
Add support for dynamic token providers in kubeconfig used by the proxy #3655

Merged
merged 4 commits into from
May 5, 2020

Conversation

awly
Contributor

@awly awly commented May 1, 2020

Dynamic tokens (as opposed to static, cfg.BearerToken) require using http.RoundTripper wrappers provided by the k8s libraries.
To do this, make a kubeCreds.wrapTransport method that does wrapping the right way and use it with both SPDY dialer and regular HTTP forwarder.

Practically, this means the proxy can now talk to GCP, Azure and AWS k8s clusters using their plugin-based kubeconfigs.
It'll also support any other exec plugin a user might specify.

Also bundle a few semi-related changes (to avoid conflicting PRs):

  • remove ForwarderConfig.TargetAddr - it was never set explicitly and kubeconfig should be the authoritative source anyway
  • overwrite instead of appending impersonation headers
  • have requestCertificate return a finished tls.Config instead of an intermediate type
  • extract kubeCreds into auth.go
  • perform a full TLS handshake in SPDY dialer, instead of manually parsing and checking ServerName

Fixes #3652

Andrew Lytvynov added 4 commits April 30, 2020 13:25
By importing the magic `k8s.io/client-go/plugin/pkg/client/auth`
package, we compile-in support for auth plugins: gcp, azure, oidc,
openstack.

Without this, users can't provide a kubeconfig using those authn
methods to a proxy.

TargetAddr from ForwarderConfig wasn't actually ever used. Kubeconfig
parsing would fail if server address was missing.

The existing kubeCreds already has tls.Config.
Add a new wrapTransport method to it, which handles adding bearer tokens
or basic auth to the request before it goes out.

Use this wrapTransport to inject tokens for both SPDY connections and
catch-all forwarder requests.

Also simplify a few unrelated parts:
- don't manually call serverName verification in SPDY dialer
- have requestCertificate return a finished tls.Config instead of an
  intermediate type

These are no longer needed.
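Added example, not code from this PR or from the Teleport repository: a standard-library-only sketch of the wrapTransport idea from the PR description and the third commit message. The real change uses the http.RoundTripper wrappers from k8s client-go; here tokenTransport, recordingTransport, headersSeen and the token values are constructed stand-ins that show a token fetched on every request (so a rotating exec-plugin token is honoured) and the Authorization header being overwritten rather than appended.

```go
package main

import "net/http"

// tokenTransport wraps an http.RoundTripper and injects the current bearer
// token into every outgoing request (same role as kubeCreds.wrapTransport).
// token stands in for a dynamic provider (GCP, Azure, AWS exec plugin): it may
// return a different value on each call, so it is never copied into a static field.
type tokenTransport struct {
	base  http.RoundTripper
	token func() (string, error)
}

func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.token() // fetched per request, not cached
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	// Set overwrites a stale value; Add would append a second value, the same
	// append-vs-overwrite issue the PR fixes for impersonation headers.
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}

func wrapTransport(base http.RoundTripper, token func() (string, error)) http.RoundTripper {
	return &tokenTransport{base: base, token: token}
}

// recordingTransport is a constructed stand-in for the upstream connection:
// it records each request's Authorization header instead of dialing anything.
type recordingTransport struct{ seen []string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.seen = append(r.seen, req.Header.Get("Authorization"))
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody}, nil
}

// headersSeen sends one request per token through the wrapped transport, with
// a provider that rotates tokens, and returns what the backend observed.
func headersSeen(tokens []string) ([]string, error) {
	i, rec := 0, &recordingTransport{}
	rt := wrapTransport(rec, func() (string, error) { i++; return tokens[(i-1)%len(tokens)], nil })
	for range tokens {
		req, _ := http.NewRequest(http.MethodGet, "https://kube.example.invalid/api", nil)
		req.Header.Set("Authorization", "Bearer stale-static-token") // must be overwritten
		if _, err := rt.RoundTrip(req); err != nil {
			return nil, err
		}
	}
	return rec.seen, nil
}
```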
@awly awly merged commit 5fc99d2 into master May 5, 2020
@awly awly deleted the andrew/k8s-auth-providers branch May 5, 2020 23:51
Successfully merging this pull request may close these issues.

Proxy doesn't support auth providers in kubeconfig