-
Notifications
You must be signed in to change notification settings - Fork 614
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for bootsrapping TLS from a rest.Config #1014
base: master
Are you sure you want to change the base?
Conversation
To test this locally: Token Auth$ make build
Building...
CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o bin/virtual-kubelet -ldflags='-X "main.buildVersion=v1.5.0-41-g0127d428" -X "main.buildTime=2022-08-30-22:27 UTC"' ./cmd/virtual-kubelet
$ token="$(kubectl config view --minify --raw --output 'jsonpath={.users[0]}' | jq -r .user.token)"
$ bin/virtual-kubelet --kubeconfig ~/.kube/config --provider=mock --provider-config hack/skaffold/virtual-kubelet/vkubelet-mock-0-cfg.json --nodename=vkubelet-mock-0 &
INFO[0000] Waiting for controller to be ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Pod cache in-sync node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] receive GetPods method=GetPods node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] starting workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] started workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
$ curl -k -H "Authorization: bearer ${token}" https://localhost:10250/stats/summary
{"node":{"nodeName":"vkubelet-mock-0","startTime":"2022-08-30T22:04:39Z"},"pods":null}
$ Certificate Auth$ make build
Building...
CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -o bin/virtual-kubelet -ldflags='-X "main.buildVersion=v1.5.0-41-g0127d428" -X "main.buildTime=2022-08-30-22:27 UTC"' ./cmd/virtual-kubelet
$ bin/virtual-kubelet --kubeconfig ~/.kube/config --provider=mock --provider-config hack/skaffold/virtual-kubelet/vkubelet-mock-0-cfg.json --nodename=vkubelet-mock-0 &
INFO[0000] Waiting for controller to be ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Pod cache in-sync node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] receive GetPods method=GetPods node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] starting workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] started workers node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
INFO[0000] Ready node=vkubelet-mock-0 operatingSystem=linux provider=mock watchedNamespace=
$ kubectl config view --minify --raw --output 'jsonpath={.users[0].user.client-key-data}' | base64 -d > key.pem
$ kubectl config view --minify --raw --output 'jsonpath={.users[0].user.client-certificate-data}' | base64 -d > cert.pem
$ curl -k --cert cert.pem --key key.pem https://localhost:10250/stats/summary
{"node":{"nodeName":"vkubelet-mock-0","startTime":"2022-09-01T21:25:53Z"},"pods":null} |
058b299
to
e5c534d
Compare
This uses a rest.Config to bootstrap TLS for the http server, webhook auth, and the client. This can be expanded later to do other kinds of TLS bootstrapping. For now this seems to get the job done in terms of what VK expects for permissions on the cluster. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This was just an annoyance when working with the API from a terminal. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
// BootstrapOpt is a functional option used to configure node bootstrapping | ||
type BootstrapOpt func(*BootstrapConfig) error | ||
|
||
// WithBootstrapFromRestConfig takes a reset config (or a default one from the environment) and returns a NodeOpt that will: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/reset/rest
// WithBootstrapFromRestConfig takes a reset config (or a default one from the environment) and returns a NodeOpt that will: | ||
// 1. Create a client from the rest config (if no client is set) | ||
// 2. Create webhook authn/authz from the rest config | ||
// 3. Configure the TLS config for the HTTP server from the certs in the rest config. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC the x509 artifacts used for VK to authenticate as a client are the same used to serve the (virtual-)kubelet API?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that's what it is currently doing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the PR description, TLS authentication output doesn't seem to be relying on TLS for authentication. I trust it's working, just raising awareness.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Eek, apparently my copy didn't take effect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed that description.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM.
CI is failing most likely due to the test not using the right certs. I need to look into where this is happening. |
I have not looked closely but assuming the CA used for signing serving certificates and client certificates is the same is generally not valid. |
Unless I'm missing something here, the configuration is passed by the user. |
When can we expect this PR to be merged!! |
Hello @cpuguy83, Is this still wip or shall i take it forward? |
I do not have cycles for this. |
This uses a rest.Config to bootstrap TLS for the http server, webhook
auth, and the client.
This can be expanded later to do other kinds of TLS bootstrapping. For
now this seems to get the job done in terms of what VK expects for
permissions on the cluster.