fix(kuma-cp): do not require certs on https api port (#7102)

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
kumahq · Jun 26, 2023 · 1bd937e · 1bd937e
1 parent 2e775e9
commit 1bd937e
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/pkg/api-server/server.go b/pkg/api-server/server.go
@@ -37,6 +37,11 @@ import (
 	"github.com/kumahq/kuma/pkg/dns/vips"
 	"github.com/kumahq/kuma/pkg/envoy/admin"
 	"github.com/kumahq/kuma/pkg/metrics"
+<<<<<<< HEAD
+=======
+	"github.com/kumahq/kuma/pkg/plugins/authn/api-server/certs"
+	"github.com/kumahq/kuma/pkg/plugins/resources/k8s"
+>>>>>>> e6d916ba9 (fix(kuma-cp): do not require certs on https api port (#7102))
 	"github.com/kumahq/kuma/pkg/tokens/builtin"
 	tokens_server "github.com/kumahq/kuma/pkg/tokens/builtin/server"
 	util_prometheus "github.com/kumahq/kuma/pkg/util/prometheus"
@@ -421,8 +426,8 @@ func configureMTLS(tlsConfig *tls.Config, cfg api_server.ApiServerConfig) error
 	tlsConfig.ClientCAs = clientCertPool
 	if cfg.HTTPS.RequireClientCert {
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	} else {
-		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven // client certs are required only for some endpoints
+	} else if cfg.Authn.Type == certs.PluginName {
+		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven // client certs are required only for some endpoints when using admin client cert
 	}
 	return nil
 }