Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use specified ServerName in aggregator TLS validation #49353

Merged
merged 1 commit into from
Jul 21, 2017
Merged

Use specified ServerName in aggregator TLS validation #49353

merged 1 commit into from
Jul 21, 2017

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Jul 21, 2017
edited
Loading

Fixes #49354

The aggregator sets a ServerName in the proxier tlsConfig, but the code path handling websocket upgrade requests did not honor it, and instead tried to verify TLS using the dialed host

  • Honors ServerName if already set in tls.Config
  • Adds unit tests for upgrade functionality via the aggregator
  • Fixes mutation of shared tlsConfig.ServerName in spdy roundtripper
Websocket requests to aggregated APIs now perform TLS verification using the service DNS name instead of the backend server's IP address, consistent with non-websocket requests.

@k8s-github-robot k8s-github-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 21, 2017
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 21, 2017
@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

cc @kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-api-machinery-bugs

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. kind/bug Categorizes issue or PR as related to a bug. labels Jul 21, 2017
@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. cherrypick-candidate and removed release-note-label-needed labels Jul 21, 2017
@liggitt liggitt added this to the v1.7 milestone Jul 21, 2017
@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

/retest

@deads2k
Copy link
Contributor

deads2k commented Jul 21, 2017

@ncdc

liggitt
liggitt commented Jul 21, 2017
View reviewed changes
staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
@@ -158,27 +158,28 @@ func (s *SpdyRoundTripper) dial(req *http.Request) (net.Conn, error) {
return nil, err
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this bit fixes two existing bugs:

  • mutation of the roundtripper
  • mutation of the original tlsConfig (which the round tripper should not assume it is free to modify)

ncdc
ncdc reviewed Jul 21, 2017
View reviewed changes
staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
path := "/apis/" + tc.APIService.Spec.Group + "/" + tc.APIService.Spec.Version + "/foo"
called := false

func() { // Cleanup after each test case.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use subtests?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tried it, it triggered the race detector on references to the iterators, didn't feel like messing with it

staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go Outdated
@@ -218,3 +226,189 @@ func TestProxyHandler(t *testing.T) {
}()
}
}

func TestProxyUpgrade(t *testing.T) {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove

staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go Outdated
Service: &apiregistration.ServiceReference{},
Group: "foo",
Version: "v1",
InsecureSkipTLSVerify: true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I take it this is now part of TestProxyUpgrade?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually, I can keep this one intact and add a caBundle test... I wanted a TLS test for normal connections

@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

test nits addressed

@ncdc
Copy link
Member

ncdc commented Jul 21, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2017
@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

/test pull-kubernetes-federation-e2e-gce

@deads2k
Copy link
Contributor

deads2k commented Jul 21, 2017

/approve

@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt, ncdc

Associated issue: 49354

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2017
@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 971c247 into kubernetes:master Jul 21, 2017
@liggitt liggitt deleted the aggregator-tls branch July 21, 2017 17:47
@janetkuo
Copy link
Member

@liggitt

k8s.io/kubernetes/vendor/k8s.io/kube-aggregator/pkg/apiserver TestProxyUpgrade seems to be flaky:

go test -v k8s.io/kubernetes/vendor/k8s.io/kube-aggregator/pkg/apiserver -run TestProxyUpgrade$
handler_proxy_test.go:328: invalid hostname + insecure: expected called=true, got false
testing.go:610: race detected during execution of test

https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/48746/pull-kubernetes-unit/42230/

@janetkuo janetkuo mentioned this pull request Jul 21, 2017
Merged
@liggitt liggitt mentioned this pull request Jul 21, 2017
Merged
@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

@janetkuo looking...

@liggitt liggitt mentioned this pull request Jul 21, 2017
Merged
@liggitt
Copy link
Member Author

liggitt commented Jul 21, 2017

@janetkuo fixed in #49404

k8s-github-robot pushed a commit that referenced this pull request Jul 21, 2017
Merge pull request #49404 from liggitt/test-race
3bae345 
Automatic merge from submit-queue

fix race in proxy unit test

fixes #49413, follow up to #49353 to fix a race in the unit test:


```
go test -v k8s.io/kubernetes/vendor/k8s.io/kube-aggregator/pkg/apiserver -run TestProxyUpgrade$
handler_proxy_test.go:328: invalid hostname + insecure: expected called=true, got false
testing.go:610: race detected during execution of test
```
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/48746/pull-kubernetes-unit/42230/
@wojtek-t wojtek-t mentioned this pull request Jul 25, 2017
Merged
@wojtek-t
Copy link
Member

Cherrypick in #49560

@wojtek-t wojtek-t added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jul 25, 2017
@liggitt
Copy link
Member Author

liggitt commented Jul 25, 2017

Was picked in #49403

@liggitt
Copy link
Member Author

liggitt commented Jul 25, 2017

Pick in #49403 includes the unit test race fix

k8s-github-robot pushed a commit that referenced this pull request Jul 25, 2017
Merge pull request #49560 from wojtek-t/automated-cherry-pick-of-#49212-
59dbcbb 
#49353-upstream-release-1.7

Automatic merge from submit-queue

Automated cherry pick of #49212 upstream release 1.7

Cherry pick of #49212 on release-1.7.

#49212: Bump rescheduler version to v0.3.1
k8s-github-robot pushed a commit that referenced this pull request Jul 26, 2017
Merge pull request #49403 from liggitt/automated-cherry-pick-of-#4935…
c00bd53 
…3-upstream-release-1.7

Automatic merge from submit-queue

Automated cherry pick of #49353

Cherry pick of #49353 on release-1.7.

#49353: Use specified ServerName in aggregator TLS validation
@k8s-cherrypick-bot
Copy link

Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncdc ncdc ncdc left review comments

Assignees

@ncdc ncdc

@thockin thockin

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.7
Development

Successfully merging this pull request may close these issues.
9 participants
@liggitt @deads2k @ncdc @k8s-github-robot @janetkuo @wojtek-t @k8s-cherrypick-bot @thockin @k8s-ci-robot