From 618ca85bc9482ea11cf792331688fdf0c7b54518 Mon Sep 17 00:00:00 2001
From: Marcus Ruddick
Date: Mon, 26 Aug 2024 14:43:02 -1000
Subject: [PATCH] kmsv2: fixed issue with an invalid authority header being sent by the KMSv2 service

---
 .../value/encrypt/envelope/kmsv2/grpc_service.go | 1 +
 .../encrypt/envelope/testing/v2/kms_plugin_mock.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
index 67f7bc79e1a30..09a2a76df50e3 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
@@ -58,6 +58,7 @@ func NewGRPCService(ctx context.Context, endpoint, providerName string, callTime
 s := &gRPCService{callTimeout: callTimeout}
 s.connection, err = grpc.Dial(
 addr,
+ grpc.WithAuthority("localhost"),
 grpc.WithTransportCredentials(insecure.NewCredentials()),
 grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
 grpc.WithContextDialer(
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go
index 2babbbe3c7d46..ee6b9ef1ccaba 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go
@@ -31,6 +31,7 @@ import (
 
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/metadata"
 "google.golang.org/grpc/status"
 
 "k8s.io/apimachinery/pkg/util/wait"
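Review bot: The new `grpc.WithAuthority("localhost")` option in NewGRPCService carries no explanation, so a later reader cannot tell why a fixed authority is needed or what breaks without it; the commit subject only says an invalid authority header was being sent, presumably because the client otherwise derives one from the unix-socket address passed in addr. Add a comment above the option such as `// Set an explicit, well-formed :authority; the unix-socket endpoint would otherwise yield a value servers may reject.` so the intent is recorded next to the code. The comment should also make clear this value is header hygiene only and not an identity or trust signal, since the very next line still dials with insecure.NewCredentials(). The same literal is asserted by the mock plugin in kms_plugin_mock.go, so the two must stay in sync; a named constant would make that coupling visible. NewGRPCService's body continues outside the hunk.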
@@ -61,7 +62,16 @@ type Base64Plugin struct {
 
 // NewBase64Plugin is a constructor for Base64Plugin.
 func NewBase64Plugin(t testing.TB, socketPath string) *Base64Plugin {
- server := grpc.NewServer()
+ server := grpc.NewServer(
+ grpc.UnaryInterceptor(
+ func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+ if val := metadata.ValueFromIncomingContext(ctx, ":authority"); len(val) != 1 || val[0] != "localhost" {
+ t.Errorf("wanted localhost authority, got: %v", val)
+ }
+ return handler(ctx, req)
+ },
+ ),
+ )
 result := &Base64Plugin{
 grpcServer: server,
 mu: &sync.Mutex{},
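Review bot: The interceptor added in NewBase64Plugin calls `t.Errorf` from the gRPC server's request goroutine, and the testing package panics rather than records a failure when Errorf runs after the owning test has returned; since the server's start and stop are managed outside this hunk, it is worth confirming the server is always stopped before the test ends or capturing the failure into a field that the test reads on shutdown. The expected value "localhost" mirrors the client option in grpc_service.go but nothing in the mock says so; a comment on the interceptor such as `// Assert the :authority the kmsv2 client is expected to send (see grpc.WithAuthority in grpc_service.go).` would document the coupling. Minor style: the unused `info` parameter can be `_`, and `interface{}` can be `any` if the module's Go version allows it.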