-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
specify custom ca file to verify the keystone server #35488
Conversation
Can a kubernetes member verify that this patch is reasonable to test? If so, please reply with "@k8s-bot ok to test" on its own line. Regular contributors should join the org to skip this step. |
@@ -375,6 +376,11 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL, | |||
"If passed, activates the keystone authentication plugin.") | |||
|
|||
fs.StringVar(&s.KeystoneCAFile, "experimental-keystone-ca-file", s.KeystoneCAFile, ""+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use the OIDCCAFile flag description as a starting point instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Already fix this.
// NewKeystoneAuthenticator returns a password authenticator that validates credentials using openstack keystone | ||
func NewKeystoneAuthenticator(authURL string) (*KeystoneAuthenticator, error) { | ||
func NewKeystoneAuthenticator(authURL string, caFile string) (*KeystoneAuthenticator, error) { | ||
if !strings.HasPrefix(authURL, "https") { | ||
return nil, errors.New("Auth URL should be secure and start with https") | ||
} | ||
if authURL == "" { | ||
return nil, errors.New("Auth URL is empty") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Load the cert pool from the given file here if cafile is set, rather than loading it for every request
return nil, err | ||
} | ||
|
||
config := &tls.Config{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Skip this whole block if the capool is nil?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
certutil.NewPool
will return an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates.
So I think it is okay to remain the codes here unchanged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, leave client.HTTPClient.Transport
untouched unless we want to customize the ca pool
config.RootCAs = roots | ||
} | ||
client.HTTPClient.Transport = &http.Transport{TLSClientConfig: config, } | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return openstack.Authenticate(…)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not get the actual use of this return.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the function already returns client, err
, so just return the result directly, instead of if err != nil ...
} | ||
config.RootCAs = roots | ||
} | ||
client.HTTPClient.Transport = &http.Transport{TLSClientConfig: config, } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs gofmt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this equivalent to the transport set up by default by openstack.AuthenticatedClient
(with respect to proxy settings, dial settings, timeouts, etc)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The client created by default openstack.AuthenticatedClient
is *gophercloud.ProviderClient
.
return &gophercloud.ProviderClient{
IdentityBase: base,
IdentityEndpoint: "",
}, nil
The default HTTPClient.Transport
is nil
, and DefaultTransport
is used instead.
var DefaultTransport RoundTripper = &Transport{
Proxy: ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}
The client.HTTPClient.Transport
I used here is quite a new Transport
with only TLSClientConfig
configured.
Do you suggest that we should merge these two together ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
util/net#SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
will set the default dialer, proxy, and timeouts
dd60dc8
to
87bd6be
Compare
87bd6be
to
cd3a6c1
Compare
cd3a6c1
to
63349fe
Compare
63349fe
to
c3e42e1
Compare
roots, err := certutil.NewPool(caFile) | ||
if err != nil { | ||
return nil, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
build the transport once here and save it
} | ||
config := &tls.Config{} | ||
config.RootCAs = roots | ||
return &KeystoneAuthenticator{authURL, config, caFile}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to store config or caFile in the struct, just the custom transport
return nil, err | ||
} | ||
|
||
if keystoneAuthenticator.caFile != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if keystoneAuthenticator.transport != nil {
client.HTTPClient.Transport = keystoneAuthenticator.transport
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed this in the new commit. Thanks.
c3e42e1
to
a888386
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
squash and rebase as well
) | ||
|
||
// KeystoneAuthenticator contacts openstack keystone to validate user's credentials passed in the request. | ||
// The keystone endpoint is passed during apiserver startup | ||
type KeystoneAuthenticator struct { | ||
authURL string | ||
authURL string | ||
transport *http.Transport |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
http.RoundTripper
} | ||
|
||
if keystoneAuthenticator.transport != "" { | ||
client.HTTPClient.Transport = netutil.SetOldTransportDefaults(keystoneAuthenticator.transport) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
client.HTTPClient.Transport = keystoneAuthenticator.transport
} | ||
config := &tls.Config{} | ||
config.RootCAs = roots | ||
transport := &http.Transport{TLSClientConfig: config} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Fixed.
3807c37
to
f00026b
Compare
Jenkins unit/integration failed for commit f00026bcf202bc2b50b26081b4ba707492f4f48f. Full PR test history. The magic incantation to run this job again is |
f00026b
to
d8b7893
Compare
@@ -189,6 +189,8 @@ experimental-allowed-unsafe-sysctls | |||
experimental-bootstrap-kubeconfig | |||
experimental-keystone-url | |||
experimental-mounter-path | |||
experimental-mounter-rootfs-path |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks unrelated... might need to rebase or remove this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know where it comes from. Seems rebase from previous commits. I did not add this. Quite weird.
Already removed this. Fixed.
Jenkins verification failed for commit f00026bcf202bc2b50b26081b4ba707492f4f48f. Full PR test history. The magic incantation to run this job again is |
d8b7893
to
68d40dc
Compare
also needs
|
68d40dc
to
aa3d33a
Compare
@k8s-bot verify test this |
1 similar comment
@k8s-bot verify test this |
aa3d33a
to
dd6c980
Compare
Hi @liggitt I retest this patch on my local env. All works well. And the corresponding doc PR has also been submitted. Need lgtm label again. Thanks. |
Release-czar approved post-code freeze merge--This was LGTMed and in the merge-queue at code freeze time for 1.5. Adding 1.5 milestone to let it gets merged after code freeze. |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue |
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what #35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on #35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
What this PR does / why we need it:
Sometimes the keystone server's certificate is self-signed, mainly used for internal development, testing and etc.
For this kind of ca, we need a way to verify the keystone server.
Otherwise, below error will occur.
This patch provide a way to pass in a ca file to verify the keystone server when starting
kube-apiserver
.Which issue this PR fixes : fixes #22695, #24984
Special notes for your reviewer:
Release note:
This change is