From f86415206731a2c637585f9eaafb487c6ced8ce1 Mon Sep 17 00:00:00 2001
From: Ricardo Noriega
Date: Wed, 20 Oct 2021 13:15:07 +0200
Subject: [PATCH 1/2] Enable secure API registration for OpenShift apiserver
Signed-off-by: Ricardo Noriega
---
 pkg/cmd/init.go | 2 +-
 pkg/controllers/apiservice.go | 18 +++++++++++-------
 pkg/controllers/ocp-controllers.go | 9 ---------
 3 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 680bc98dea..80908022fd 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -115,7 +115,7 @@ func initCerts(cfg *config.MicroshiftConfig) error {
 // ocp
 if err := util.GenCerts("openshift-apiserver", cfg.DataDir+"/resources/ocp-apiserver/secrets", "tls.crt", "tls.key",
- []string{"openshift-apiserver", cfg.NodeIP, "127.0.0.1", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}); err != nil {
+ []string{"openshift-apiserver", cfg.NodeIP, "openshift-apiserver.default.svc", "openshift-apiserver.default", "127.0.0.1", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}); err != nil {
 return err
 }
 if err := util.GenCerts("openshift-controller-manager", cfg.DataDir+"/resources/ocp-controller-manager/secrets",
diff --git a/pkg/controllers/apiservice.go b/pkg/controllers/apiservice.go
index 9f19ab2e09..2fb827b936 100644
--- a/pkg/controllers/apiservice.go
+++ b/pkg/controllers/apiservice.go
@@ -17,12 +17,12 @@ package controllers
 import (
 "context"
+ "io/ioutil"
 "strings"
- "github.com/sirupsen/logrus"
-
 "github.com/openshift/microshift/pkg/assets"
 "github.com/openshift/microshift/pkg/config"
+ "github.com/sirupsen/logrus"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
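Review bot: The `kubernetes.default.svc`, `kubernetes.default` and `kubernetes` SANs are still present in the new `[]string{...}` for the openshift-apiserver serving cert, so that key is valid for the kube-apiserver's own names; if it is signed by the same CA that clients trust for the kube-apiserver (the signing CA is not visible in this hunk), a compromise of this service's key would let it impersonate the kube-apiserver. Unless some component actually reaches openshift-apiserver under a `kubernetes` name, keep only the names it is dialed by: `[]string{"openshift-apiserver", "openshift-apiserver.default.svc", "openshift-apiserver.default", cfg.NodeIP, "127.0.0.1", "localhost"}`. The service SANs must stay in step with the `Name: "openshift-apiserver"`/`Namespace: "default"` service the APIService objects point at, so a comment on the line naming that dependency would help the next person who renames either. initCerts continues outside this hunk.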
@@ -119,6 +119,10 @@ func createAPIRegistration(cfg *config.MicroshiftConfig) error {
 if err != nil {
 return err
 }
+ caFile, err := ioutil.ReadFile(cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt")
+ if err != nil {
+ logrus.Errorf("Error loading CA bundle certificate: %v", err)
+ }
 client := apiregistrationclientv1.NewForConfigOrDie(rest.AddUserAgent(restConfig, "apiregistration-agent"))
 for _, apiSvc := range []string{
 "v1.apps.openshift.io",
@@ -146,11 +150,11 @@ func createAPIRegistration(cfg *config.MicroshiftConfig) error {
 Name: "openshift-apiserver",
 Namespace: "default",
 },
- Group: trimFirst(apiSvc, "."),
- GroupPriorityMinimum: 9900,
- Version: "v1",
- InsecureSkipTLSVerify: true,
- VersionPriority: 15,
+ Group: trimFirst(apiSvc, "."),
+ GroupPriorityMinimum: 9900,
+ Version: "v1",
+ CABundle: caFile,
+ VersionPriority: 15,
 },
 }
 _, err = client.APIServices().Get(context.TODO(), api.Name, metav1.GetOptions{})
diff --git a/pkg/controllers/ocp-controllers.go b/pkg/controllers/ocp-controllers.go
index 133acfe8a1..0792c96577 100644
--- a/pkg/controllers/ocp-controllers.go
+++ b/pkg/controllers/ocp-controllers.go
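Review bot: A failed `ioutil.ReadFile` of the CA bundle is only logged and `createAPIRegistration` carries on with `caFile == nil`, so every APIService is then registered with neither `CABundle` nor `InsecureSkipTLSVerify`; the aggregator has no way to verify openshift-apiserver's serving cert and the symptom will be failing proxied requests far away from this log line. Return the error instead of swallowing it: keep the `logrus.Errorf("Error loading CA bundle certificate: %v", err)` if you want the log line, but add `return err` inside that `if` (the function already returns error). `io/ioutil` is deprecated since Go 1.16; if the module targets that or later, `os.ReadFile` is the drop-in replacement, and `filepath.Join(cfg.DataDir, "certs", "ca-bundle", "ca-bundle.crt")` is the idiomatic way to build the path. The function begins before this hunk.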
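Review bot: The new `CABundle: caFile` only reaches APIService objects this loop creates; the hunk ends at the `Get`, and if the branch after it (outside this hunk) leaves existing objects alone, a node that already has these APIServices from an earlier build keeps `InsecureSkipTLSVerify: true` in the cluster after an upgrade and the secure registration never takes effect. Please make the existing-object path update the spec as well, roughly `existing.Spec = api.Spec` followed by `client.APIServices().Update(context.TODO(), existing, metav1.UpdateOptions{})` (names depend on the code after the `Get`), or state in the commit message that the data directory is always recreated. A one-line comment above `CABundle`, such as `// CA that signed the openshift-apiserver serving cert; the aggregator verifies the backend against it`, would also record why `InsecureSkipTLSVerify` was dropped. The `api` literal starts before this hunk.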
@@ -61,16 +61,7 @@ func OCPAPIServer(cfg *config.MicroshiftConfig) error {
 "--config=" + cfg.DataDir + "/resources/openshift-apiserver/config/config.yaml",
 "--authorization-kubeconfig=" + cfg.DataDir + "/resources/kubeadmin/kubeconfig",
 "--authentication-kubeconfig=" + cfg.DataDir + "/resources/kubeadmin/kubeconfig",
- "--requestheader-client-ca-file=" + cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt",
- "--requestheader-allowed-names=kube-apiserver-proxy,system:kube-apiserver-proxy,system:openshift-aggregator",
- "--requestheader-username-headers=X-Remote-User",
- "--requestheader-group-headers=X-Remote-Group",
- "--requestheader-extra-headers-prefix=X-Remote-Extra-",
- "--client-ca-file=" + cfg.DataDir + "/certs/ca-bundle/ca-bundle.crt",
- "--logtostderr=" + strconv.FormatBool(cfg.LogDir == "" || cfg.LogAlsotostderr),
- "--alsologtostderr=" + strconv.FormatBool(cfg.LogAlsotostderr),
 "--v=" + strconv.Itoa(cfg.LogVLevel),
- "--vmodule=" + cfg.LogVModule,
 }
 if cfg.LogDir != "" {
 args = append(args, "--log-dir="+cfg.LogDir)
From 10462511930a7d755c4edb842786cad9c4ab912c Mon Sep 17 00:00:00 2001
From: Ricardo Noriega
Date: Wed, 20 Oct 2021 17:12:34 +0200
Subject: [PATCH 2/2] Re-enable logging flags
Signed-off-by: Ricardo Noriega
---
 pkg/controllers/ocp-controllers.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkg/controllers/ocp-controllers.go b/pkg/controllers/ocp-controllers.go
index 0792c96577..cd1e6da705 100644
--- a/pkg/controllers/ocp-controllers.go
+++ b/pkg/controllers/ocp-controllers.go
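Review bot: Dropping `--requestheader-client-ca-file`, `--requestheader-allowed-names` and `--client-ca-file` is not covered by the commit message, and these flags are what let openshift-apiserver trust the `X-Remote-User`/`X-Remote-Group` headers the aggregator forwards on the connection this series now CA-verifies. Without them the server presumably falls back to the `extension-apiserver-authentication` ConfigMap reached through `--authentication-kubeconfig`, which only carries a requestheader CA if the kube-apiserver is itself started with matching requestheader flags; that is not visible here, so please confirm, otherwise proxied requests arrive without the caller's identity. If the removal is intended, say so in the commit message; if not, keep the three CA/allowed-names lines and remove only the logging flags (which PATCH 2/2 restores anyway). OCPAPIServer continues outside this hunk.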
@@ -61,7 +61,10 @@ func OCPAPIServer(cfg *config.MicroshiftConfig) error {
 "--config=" + cfg.DataDir + "/resources/openshift-apiserver/config/config.yaml",
 "--authorization-kubeconfig=" + cfg.DataDir + "/resources/kubeadmin/kubeconfig",
 "--authentication-kubeconfig=" + cfg.DataDir + "/resources/kubeadmin/kubeconfig",
+ "--logtostderr=" + strconv.FormatBool(cfg.LogDir == "" || cfg.LogAlsotostderr),
+ "--alsologtostderr=" + strconv.FormatBool(cfg.LogAlsotostderr),
 "--v=" + strconv.Itoa(cfg.LogVLevel),
+ "--vmodule=" + cfg.LogVModule,
 }
 if cfg.LogDir != "" {
 args = append(args, "--log-dir="+cfg.LogDir)
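Review bot: This commit only undoes the logging-flag removal from PATCH 1/2, so the series leaves an intermediate commit in which openshift-apiserver runs without `--logtostderr`, `--alsologtostderr` and `--vmodule`; squash it into the first patch so every commit in the series is self-consistent and bisectable. The three re-added lines themselves match the ones PATCH 1/2 removed, so there is nothing further to change in the code. OCPAPIServer continues outside this hunk.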