Add support for bootsrapping TLS from a rest.Config #1014
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
To test this locally: Token Auth$ make build
Building...
CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o bin/virtual-kubelet -ldflags='-X "main.buildVersion=v1.5.0-41-g0127d428" -X "main.buildTime=2022-08-30-22:27 UTC"' ./cmd/virtual-kubelet
$ token="$(kubectl config view --minify --raw --output 'jsonpath={.users[0]}' | jq -r .user.token)"
$ bin/virtual-kubelet --kubeconfig ~/.kube/config --provider=mock --provider-config hack/skaffold/virtual-kubelet/vkubelet-mock-0-cfg.json --nodename=vkubelet-mock-0 &
INFO[0000] Waiting for controller to be ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Pod cache in-sync node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] receive GetPods method=GetPods node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] starting workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] started workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
$ curl -k -H "Authorization: bearer ${token}" https://localhost:10250/stats/summary
{"node":{"nodeName":"vkubelet-mock-0","startTime":"2022-08-30T22:04:39Z"},"pods":null}
$Certificate Auth$ make build
Building...
CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o bin/virtual-kubelet -ldflags='-X "main.buildVersion=v1.5.0-41-g0127d428" -X "main.buildTime=2022-08-30-22:27 UTC"' ./cmd/virtual-kubelet
$ bin/virtual-kubelet --kubeconfig ~/.kube/config --provider=mock --provider-config hack/skaffold/virtual-kubelet/vkubelet-mock-0-cfg.json --nodename=vkubelet-mock-0 &
INFO[0000] Waiting for controller to be ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Pod cache in-sync node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] receive GetPods method=GetPods node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] starting workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] started workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
$ kubectl config view --minify --raw --output 'jsonpath={.users[0].user.client-key-data}' | base64 -d > key.pem
$ kubectl config view --minify --raw --output 'jsonpath={.users[0].user.client-certificate-data}' | base64 -d > cert.pem
$ curl -k --cert cert.pem --key key.pem https://localhost:10250/stats/summary
{"node":{"nodeName":"vkubelet-mock-0","startTime":"2022-09-01T21:25:53Z"},"pods":null} |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
cpuguy83
force-pushed
the
boostrap
branch
2 times, most recently
from
058b299
to
e5c534d
Compare
This uses a rest.Config to bootstrap TLS for the http server, webhook auth, and the client. This can be expanded later to do other kinds of TLS bootstrapping. For now this seems to get the job done in terms of what VK expects for permissions on the cluster. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This was just an annoyance when working with the API from a terminal. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
pires
reviewed
Sep 1, 2022
| // BootstrapOpt is a functional option used to configure node bootstrapping | ||
| type BootstrapOpt func(*BootstrapConfig) error | ||
|
|
||
| // WithBootstrapFromRestConfig takes a reset config (or a default one from the environment) and returns a NodeOpt that will: |
pires
reviewed
Sep 1, 2022
| // WithBootstrapFromRestConfig takes a reset config (or a default one from the environment) and returns a NodeOpt that will: | ||
| // 1. Create a client from the rest config (if no client is set) | ||
| // 2. Create webhook authn/authz from the rest config | ||
| // 3. Configure the TLS config for the HTTP server from the certs in the rest config. |
There was a problem hiding this comment.
IIUC the x509 artifacts used for VK to authenticate as a client are the same used to serve the (virtual-)kubelet API?
There was a problem hiding this comment.
Yes that's what it is currently doing.
There was a problem hiding this comment.
In the PR description, TLS authentication output doesn't seem to be relying on TLS for authentication. I trust it's working, just raising awareness.
There was a problem hiding this comment.
Eek, apparently my copy didn't take effect.
There was a problem hiding this comment.
Fixed that description.
|
CI is failing most likely due to the test not using the right certs. I need to look into where this is happening. |
|
I have not looked closely but assuming the CA used for signing serving certificates and client certificates is the same is generally not valid. |
|
Unless I'm missing something here, the configuration is passed by the user. |
|
When can we expect this PR to be merged!! |
|
Hello @cpuguy83, Is this still wip or shall i take it forward? |
|
I do not have cycles for this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This uses a rest.Config to bootstrap TLS for the http server, webhook
auth, and the client.
This can be expanded later to do other kinds of TLS bootstrapping. For
now this seems to get the job done in terms of what VK expects for
permissions on the cluster.