Pass the CA root cert into the apiserver #7326
perform client cert checks for authorization. Only enable on GCE where the apiserver is terminating SSL connections from end users.
/cc @lavalamp
@zmerlynn I'd like for this to get in before the 0.16.0 release cut tomorrow if possible. Thanks!
Sorry, was completely offline. Looking now.
LGTM
Pass the CA root cert into the apiserver
Thanks for finding!
@@ -43,10 +43,12 @@ | |||
|
|||
{% set cert_file = "--tls_cert_file=/srv/kubernetes/server.cert" -%} | |||
{% set key_file = "--tls_private_key_file=/srv/kubernetes/server.key" -%} | |||
{% set client_ca_file = "--client_ca_file=/dev/null" -%} |
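Review bot: the `client_ca_file` default on the last added line hard-codes `--client_ca_file=/dev/null`, so every provider that does not override the variable still passes the flag, pointing at a file that contains no certificates. The description says client cert checks should only be enabled on GCE, so default the variable to the empty string (`{% set client_ca_file = "" -%}`) and build the flag only in the GCE branch. A short template comment saying which providers opt in would also help the next reader.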
This broke non-GCE providers I think. Right now, the kube-apiserver outputs errors like the following:
F0427 21:05:35.065323 1 server.go:247] Invalid Authentication Config: error reading /dev/null: could not read any certificates
Is there any reason why we could not default the value to the empty string?
{% set client_ca_file = "" -%}
I will put a PR together that does what is described above.
Sorry @derekwaynecarr. I was following the example of the token auth file since I thought the implementation on the server was identical.
No problem ;-)
Fix vagrant regression due to #7326
So that the apiserver will perform client cert checks for authorization. Only enable on GCE where
the apiserver is terminating SSL connections from end users.
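The failure discussed in the review thread above, as an added Go example that is not part of the pull request or the Kubernetes code base: a loader that treats an empty client CA setting as "client cert checks off" and refuses to start when a configured file yields no certificates, which is what `/dev/null` does. The names `loadClientCAs` and `constructedCA` are hypothetical, and the error wording only mirrors the log line quoted in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// loadClientCAs returns the pool used to verify client certificates.
// An empty path means the feature is off; any other path must yield a cert.
func loadClientCAs(caFile string) (*x509.CertPool, error) {
	if caFile == "" {
		return nil, nil // setting left empty: no client cert checks configured
	}
	pemBytes, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("error reading %s: %w", caFile, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) { // true only if at least one cert parsed
		return nil, fmt.Errorf("error reading %s: could not read any certificates", caFile)
	}
	return pool, nil
}

// constructedCA returns a throwaway self-signed CA in PEM form (constructed sample input).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pool, err := loadClientCAs("/dev/null") // the default value from the hunk above
	fmt.Println(pool != nil, err)
}
```

Failing at startup on an unreadable or empty CA file is the safer behaviour for a server: a placeholder path should never silently turn into "no client verification".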