Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate kubeconfig files in case of external CA mode #70537

Merged
merged 2 commits into from
Nov 5, 2018
Merged

Validate kubeconfig files in case of external CA mode #70537

merged 2 commits into from
Nov 5, 2018

Conversation

yagonobre
Copy link
Member

@yagonobre yagonobre commented Nov 1, 2018
edited
Loading

What type of PR is this?
/kind bug
What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#1203

Does this PR introduce a user-facing change?:

kubeadm: validate kubeconfig files in case of external CA mode.

/assign @timothysc
/assign @fabriziopandini

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 1, 2018
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 1, 2018
@neolit123
Copy link
Member

@yagonobre thanks.
please use this format for the release note:

kubeadm: validate kubeconfig files in case of external CA mode.

@neolit123
Copy link
Member

/priority important-longterm
(?)

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 1, 2018
neolit123
neolit123 reviewed Nov 1, 2018
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on a quick look.
added two minor nits.

cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go Outdated
err := ValidateKubeConfig(outDir, filename, config)
if err != nil {
// Check if the file exist, and if it doesn't, just write it to disk
if os.IsNotExist(err) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can be done as follows, optionally:

if !os.IsNotExist(err) {
	return err
}
...

cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go Outdated

err = kubeconfigutil.WriteToDisk(kubeConfigFilePath, config)
if err != nil {
return errors.Wrapf(err, "failed to save kubeconfig file %s on disk", kubeConfigFilePath)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"%s" -> "%q"

@yagonobre
Copy link
Member Author

@neolit123 done

@neolit123
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 1, 2018
timothysc
timothysc reviewed Nov 1, 2018
View reviewed changes
cmd/kubeadm/app/cmd/phases/kubeconfig.go Outdated
@@ -116,7 +125,14 @@ func runKubeConfigFile(kubeConfigFileName string) func(workflow.RunData) error {

// if external CA mode, skip certificate authority generation
if data.ExternalCA() {
//TODO: implement validation of existing kubeconfig files
config, err := getKubeConfig(data.Cfg(), kubeConfigFileName)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this new behavior covered either directly or indirectly in the _tests file?

/assign @fabriziopandini

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not yet, I'll update the tests tomorrow.

fabriziopandini
fabriziopandini reviewed Nov 2, 2018
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre thanks for this PR, this is definitely a step in the right direction!

However, IMO we should change where the validation is triggered in order to fail as soon as possible in case we are in external CA mode (certificate authority certs existing without keys), but without all proper certificates and kubeconfig file in places.

In order to do so, I think that the kubeconfig validation should happen before, ideally when building ìnitData/inside theexternalCA` function here. wdyt?

@timothysc @neolit123 opinions?

@neolit123
Copy link
Member

In order to do so, I think that the kubeconfig validation should happen before, ideally when building ìnitData/inside theexternalCA` function here. wdyt?

+1

@neolit123
Copy link
Member

@fabriziopandini
@yagonobre reported in slack that golint is not happy with kubeconfig.KubeConfigSpec it should be called kubeconfig.Spec. the alternative is to use hack/.golint_failures.

options:

  1. try SpecKubeConfig
  2. move to Spec
  3. modify hack/.golint_failures

my vote is to try 1, then 2.

@fabriziopandini
Copy link
Member

@neolit123 @yagonobre IMO KubeConfigSpec struct should not be changed to public, but instead, a new func ValidateKubeconfigsForExternalCA should be exposed and then invoked by ExternalCA
(my comments above/on the issue are on the same line too)

@yagonobre
Copy link
Member Author

@fabriziopandini make senses, I'll update soon

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 3, 2018
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 3, 2018
fabriziopandini
fabriziopandini approved these changes Nov 4, 2018
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre thanks for this update to this PR!
IMO this is ready to merge as soon as the new ValidateKubeconfigsForExternalCA func is covered by tests as required by @timothysc
/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 4, 2018
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 4, 2018
@yagonobre
Copy link
Member Author

Updated with some tests

@yagonobre
Copy link
Member Author

/test pull-kubernetes-e2e-gce-100-performance
/test pull-kubernetes-kubemark-e2e-gce-big

timothysc
timothysc approved these changes Nov 5, 2018
View reviewed changes
Copy link
Member

@timothysc timothysc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 5, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, timothysc, yagonobre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@neolit123
Copy link
Member

/retest

1 similar comment
@neolit123
Copy link
Member

/retest

@k8s-ci-robot k8s-ci-robot merged commit faed5aa into kubernetes:master Nov 5, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@timothysc timothysc timothysc approved these changes

@fabriziopandini fabriziopandini fabriziopandini approved these changes

@liztio liztio Awaiting requested review from liztio

Assignees

@timothysc timothysc

@fabriziopandini fabriziopandini

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Missing validation of kubeconfig files in case of external CA mode
5 participants
@yagonobre @neolit123 @fabriziopandini @k8s-ci-robot @timothysc