Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set --proxy-client-cert-file and --proxy-client-key-file for kube-up.sh #43716

Closed
deads2k opened this issue Mar 27, 2017 · 5 comments · Fixed by #47094 or #47606
Closed

set --proxy-client-cert-file and --proxy-client-key-file for kube-up.sh #43716

deads2k opened this issue Mar 27, 2017 · 5 comments · Fixed by #47094 or #47606
Assignees
@cheftako
Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.
Milestone
v1.7

Comments

@deads2k
Copy link
Contributor

deads2k commented Mar 27, 2017

The kube-apiserver needs a proxy client certificate for the aggregated API servers to trust in order to effectively proxy authentication. kubeadm already has the cert/key pairs required and #43715 wires them together.

We need similar wiring for kube-up.sh so that our e2e tests can test the authentication and authorization flows.

@cheftako @kubernetes/sig-api-machinery-misc
@deads2k deads2k added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 27, 2017
@deads2k deads2k added this to the v1.7 milestone Mar 27, 2017
@liggitt liggitt added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Mar 27, 2017
@liggitt
Copy link
Member

liggitt commented Mar 27, 2017

cc @mikedanese, same concept as api->kubelet for api->extension api server

@roberthbailey
Copy link
Contributor

Is anyone driving this for 1.7?

@cheftako cheftako mentioned this issue May 31, 2017
Merged
@deads2k
Copy link
Contributor Author

deads2k commented Jun 1, 2017

Is anyone driving this for 1.7?

@cheftako do you have a pull for this?

@cheftako cheftako mentioned this issue Jun 7, 2017
Merged
@cheftako
Copy link
Member

cheftako commented Jun 7, 2017
edited by sttts

#47094

cheftako added a commit to cheftako/kubernetes that referenced this issue Jun 9, 2017
@cheftako
Set up proxy certs for Aggregator.
46e179b 
Working on fixing kubernetes#43716.
This will create the necessary certificates.
On GCE is will upload those certificates to Metadata.
They are then pulled down on to the kube-apiserver.
They are written to the /etc/src/kubernetes/pki directory.
Finally they are loaded vi the appropriate command line flags.
The requestheader-client-ca-file can be seen by running the following:-
kubectl get ConfigMap extension-apiserver-authentication
--namespace=kube-system -o yaml
Minor bug fixes.
Made sure AGGR_MASTER_NAME is set up in all configs.
Clean up variable names.
Added additional requestheader configuration parameters.
k8s-github-robot pushed a commit that referenced this issue Jun 13, 2017
Merge pull request #47094 from cheftako/requestCAFile
55f887e 
Automatic merge from submit-queue (batch tested with PRs 47000, 47188, 47094, 47323, 47124)

Set up proxy certs for Aggregator.

Working on fixing #43716.
This will create the necessary certificates.
On GCE is will upload those certificates to Metadata.
They are then pulled down on to the kube-apiserver.
They are written to the /etc/src/kubernetes/pki directory.
Finally they are loaded vi the appropriate command line flags.
The requestheader-client-ca-file can be seen by running the following:-
kubectl get ConfigMap extension-apiserver-authentication --namespace=kube-system -o yaml

**What this PR does / why we need it**: 
This PR creates a request header CA. It also creates a proxy client cert/key pair. 
It causes these files to end up on kube-apiserver and set the CLI flags so they are properly loaded.
Without it the customer either has to set them up themselves or re-use the master CA which is a security vulnerability.
Currently this creates everything on GCE.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #43716

**Special notes for your reviewer**:
@dchen1107
Copy link
Member

I re-open this issue since I reverted #47094

@dchen1107 dchen1107 reopened this Jun 14, 2017
cheftako added a commit to cheftako/kubernetes that referenced this issue Jun 15, 2017
@cheftako
Working on fixing kubernetes#43716.
e067955 
This will create the necessary certificates.
On GCE is will upload those certificates to Metadata.
They are then pulled down on to the kube-apiserver.
They are written to the /etc/src/kubernetes/pki directory.
Finally they are loaded vi the appropriate command line flags.
The requestheader-client-ca-file can be seen by running the following:-
kubectl get ConfigMap extension-apiserver-authentication
--namespace=kube-system -o yaml
Minor bug fixes.
Made sure AGGR_MASTER_NAME is set up in all configs.
Clean up variable names.
Added additional requestheader configuration parameters.
Added check so that if there is no Aggregator CA contents we won't start
the aggregator with the relevant flags.
@cheftako cheftako mentioned this issue Jun 16, 2017
Merged
k8s-github-robot pushed a commit that referenced this issue Jun 17, 2017
Merge pull request #47606 from cheftako/requestCAFile
b00b6b9 
Automatic merge from submit-queue (batch tested with PRs 38751, 44282, 46382, 47603, 47606)

Working on fixing #43716.

This will create the necessary certificates.
On GCE is will upload those certificates to Metadata.
They are then pulled down on to the kube-apiserver.
They are written to the /etc/src/kubernetes/pki directory.
Finally they are loaded vi the appropriate command line flags.
The requestheader-client-ca-file can be seen by running the following:-
kubectl get ConfigMap extension-apiserver-authentication
--namespace=kube-system -o yaml
Minor bug fixes.
Made sure AGGR_MASTER_NAME is set up in all configs.
Clean up variable names.
Added additional requestheader configuration parameters.
Added check so that if there is no Aggregator CA contents we won't start
the aggregator with the relevant flags.

**What this PR does / why we need it**:
This PR creates a request header CA. It also creates a proxy client cert/key pair.
It causes these files to end up on kube-apiserver and set the CLI flags so they are properly loaded.
Without it the customer either has to set them up themselves or re-use the master CA which is a security vulnerability.
Currently this creates everything on GCE.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #43716

**Special notes for your reviewer**:
This is a reapply of pull/47094 with the GKE issue resolved.

**Release note**: None
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cheftako cheftako

Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.
Projects
None yet
Milestone
v1.7
5 participants
@cheftako @liggitt @dchen1107 @roberthbailey @deads2k