Populate ClientCA in delegating auth setup #69430

Merged
merged 1 commit into from Oct 5, 2018

@DirectXMan12
Contributor

DirectXMan12 commented Oct 4, 2018

#67768 accidentally removed population of the ClientCA in the delegating auth setup code. This appears to have broken the ability to talk directly to aggregated API servers with client certs (e.g. admin certs).

/kind bug

Fix client cert setup in delegating authentication logic
Populate ClientCA in delegating auth setup
#67768 accidentally removed population of the ClientCA in the delegating auth setup code. This restores it.
@DirectXMan12

Contributor

DirectXMan12 commented Oct 4, 2018

cc @sttts @kubernetes/sig-api-machinery-bugs I'm not missing some other change here, right?

I discovered this when I updated the deps to the custom-metrics-apiserver boilerplate and could no longer use my admin certs to connect to it directly when debugging a couple of things.

@jennybuckley

Contributor

jennybuckley commented Oct 4, 2018

/assign @cheftako
/cc @wenjiaswe

@k8s-ci-robot

Contributor

k8s-ci-robot commented Oct 4, 2018

@jennybuckley: GitHub didn't allow me to request PR reviews from the following users: wenjiaswe.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/assign @cheftako
/cc @wenjiaswe

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yliaog

Contributor

yliaog commented Oct 4, 2018

please add a test to prevent it from happening again?

@sttts

Contributor

sttts commented Oct 5, 2018

/lgtm
/approve

@sttts

Contributor

sttts commented Oct 5, 2018

@DirectXMan12 can you backport to 1.12?

@k8s-ci-robot

Contributor

k8s-ci-robot commented Oct 5, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DirectXMan12, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sttts

Contributor

sttts commented Oct 5, 2018

please add a test to prevent it from happening again?

That would be appreciated.

@k8s-ci-robot k8s-ci-robot merged commit 0373b8d into kubernetes:master Oct 5, 2018

18 checks passed

cla/linuxfoundation DirectXMan12 authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gke Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
pull-kubernetes-e2e-kubeadm-gce Skipped
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
tide In merge pool.

@lavalamp

Member

lavalamp commented Oct 10, 2018

+1 please add a test. @sttts I think it's acceptable to ask for a test (or an explanation of why it's not a reasonable thing to test) before merging.

@sttts

Contributor

sttts commented Oct 10, 2018

@lavalamp +100

@DirectXMan12 to get you started with a test, maybe a look at https://github.com/kubernetes/kubernetes/blob/master/test/integration/controllermanager/serving_test.go#L68 helps. It already integration tests a lot of the delegated authn/z code paths. Maybe you can add a case for the fixed issue.
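
Added example, not code from this PR, from Kubernetes, or from any commenter above: a self-contained Go check of the failure mode the PR description reports, written against plain `crypto/tls`. It assumes, as a model of the delegating setup, that the server only asks for client certificates when a client CA pool is populated; the names `identity` and `clientCertsSeen` and both certificates are constructed for the sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity builds a throwaway self-signed cert (constructed data) and a pool trusting it.
func identity(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// clientCertsSeen handshakes over an in-memory pipe; returns how many client certs the server got.
func clientCertsSeen(populateClientCA bool) (int, error) {
	srv, srvPool := identity("server")
	admin, adminPool := identity("admin")
	sc := &tls.Config{Certificates: []tls.Certificate{srv}, MaxVersion: tls.VersionTLS12} // 1.2: lockstep over the pipe
	if populateClientCA { // assumed model: client certs are requested only when a CA pool is set
		sc.ClientCAs, sc.ClientAuth = adminPool, tls.VerifyClientCertIfGiven
	}
	cc := &tls.Config{Certificates: []tls.Certificate{admin}, RootCAs: srvPool, ServerName: "server"}
	a, b := net.Pipe()
	server, errc := tls.Server(a, sc), make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if cerr, serr := tls.Client(b, cc).Handshake(), <-errc; cerr != nil || serr != nil {
		return 0, fmt.Errorf("handshake failed: client=%v server=%v", cerr, serr)
	}
	return len(server.ConnectionState().PeerCertificates), nil
}

func main() {
	fmt.Println(clientCertsSeen(false)) // 0 <nil>
	fmt.Println(clientCertsSeen(true))  // 1 <nil>
}
```

In both runs the handshake succeeds; without the pool the server simply never sees the admin certificate, so a regression test has to assert on the authenticated identity rather than on connection success.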
