Ensure static certs in kubeconfig override exec plugin #107410
Conversation
Hi @margocrawf. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/triage accepted
Dynamic (plugins) taking precedence over static config seems like the more intuitive pattern to me. But I am not very familiar with this area of the code and it seems that making this alternative switch now can be more breaking.
hack/testdata/auth/testcert.csr
@@ -0,0 +1,15 @@ | |||
-----BEGIN CERTIFICATE REQUEST----- |
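Review bot: the private key that pairs with this CSR, hack/testdata/auth/testcert.key, is also checked in (it is the --client-key path used in test/cmd/authentication.sh), so the test-only note requested above belongs in both files, and a one-line comment with the exact openssl invocation used to generate the pair lets the files be regenerated consistently when the test changes.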
For all of these new testdata files, add:
- A comment describing how they were generated
- A note saying that this is a test-only credential and that no security vulnerabilities should be reported in regards to them being published to a public repo
test/cmd/authentication.sh
metadata: | ||
name: testcert | ||
spec: | ||
request: $(base64 < hack/testdata/auth/testcert.csr | tr -d '\n') |
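Review bot: the visible spec sets only request; a certificates.k8s.io/v1 CertificateSigningRequest also needs signerName (kubernetes.io/kube-apiserver-client for a client certificate the kube-controller-manager signs) and usages including client auth, so if those fields are not in the lines outside this hunk the create will be rejected. A comment here stating what testcert.csr encodes (a client-auth CSR and the subject CN/O it was generated with) would also answer the question raised above.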
It is unclear what testcert.csr encodes.
test/cmd/authentication.sh
kubectl config set-credentials testcert --client-certificate="${TMPDIR:-/tmp}"/testcert.crt --client-key="hack/testdata/auth/testcert.key" --exec-api-version=client.authentication.k8s.io/v1beta1 --exec-command=/tmp/invalid_execcredential.sh | ||
output6=$(kubectl "${kube_flags_without_token[@]:?}" --user testcert get namespace kube-system -o name) | ||
if [[ "${output6}" =~ "Unauthorized" ]]; then | ||
kube::log::status "Unexpected output when providing --client-certificate/--client-key for authentication - exec credential plugin likely triggered. Output: ${output6}" |
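Review bot: /tmp/invalid_execcredential.sh is hard-coded while the certificate path uses "${TMPDIR:-/tmp}", so the exec command will not be found when TMPDIR is set; use the same expansion for both. The check also only reacts to "Unauthorized": if the request fails for another reason (TLS handshake error, connection refused) output6 does not match and the test passes without showing that the static cert was used, so assert the positive result as well, namely that "${output6}" contains namespace/kube-system.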
This error message looks incorrect since this is testing the kubeconfig based cert creds.
test/cmd/authentication.sh
kube::test::get_object_assert 'csr/testcert' '{{range.status.conditions}}{{.type}}{{end}}' '' | ||
kubectl certificate approve testcert | ||
kube::test::get_object_assert 'csr/testcert' '{{range.status.conditions}}{{.type}}{{end}}' 'Approved' | ||
kubectl get csr testcert -o jsonpath='{.status.certificate}' | base64 -d > "${TMPDIR:-/tmp}"/testcert.crt |
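Review bot: besides the race on the Approved condition noted below, approval and issuance are separate steps: status.certificate is populated by the signer after the condition appears, so the jsonpath on the last line can return an empty string and base64 -d will write an empty testcert.crt, which only surfaces later as a confusing TLS failure in set-credentials. Poll until .status.certificate is non-empty rather than only until the condition reads Approved, and fail the test if the resulting file is empty.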
Use kube::test::wait_object_assert or something equivalent to poll for this, otherwise you are racing the signer and this test will flake in CI.
To be consistent with our behavior for tokens, static config must have precedence, i.e. #99603 (comment). In particular, CLI flags are considered static config, and they must override the client-go credential plugin. In an ideal world, we would detect the difference between CLI flags and kubeconfig data, and make the combination of the latter and a client-go credential plugin result in an error (since it is ambiguous what credentials you want to use). With CLI flags, it is clear what credentials the user is intending to use, and that is what this change addresses. I am okay with saying that static kubeconfig credentials take precedence over client-go credential plugins simply because picking either is wrong/ambiguous, but at least then we are consistent across tokens/certs.
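The precedence rule argued for above, as an added Go example that is not the PR's or client-go's code: Creds and UseExecPlugin are hypothetical stand-ins for the relevant kubeconfig/flag fields, not client-go types, and the strict mode goes beyond the PR by also modelling the flags-versus-kubeconfig distinction the comment calls ideal.

```go
package main

import "errors"

// Creds is a hypothetical, cut-down stand-in for one source of client
// credentials (CLI flags or a kubeconfig user entry); it is not client-go's
// rest.Config or clientcmd's AuthInfo.
type Creds struct {
	Token       string // --token / "token"
	CertPEM     []byte // --client-certificate / "client-certificate-data"
	KeyPEM      []byte // --client-key / "client-key-data"
	ExecCommand string // "exec.command" (kubeconfig only)
}

func (c Creds) hasStaticCert() bool { return len(c.CertPEM) > 0 && len(c.KeyPEM) > 0 }
func (c Creds) hasStatic() bool     { return c.Token != "" || c.hasStaticCert() }

// UseExecPlugin merges flags over the kubeconfig entry (flags win, as in
// kubectl) and reports whether the exec plugin would run. strict=false is the
// rule the PR settled on: any static credential, from either source, wins
// over the plugin, so tokens and certs behave alike. strict=true is the
// "ideal world" from the thread: static creds in the kubeconfig beside an exec
// plugin are ambiguous and rejected, while static creds passed as flags win.
func UseExecPlugin(flags, kubeconfig Creds, strict bool) (bool, error) {
	merged := kubeconfig
	if flags.Token != "" {
		merged.Token = flags.Token
	}
	if len(flags.CertPEM) > 0 {
		merged.CertPEM = flags.CertPEM
	}
	if len(flags.KeyPEM) > 0 {
		merged.KeyPEM = flags.KeyPEM
	}
	// A cert without its key (or vice versa) is a misconfiguration, not a
	// reason to fall back to the plugin silently.
	if (len(merged.CertPEM) > 0) != (len(merged.KeyPEM) > 0) {
		return false, errors.New("client-certificate and client-key must be set together")
	}
	if strict && !flags.hasStatic() && kubeconfig.hasStatic() && kubeconfig.ExecCommand != "" {
		return false, errors.New("kubeconfig sets static credentials and an exec plugin: ambiguous")
	}
	if merged.hasStatic() {
		return false, nil // static credentials are sent; the plugin is never invoked
	}
	return merged.ExecCommand != "", nil
}
```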
c02605c to 16e93d8
- Also update test-cmd.sh to pass a signing ca to the kube controller manager, so CSRs work properly in integration tests. Signed-off-by: Margo Crawford <margaretc@vmware.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, margocrawf The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
Check whether static cert is already configured in UpdateTransportConfig
fixed #99603
/kind bug