Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow a verifyoptionsfunc to indicate that no certpool is available #84864

Merged
merged 2 commits into from
Nov 8, 2019
Merged

allow a verifyoptionsfunc to indicate that no certpool is available #84864

merged 2 commits into from
Nov 8, 2019
+39 −15

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Nov 6, 2019

xref #82141

Adds bool to VerifyFunc. If the bool is false, then the returned VerifyOptions are ignored and the authenticator will express "no opinion". This allows a clear signal for cases where a CertPool is eventually expected, but not currently present.

/kind bug
/priority important-soon
@kubernetes/sig-auth-pr-reviews

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 6, 2019
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 6, 2019
@deads2k
Copy link
Contributor Author

deads2k commented Nov 6, 2019

/retest

1 similar comment
@deads2k
Copy link
Contributor Author

deads2k commented Nov 6, 2019

/retest

@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Nov 6, 2019
liggitt
liggitt reviewed Nov 7, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go Outdated
if uncastObj == nil {
return x509.VerifyOptions{}, false
}
castObj, ok := uncastObj.(*caBundleAndVerifier)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the type of an atomic.Value can't be changed once set. if we have a non-nil value that isn't the correct type, that's a programming error we should hard-fail on

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the type of an atomic.Value can't be changed once set. if we have a non-nil value that isn't the correct type, that's a programming error we should hard-fail on

updated to panic

liggitt
liggitt reviewed Nov 7, 2019
View reviewed changes
test/integration/scheduler/taint_test.go Outdated
@@ -656,6 +656,8 @@ func TestTaintBasedEvictions(t *testing.T) {
for i, test := range tests {
t.Run(test.name, func(t *testing.T) {
context := initTestMaster(t, "taint-based-evictions", admission)
defer context.closeFn()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unrelated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unrelated?

found it working on this one, just a forgotten close

@deads2k
Copy link
Contributor Author

deads2k commented Nov 7, 2019

comments addressed

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt
Copy link
Member

liggitt commented Nov 7, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2019
@deads2k
Copy link
Contributor Author

deads2k commented Nov 7, 2019

/retest

@k8s-ci-robot k8s-ci-robot merged commit 9dfcc36 into kubernetes:master Nov 8, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Nov 8, 2019
@deads2k deads2k mentioned this pull request Nov 12, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

@enj enj Awaiting requested review from enj

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@deads2k @k8s-ci-robot @liggitt