Populate ClientCA in delegating auth setup #69430

Merged
merged 1 commit into from
Oct 5, 2018

DirectXMan12
Contributor

#67768 accidentally removed population of the ClientCA
in the delegating auth setup code. This appears to have broken the ability to talk directly
to aggregated API servers with client certs (e.g. admin certs).

/kind bug

Fix client cert setup in delegating authentication logic

kubernetes#67768 accidentally removed population of the ClientCA
in the delegating auth setup code.  This restores it.
k8s-ci-robot added labels release-note, size/XS, kind/bug, cncf-cla: yes, needs-sig (Oct 4, 2018)
k8s-ci-robot added labels area/apiserver, sig/api-machinery and removed needs-sig (Oct 4, 2018)
@DirectXMan12
Contributor Author

cc @sttts @kubernetes/sig-api-machinery-bugs I'm not missing some other change here, right?

I discovered this when I updated the deps to the custom-metrics-apiserver boilerplate and could no longer use my admin certs to connect to it directly when debugging a couple of things.

@jennybuckley

/assign @cheftako
/cc @wenjiaswe

@k8s-ci-robot
Contributor

@jennybuckley: GitHub didn't allow me to request PR reviews from the following users: wenjiaswe.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/assign @cheftako
/cc @wenjiaswe


@yliaog
Contributor

yliaog commented Oct 4, 2018

please add a test to prevent it from happening again?

@sttts
Contributor

sttts commented Oct 5, 2018

/lgtm
/approve

k8s-ci-robot added the lgtm label (Oct 5, 2018)
@sttts
Contributor

sttts commented Oct 5, 2018

@DirectXMan12 can you backport to 1.12?

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DirectXMan12, sttts


k8s-ci-robot added the approved label (Oct 5, 2018)
@sttts
Contributor

sttts commented Oct 5, 2018

> please add a test to prevent it from happening again?

That would be appreciated.

k8s-ci-robot merged commit 0373b8d into kubernetes:master on Oct 5, 2018
@lavalamp
Member

+1 please add a test. @sttts I think it's acceptable to ask for a test (or an explanation of why it's not a reasonable thing to test) before merging.

@sttts
Contributor

sttts commented Oct 10, 2018

@lavalamp +100

@DirectXMan12 to get you started with a test, maybe a look at https://github.com/kubernetes/kubernetes/blob/master/test/integration/controllermanager/serving_test.go#L68 helps. It already integration tests a lot of the delegated authn/z code paths. Maybe you can add a case for the fixed issue.

DirectXMan12 deleted the bug/use-client-auth branch on November 7, 2018 20:45
@DirectXMan12
Contributor Author

Apologies for not responding. I've been away for the past few weeks. I'll try and take a look at this soon.

k8s-ci-robot added a commit that referenced this pull request Apr 2, 2019
…9430-origin-release-1.12

Automated cherry pick of #69430: Populate ClientCA in delegating auth setup