specify custom ca file to verify the keystone server #35488
Conversation
|
Can a kubernetes member verify that this patch is reasonable to test? If so, please reply with "@k8s-bot ok to test" on its own line. Regular contributors should join the org to skip this step. |
| @@ -375,6 +376,11 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL, | |||
| "If passed, activates the keystone authentication plugin.") | |||
|
|
|||
| fs.StringVar(&s.KeystoneCAFile, "experimental-keystone-ca-file", s.KeystoneCAFile, ""+ | |||
There was a problem hiding this comment.
Use the OIDCCAFile flag description as a starting point instead
k8s-github-robot
added
size/M
| // NewKeystoneAuthenticator returns a password authenticator that validates credentials using openstack keystone | ||
| func NewKeystoneAuthenticator(authURL string) (*KeystoneAuthenticator, error) { | ||
| func NewKeystoneAuthenticator(authURL string, caFile string) (*KeystoneAuthenticator, error) { | ||
| if !strings.HasPrefix(authURL, "https") { | ||
| return nil, errors.New("Auth URL should be secure and start with https") | ||
| } | ||
| if authURL == "" { | ||
| return nil, errors.New("Auth URL is empty") | ||
| } | ||
|
|
There was a problem hiding this comment.
Load the cert pool from the given file here if cafile is set, rather than loading it for every request
| return nil, err | ||
| } | ||
|
|
||
| config := &tls.Config{} |
There was a problem hiding this comment.
Skip this whole block if the capool is nil?
There was a problem hiding this comment.
certutil.NewPool will return an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates.
So I think it is okay to remain the codes here unchanged.
There was a problem hiding this comment.
I mean, leave client.HTTPClient.Transport untouched unless we want to customize the ca pool
| config.RootCAs = roots | ||
| } | ||
| client.HTTPClient.Transport = &http.Transport{TLSClientConfig: config, } | ||
|
|
There was a problem hiding this comment.
return openstack.Authenticate(…)
There was a problem hiding this comment.
I did not get the actual use of this return.
There was a problem hiding this comment.
the function already returns client, err, so just return the result directly, instead of if err != nil ...
| } | ||
| config.RootCAs = roots | ||
| } | ||
| client.HTTPClient.Transport = &http.Transport{TLSClientConfig: config, } |
There was a problem hiding this comment.
is this equivalent to the transport set up by default by openstack.AuthenticatedClient (with respect to proxy settings, dial settings, timeouts, etc)?
There was a problem hiding this comment.
The client created by default openstack.AuthenticatedClient is *gophercloud.ProviderClient.
return &gophercloud.ProviderClient{
IdentityBase: base,
IdentityEndpoint: "",
}, nil
The default HTTPClient.Transport is nil, and DefaultTransport is used instead.
var DefaultTransport RoundTripper = &Transport{
Proxy: ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}
The client.HTTPClient.Transport I used here is quite a new Transport with only TLSClientConfig configured.
Do you suggest that we should merge these two together ?
There was a problem hiding this comment.
util/net#SetOldTransportDefaults(&http.Transport{TLSClientConfig: config}) will set the default dialer, proxy, and timeouts
k8s-github-robot
added
the
needs-rebase
dixudx
force-pushed
the
keystone-ca-cert
branch
from
dd60dc8
to
87bd6be
Compare
k8s-github-robot
added
needs-rebase
dixudx
force-pushed
the
keystone-ca-cert
branch
from
87bd6be
to
cd3a6c1
Compare
k8s-github-robot
added
needs-rebase
dixudx
force-pushed
the
keystone-ca-cert
branch
from
cd3a6c1
to
63349fe
Compare
k8s-github-robot
added
needs-rebase
dixudx
force-pushed
the
keystone-ca-cert
branch
from
63349fe
to
c3e42e1
Compare
k8s-github-robot
added
needs-rebase
| roots, err := certutil.NewPool(caFile) | ||
| if err != nil { | ||
| return nil, err | ||
| } |
There was a problem hiding this comment.
build the transport once here and save it
| } | ||
| config := &tls.Config{} | ||
| config.RootCAs = roots | ||
| return &KeystoneAuthenticator{authURL, config, caFile}, nil |
There was a problem hiding this comment.
no need to store config or caFile in the struct, just the custom transport
| return nil, err | ||
| } | ||
|
|
||
| if keystoneAuthenticator.caFile != "" { |
There was a problem hiding this comment.
if keystoneAuthenticator.transport != nil {
client.HTTPClient.Transport = keystoneAuthenticator.transport
}
There was a problem hiding this comment.
Fixed this in the new commit. Thanks.
dixudx
force-pushed
the
keystone-ca-cert
branch
from
c3e42e1
to
a888386
Compare
k8s-github-robot
removed
the
needs-rebase
| ) | ||
|
|
||
| // KeystoneAuthenticator contacts openstack keystone to validate user's credentials passed in the request. | ||
| // The keystone endpoint is passed during apiserver startup | ||
| type KeystoneAuthenticator struct { | ||
| authURL string | ||
| authURL string | ||
| transport *http.Transport |
| } | ||
|
|
||
| if keystoneAuthenticator.transport != "" { | ||
| client.HTTPClient.Transport = netutil.SetOldTransportDefaults(keystoneAuthenticator.transport) |
There was a problem hiding this comment.
client.HTTPClient.Transport = keystoneAuthenticator.transport
| } | ||
| config := &tls.Config{} | ||
| config.RootCAs = roots | ||
| transport := &http.Transport{TLSClientConfig: config} |
There was a problem hiding this comment.
netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
liggitt
added
release-note
dixudx
force-pushed
the
keystone-ca-cert
branch
from
3807c37
to
f00026b
Compare
|
Jenkins unit/integration failed for commit f00026bcf202bc2b50b26081b4ba707492f4f48f. Full PR test history. The magic incantation to run this job again is |
dixudx
force-pushed
the
keystone-ca-cert
branch
from
f00026b
to
d8b7893
Compare
k8s-github-robot
removed
the
lgtm
| @@ -189,6 +189,8 @@ experimental-allowed-unsafe-sysctls | |||
| experimental-bootstrap-kubeconfig | |||
| experimental-keystone-url | |||
| experimental-mounter-path | |||
| experimental-mounter-rootfs-path | |||
There was a problem hiding this comment.
this looks unrelated... might need to rebase or remove this
There was a problem hiding this comment.
I don't know where it comes from. Seems rebase from previous commits. I did not add this. Quite weird.
Already removed this. Fixed.
|
Jenkins verification failed for commit f00026bcf202bc2b50b26081b4ba707492f4f48f. Full PR test history. The magic incantation to run this job again is |
dixudx
force-pushed
the
keystone-ca-cert
branch
from
d8b7893
to
68d40dc
Compare
|
also needs |
dixudx
force-pushed
the
keystone-ca-cert
branch
from
68d40dc
to
aa3d33a
Compare
|
@k8s-bot verify test this |
1 similar comment
|
@k8s-bot verify test this |
dixudx
force-pushed
the
keystone-ca-cert
branch
from
aa3d33a
to
dd6c980
Compare
|
Hi @liggitt I retest this patch on my local env. All works well. And the corresponding doc PR has also been submitted. Need lgtm label again. Thanks. |
liggitt
added
the
lgtm
|
Release-czar approved post-code freeze merge--This was LGTMed and in the merge-queue at code freeze time for 1.5. Adding 1.5 milestone to let it gets merged after code freeze. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what #35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on #35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
What this PR does / why we need it:
Sometimes the keystone server's certificate is self-signed, mainly used for internal development, testing and etc.
For this kind of ca, we need a way to verify the keystone server.
Otherwise, below error will occur.
This patch provide a way to pass in a ca file to verify the keystone server when starting
kube-apiserver.Which issue this PR fixes : fixes #22695, #24984
Special notes for your reviewer:
Release note:
This change is