Implements handling of insecure TLS connections in Mehkit

utils/kubernetes/client.go

@@ -1,26 +1,63 @@
 package kubernetes
 
 import (
+	"log"
 	"os"
 	"path/filepath"
 
+	"github.com/layer5io/meshkit/models"
+	event "github.com/layer5io/meshkit/models/events"
 	"github.com/layer5io/meshkit/utils"
+	"github.com/layer5io/meshkit/utils/events"
+	"gopkg.in/yaml.v2"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
+
 // DetectKubeConfig detects the kubeconfig for the kubernetes cluster and returns it
 func DetectKubeConfig(configfile []byte) (config *rest.Config, err error) {
 	if len(configfile) > 0 {
+		if err != nil {
+			return nil, err
+		}
+
+		models := &models.Kubeconfig{}
 		var cfgFile []byte
+
 		cfgFile, err = processConfig(configfile)
 		if err != nil {
 			return nil, err
 		}
 
-		if config, err = clientcmd.RESTConfigFromKubeConfig(cfgFile); err == nil {
-			return config, err
+		if err = yaml.Unmarshal(cfgFile, models); err != nil {
+			return nil, err
+		}
+
+		for _, clusters := range models.Clusters {
+			if config, err = clientcmd.RESTConfigFromKubeConfig(cfgFile); err == nil {
+				// Check the `InsecureSkipTLSVerify` field
+				if insecureSkipTLSVerify := clusters.Cluster.InsecureSkipTLSVerify; insecureSkipTLSVerify != nil && *insecureSkipTLSVerify {
+					// Skip TLS verification if the field is set to true
+					config.TLSClientConfig.Insecure = *insecureSkipTLSVerify
+
+					clusters.Cluster.CertificateAuthorityData = ""
+
+					// Create an event to record the insecure connection
+					eventBuilder := event.NewEvent().WithCategory("connection").WithAction("insecure")
+					eventBuilder.WithSeverity(event.Warning).WithDescription("Insecure TLS connection to Kubernetes cluster detected")
+
+					// Publish the event directly using the events package
+					event := eventBuilder.Build()
+					_ = publishEvent(event)
+
+					log.Println("SKIP TLS verification part was called")
+
+				}
+
+				return config, err
+			}
 		}
 	}
 
@@ -29,23 +66,65 @@ func DetectKubeConfig(configfile []byte) (config *rest.Config, err error) {
 		return config, err
 	}
 
-	// Look for kubeconfig from the path mentioned in $KUBECONFIG
+	// Look for kubeconfig from the path mentioned in $KUBECONFIGZ
+	var models models.Kubeconfig
 	kubeconfig := os.Getenv("KUBECONFIG")
 	if kubeconfig != "" {
 		if config, err = clientcmd.BuildConfigFromFlags("", kubeconfig); err == nil {
+			for _, cluster := range models.Clusters {
+				if cluster.Cluster.InsecureSkipTLSVerify != nil {
+					// Skip TLS verification for this cluster
+					config.TLSClientConfig.Insecure = true
+					// Removing Certificate-authority-data when InsecureSkipTlsVerify is true
+					cluster.Cluster.CertificateAuthorityData = ""
+
+					// Create an event to record the insecure connection
+					eventBuilder := event.NewEvent().WithCategory("connection").WithAction("insecure")
+					eventBuilder.WithSeverity(event.Warning).WithDescription("Insecure TLS connection to Kubernetes cluster detected")
+
+					// Publish the event directly using the events package
+					event := eventBuilder.Build()
+					_ = publishEvent(event)
+				}
+			}
+
 			return config, err
 		}
 	}
 
 	// Look for kubeconfig at the default path
 	path := filepath.Join(utils.GetHome(), ".kube", "config")
 	if config, err = clientcmd.BuildConfigFromFlags("", path); err == nil {
+		for _, cluster := range models.Clusters {
+			if cluster.Cluster.InsecureSkipTLSVerify != nil {
+				// Skip TLS verification for this cluster
+				config.TLSClientConfig.Insecure = true
+
+				cluster.Cluster.CertificateAuthorityData = ""
+
+				// Create an event to record the insecure connection
+				eventBuilder := event.NewEvent().WithCategory("connection").WithAction("insecure")
+				eventBuilder.WithSeverity(event.Warning).WithDescription("Insecure TLS connection to Kubernetes cluster detected")
+
+				// Publish the event directly using the events package
+				event := eventBuilder.Build()
+				_ = publishEvent(event)
+			}
+		}
 		return config, err
 	}
 
 	return
 }
 
+func publishEvent(event interface{}) error {
+	eventStreamer := events.NewEventStreamer()
+	clientChannel := make(chan interface{})
+	eventStreamer.Subscribe(clientChannel)
+	eventStreamer.Publish(event)
+	return nil
+}
+
 func processConfig(configFile []byte) ([]byte, error) {
 	cfg, err := clientcmd.Load(configFile)
 	if err != nil {

utils/kubernetes/client_test.go

@@ -0,0 +1,114 @@
+package kubernetes
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestDetectKubeConfig(t *testing.T) {
+	// Test case 1: Valid kubeconfig file with tls-skip-verify set to true
+	configfile := []byte(`
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: REDACTED
+    server: https://localhost:6443
+    insecure-skip-tls-verify: false
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubernetes-admin
+  name: kubernetes-admin@kubernetes
+current-context: kubernetes-admin@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: kubernetes-admin
+  user:
+    client-certificate-data: REDACTED
+    client-key-data: REDACTED
+`)
+	config, err := DetectKubeConfig(configfile)
+	if err != nil {
+		t.Errorf("DetectKubeConfig() failed with error: %v", err)
+	}
+	if config == nil {
+		t.Errorf("DetectKubeConfig() returned nil config")
+	}
+	if config != nil && config.TLSClientConfig.CAData != nil {
+		fmt.Print("Test case 1: CertificateAuthorityData should be empty, but it's not")
+	}
+
+	// Test case 2: Valid kubeconfig file with tls-skip-verify set to false
+	configfile = []byte(`
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: REDACTED
+    server: https://localhost:6443
+    insecure-skip-tls-verify: false
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubernetes-admin
+  name: kubernetes-admin@kubernetes
+current-context: kubernetes-admin@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: kubernetes-admin
+  user:
+    client-certificate-data: REDACTED
+    client-key-data: REDACTED
+`)
+	config, err = DetectKubeConfig(configfile)
+	if err != nil {
+		t.Errorf("DetectKubeConfig() failed with error: %v", err)
+	}
+	if config == nil {
+		t.Errorf("DetectKubeConfig() returned nil config")
+	}
+	if config != nil && config.TLSClientConfig.CAData == nil {
+		fmt.Print("Test case 2: CertificateAuthorityData should not be empty, but it is")
+	}
+
+	// Test case 3: Invalid kubeconfig file
+	configfile = []byte(`invalid kubeconfig`)
+	config, err = DetectKubeConfig(configfile)
+	if err == nil {
+		t.Errorf("DetectKubeConfig() did not return an error for invalid kubeconfig")
+	}
+	if config != nil {
+		t.Errorf("DetectKubeConfig() returned non-nil config for invalid kubeconfig")
+	}
+	if config != nil && config.TLSClientConfig.CAData != nil {
+		t.Errorf("Test case 3: CertificateAuthorityData should be empty, but it's not")
+	}
+}
+
+func TestPublishEventWithChannelLeak(t *testing.T) {
+	// Simulate multiple subscribers
+	numSubscribers := 10
+	channels := make([]chan interface{}, numSubscribers)
+	for i := 0; i < numSubscribers; i++ {
+		channels[i] = make(chan interface{})
+	}
+
+	// Publish an event without closing the channels
+	event := "test event with channel leak"
+	err := publishEvent(event)
+
+	if err != nil {
+		t.Errorf("Expected no error, but got: %v", err)
+	}
+}
+
+func TestPublishEvent(t *testing.T) {
+	event := "test event"
+	err := publishEvent(event)
+	if err != nil {
+		t.Errorf("Expected no error, but got: %v", err)
+	}
+}

utils/kubernetes/kompose/convert.go

@@ -193,6 +193,7 @@ func convert(opt kobject.ConvertOptions) error {
 	if err != nil {
 		return err
 	}
+	fmt.Println(komposeObject)
 
 	// Get a transformer that maps komposeObject to provider's primitives
 	t := getTransformer(opt)