Allow white-spaced CABundle during webhook client creation and validation (#132514)

tiffanny29631 · k8s-publishing-bot · commit 6f8ce15561bd · 2025-07-25T03:19:25.000Z
* apiextensions: Treat whitespace-only caBundle as empty for webhook client config and validation

- Updates webhookClientConfigForCRD to treat caBundle values containing only whitespace as empty, ensuring system trust roots are used in this case.
- Updates ValidateCABundle to treat whitespace-only caBundle as valid, consistent with empty or nil values.
- Adds/updates unit tests to verify that whitespace-only caBundle is handled equivalently to empty or nil.
- Ensures consistent and user-friendly handling of caBundle across CRD conversion webhook configuration and validation.

* Revert validation logic

* Add integration test for webhook bypass

* Fix linting

Kubernetes-commit: a652896307ce8dd1412483ed18e61d6dd2ad36da
diff --git a/go.mod b/go.mod
@@ -26,10 +26,10 @@ require (
 	google.golang.org/grpc v1.72.1
 	google.golang.org/protobuf v1.36.5
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
-	k8s.io/api v0.0.0-20250724224534-f2279712f874
+	k8s.io/api v0.0.0-20250725024534-53dd5462e729
 	k8s.io/apimachinery v0.0.0-20250724224258-50e39b11cd32
 	k8s.io/apiserver v0.0.0-20250724230616-e08cc1978f1b
-	k8s.io/client-go v0.0.0-20250724224906-d4f2d5b8ccf7
+	k8s.io/client-go v0.0.0-20250725024915-bce2be2f20f3
 	k8s.io/code-generator v0.0.0-20250724225710-fe7d3af27d90
 	k8s.io/component-base v0.0.0-20250724225857-f959b0363667
 	k8s.io/klog/v2 v2.130.1
diff --git a/go.sum b/go.sum
@@ -291,14 +291,14 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20250724224534-f2279712f874 h1:AzVs/5TvK2r0BSsV33dVm4FLPgJEUybkjfLrEmiA7Ss=
-k8s.io/api v0.0.0-20250724224534-f2279712f874/go.mod h1:h7pQu2oCQ3ccFA95Gaxuu7JO+0gHm6uxdKA4dLNL3Y8=
+k8s.io/api v0.0.0-20250725024534-53dd5462e729 h1:raeWWJ+/+yxrpn2KAvZgxic537l2Ejpa8nnLaCO7+7Y=
+k8s.io/api v0.0.0-20250725024534-53dd5462e729/go.mod h1:h7pQu2oCQ3ccFA95Gaxuu7JO+0gHm6uxdKA4dLNL3Y8=
 k8s.io/apimachinery v0.0.0-20250724224258-50e39b11cd32 h1:XbDM37tJSNp0ga7QZkizY+qxKJEA0DFe+nqssKruths=
 k8s.io/apimachinery v0.0.0-20250724224258-50e39b11cd32/go.mod h1:mjSAX6740hY31nMwwbFVIcjVaXzV46iZzqDA+UfugZ8=
 k8s.io/apiserver v0.0.0-20250724230616-e08cc1978f1b h1:Q295T9ri9A24WwsnAmEf8k+12NVY8qhPUZjsrMqAn8E=
 k8s.io/apiserver v0.0.0-20250724230616-e08cc1978f1b/go.mod h1:td8qDjyqmlRNp/inElkMFDWBrHv+YFCYE536yMGqEno=
-k8s.io/client-go v0.0.0-20250724224906-d4f2d5b8ccf7 h1:C8WJw/YbIDqiA23gjDMRgBKsALuaO0i3iF2w574EpfU=
-k8s.io/client-go v0.0.0-20250724224906-d4f2d5b8ccf7/go.mod h1:zKs1Ap5k23bvGabDhvkL2sweYIp3KNomdmyrhOBwvzo=
+k8s.io/client-go v0.0.0-20250725024915-bce2be2f20f3 h1:FGZDzvT0js6Mp+uw3hIBjUB1MM7nZgCOSSTKHsoR1M8=
+k8s.io/client-go v0.0.0-20250725024915-bce2be2f20f3/go.mod h1:dSUbXIhtKRg5cEkqD3yeFAJ7ZZpVZw6dns/ikA9dMNE=
 k8s.io/code-generator v0.0.0-20250724225710-fe7d3af27d90 h1:l7oUGTSxEKfrSHv7eYupe8wGxvf3AQ3Xy63LWqlBFB0=
 k8s.io/code-generator v0.0.0-20250724225710-fe7d3af27d90/go.mod h1:9aIDufE+Ylxl6SGZilgTysYdMp/GoFcHLAF/c8gE2uQ=
 k8s.io/component-base v0.0.0-20250724225857-f959b0363667 h1:pvV8NZOWqqWnHImbEtFPHt7aFoftkCKdq4X51FyljYQ=
diff --git a/pkg/apiserver/conversion/webhook_converter.go b/pkg/apiserver/conversion/webhook_converter.go
@@ -17,6 +17,7 @@ limitations under the License.
 package conversion
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -76,9 +77,14 @@ type webhookConverter struct {
 
 func webhookClientConfigForCRD(crd *v1.CustomResourceDefinition) *webhook.ClientConfig {
 	apiConfig := crd.Spec.Conversion.Webhook.ClientConfig
+	caBundle := apiConfig.CABundle
+	if len(caBundle) > 0 && len(bytes.TrimSpace(caBundle)) == 0 {
+		// treat whitespace-only caBundle as empty
+		caBundle = nil
+	}
 	ret := webhook.ClientConfig{
 		Name:     fmt.Sprintf("conversion_webhook_for_%s", crd.Name),
-		CABundle: apiConfig.CABundle,
+		CABundle: caBundle,
 	}
 	if apiConfig.URL != nil {
 		ret.URL = *apiConfig.URL
diff --git a/test/integration/conversion/conversion_test.go b/test/integration/conversion/conversion_test.go
@@ -981,7 +981,6 @@ func (c *conversionTestContext) setConversionWebhook(t *testing.T, webhookClient
 		t.Fatal(err)
 	}
 	c.crd = crd
-
 }
 
 func (c *conversionTestContext) removeConversionWebhook(t *testing.T) {
@@ -1337,3 +1336,102 @@ func jsonPtr(x interface{}) *apiextensionsv1.JSON {
 	ret := apiextensionsv1.JSON{Raw: bs}
 	return &ret
 }
+
+func TestWebhookConversion_WhitespaceCABundleEtcdBypass(t *testing.T) {
+	// Setup server and clients
+	tearDown, config, options, err := fixtures.StartDefaultServer(t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	apiExtensionsClient, err := clientset.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	crd := multiVersionFixture.DeepCopy()
+
+	RESTOptionsGetter := serveroptions.NewCRDRESTOptionsGetter(*options.RecommendedOptions.Etcd, nil, nil)
+	restOptions, err := RESTOptionsGetter.GetRESTOptions(schema.GroupResource{Group: crd.Spec.Group, Resource: crd.Spec.Names.Plural}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	etcdClient, _, err := storage.GetEtcdClients(restOptions.StorageConfig.Transport)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = etcdClient.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+	}()
+	etcdObjectReader := storage.NewEtcdObjectReader(etcdClient, &restOptions, crd)
+
+	ctcTearDown, ctc := newConversionTestContext(t, apiExtensionsClient, dynamicClient, etcdObjectReader, crd)
+	defer ctcTearDown()
+
+	ns := "whitespace-cabundle"
+	version := "v1beta1"
+	client := ctc.versionedClient(ns, version)
+
+	// Create a CR instance
+	name := "test"
+	obj, err := client.Create(context.TODO(), newConversionMultiVersionFixture(ns, name, version), metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("failed to create CR instance: %v", err)
+	}
+	verifyMultiVersionObject(t, "v1beta1", obj)
+
+	// Set up webhook conversion
+	tearDown, webhookClientConfig, err := StartConversionWebhookServer(NewObjectConverterWebhookHandler(t, noopConverter))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	crd.Spec.Conversion = &apiextensionsv1.CustomResourceConversion{
+		Strategy: apiextensionsv1.WebhookConverter,
+		Webhook: &apiextensionsv1.WebhookConversion{
+			ClientConfig:             webhookClientConfig,
+			ConversionReviewVersions: []string{"v1beta1"},
+		},
+	}
+	crd.TypeMeta = metav1.TypeMeta{
+		APIVersion: "apiextensions.k8s.io/v1",
+		Kind:       "CustomResourceDefinition",
+	}
+
+	// Fetch the latest CRD from the API server to get the current resourceVersion
+	crdFromAPI, err := ctc.apiExtensionsClient.ApiextensionsV1().CustomResourceDefinitions().Get(
+		context.TODO(), crd.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	crd.ResourceVersion = crdFromAPI.ResourceVersion
+	_, err = ctc.apiExtensionsClient.ApiextensionsV1().CustomResourceDefinitions().Update(
+		context.TODO(), crd, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Replace the CABundle with empty spaces
+	crd.Spec.Conversion.Webhook.ClientConfig.CABundle = []byte("    \n\t   ")
+	err = etcdObjectReader.SetStoredCustomResourceDefinition(crd.Name, crd)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Try to read the CR instance (should succeed, as no conversion is needed)
+	obj, err = ctc.etcdObjectReader.GetStoredCustomResource(ns, name)
+	if err != nil {
+		t.Fatal(err)
+	}
+	verifyMultiVersionObject(t, "v1beta1", obj)
+
+}
diff --git a/test/integration/storage/objectreader.go b/test/integration/storage/objectreader.go
@@ -128,3 +128,16 @@ func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, cl
 
 	return c, clientv3.NewKV(c), nil
 }
+
+// SetStoredCustomResourceDefinition writes the storage representation of a CRD to etcd.
+func (s *EtcdObjectReader) SetStoredCustomResourceDefinition(name string, crd *apiextensionsv1.CustomResourceDefinition) error {
+	bs, err := json.Marshal(crd)
+	if err != nil {
+		return err
+	}
+	key := path.Join("/", s.storagePrefix, "apiextensions.k8s.io", "customresourcedefinitions", name)
+	if _, err := s.etcdClient.Put(context.Background(), key, string(bs)); err != nil {
+		return fmt.Errorf("error setting CRD %s in etcd at key %s: %w", name, key, err)
+	}
+	return nil
+}
