]",
+			return nil, fmt.Errorf("no kubeconfig found for AKS cluster %s matching the specified address '%s'. cluster addresses: [%s]",
 				cluster, o.ClusterAddress, strings.Join(addresses, ", "))
 		}
 
 		// Update host and CA with cluster details.
-		host = restConfig.Host
+		if host == "" {
+			host = restConfig.Host
+		}
 		if len(caData) == 0 {
 			caData = restConfig.CAData
 		}
diff --git a/auth/azure/provider_test.go b/auth/azure/provider_test.go
@@ -476,6 +476,24 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:           "valid AKS cluster with address override",
+			cluster:        "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			clusterAddress: "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io", // without :443, should still match and be preserved
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
 		{
 			name:    "valid AKS cluster with CA",
 			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
@@ -525,7 +543,7 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
 				},
 			},
-			err: "AKS cluster /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster does not match specified address 'https://different-cluster.hcp.eastus.azmk8s.io:443'. cluster addresses: ['https://test-cluster-12345678.hcp.eastus.azmk8s.io:443']",
+			err: "no kubeconfig found for AKS cluster /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster matching the specified address 'https://different-cluster.hcp.eastus.azmk8s.io:443'. cluster addresses: ['https://test-cluster-12345678.hcp.eastus.azmk8s.io:443']",
 		},
 		{
 			name:    "cluster without AAD integration",
diff --git a/auth/gcp/provider.go b/auth/gcp/provider.go
@@ -243,24 +243,10 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 			return nil, fmt.Errorf("failed to describe GKE cluster '%s': %w", cluster, err)
 		}
 
-		// Compare specified address and address from the cluster resource.
-		endpoint := clusterResource.Endpoint
-		if host != "" {
-			canonicalAddress, err := auth.ParseClusterAddress(host)
-			if err != nil {
-				return nil, fmt.Errorf("failed to parse specified cluster address '%s': %w", host, err)
-			}
-			canonicalEndpoint, err := auth.ParseClusterAddress(endpoint)
-			if err != nil {
-				return nil, fmt.Errorf("failed to parse GKE endpoint '%s': %w", endpoint, err)
-			}
-			if canonicalAddress != canonicalEndpoint {
-				return nil, fmt.Errorf("GKE endpoint '%s' does not match specified address: '%s'", endpoint, host)
-			}
-		}
-
 		// Update host and CA with cluster details.
-		host = endpoint
+		if host == "" {
+			host = clusterResource.Endpoint
+		}
 		if len(caData) == 0 {
 			caData, err = base64.StdEncoding.DecodeString(clusterResource.MasterAuth.ClusterCaCertificate)
 			if err != nil {
diff --git a/auth/gcp/provider_test.go b/auth/gcp/provider_test.go
@@ -371,14 +371,13 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 			endpoint:       "https://203.0.113.10",
 		},
 		{
-			name:           "cluster address mismatch",
+			name:           "valid GKE cluster with address override",
 			cluster:        "projects/test-project/locations/us-central1/clusters/test-cluster",
 			clusterAddress: "https://198.51.100.10:443",
 			masterAuth: &container.MasterAuth{
 				ClusterCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t",
 			},
 			endpoint: "https://203.0.113.10",
-			err:      "GKE endpoint 'https://203.0.113.10' does not match specified address: 'https://198.51.100.10:443'",
 		},
 		{
 			name:    "invalid cluster ID",
@@ -427,7 +426,11 @@ func TestProvider_NewRESTConfig(t *testing.T) {
 			if tt.err == "" {
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(restConfig).NotTo(BeNil())
-				g.Expect(restConfig.Host).To(Equal(tt.endpoint))
+				expectedHost := tt.endpoint
+				if tt.clusterAddress != "" {
+					expectedHost = tt.clusterAddress
+				}
+				g.Expect(restConfig.Host).To(Equal(expectedHost))
 				g.Expect(restConfig.BearerToken).To(Equal("access-token"))
 				g.Expect(restConfig.CAData).To(Equal([]byte("-----BEGIN CERTIFICATE-----")))
 				g.Expect(restConfig.ExpiresAt).To(Equal(tokenExpiry))

Original file line number	Diff line number	Diff line change
`@@ -365,12 +365,14 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,`
`365`	`365`	`if canonicalHost == "" {`
`366`	`366`	`return nil, fmt.Errorf("no kubeconfig found for AKS cluster %s", cluster)`
`367`	`367`	`}`
`368`		`- return nil, fmt.Errorf("AKS cluster %s does not match specified address '%s'. cluster addresses: [%s]",`
	`368`	`+ return nil, fmt.Errorf("no kubeconfig found for AKS cluster %s matching the specified address '%s'. cluster addresses: [%s]",`
`369`	`369`	`cluster, o.ClusterAddress, strings.Join(addresses, ", "))`
`370`	`370`	`}`
`371`	`371`
`372`	`372`	`// Update host and CA with cluster details.`
`373`		`- host = restConfig.Host`
	`373`	`+ if host == "" {`
	`374`	`+ host = restConfig.Host`
	`375`	`+ }`
`374`	`376`	`if len(caData) == 0 {`
`375`	`377`	`caData = restConfig.CAData`
`376`	`378`	`}`