-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 give the front proxy a distinct config for direct(internal) shard communication. #2382
🐛 give the front proxy a distinct config for direct(internal) shard communication. #2382
Conversation
} | ||
kubeConfig.Clusters = map[string]*clientcmdapi.Cluster{ | ||
"base": { | ||
CertificateAuthority: filepath.Join(workDirPath, ".kcp/serving-ca.crt"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
normally you would provide a server name here, we overwrite it for convenience
c.ShardsConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig( | ||
&clientcmd.ClientConfigLoadingRules{ExplicitPath: c.Options.ShardsKubeconfig}, | ||
// We override the Server here so that the user doesn't have to specify unused server value | ||
// The Server must have HTTPS scheme otherwise CA won't be loaded (see IsConfigTransportTLS method) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
alternatively we could provide certificates via separate flags and construct the config manually
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would probably be my preference, but I'm ok merging as-is and adjusting later if we decide to go that route, unless @sttts @stevekuznetsov prefer making the change now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would require at least 2 flags, one for the client cert pair and the other one for the public CA's certificate.
On the other hand kubeconfig has an advantage of specifying other means of authNZ, although I'm not sure we would ever use i.e. tokens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for merging as is.
a8fc11d
to
5adbfa6
Compare
@@ -88,6 +90,9 @@ func (o *Options) Validate() []error { | |||
if o.MappingFile == "" { | |||
errs = append(errs, fmt.Errorf("--mapping-file is required")) | |||
} | |||
if len(o.ShardsKubeconfig) == 0 { | |||
errs = append(errs, fmt.Errorf("--shards-kubeconfig is required")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the flag is now required
pkg/proxy/options/options.go
Outdated
@@ -56,6 +57,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
fs.StringVar(&o.MappingFile, "mapping-file", o.MappingFile, "Config file mapping paths to backends") | |||
fs.StringVar(&o.RootDirectory, "root-directory", o.RootDirectory, "Root directory.") | |||
fs.StringVar(&o.RootKubeconfig, "root-kubeconfig", o.RootKubeconfig, "The path to the kubeconfig of the root shard.") | |||
fs.StringVar(&o.ShardsKubeconfig, "shards-kubeconfig", o.ShardsKubeconfig, "The path to the kubeconfig used for communication with other shards.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit - AFAICS these credentials are used to create ClusterWorkspace informers for all shards (including root), so I'd s/other/all here
It's still a little confusing given we also require root-kubeconfig, but perhaps that can be deprecated/removed in a future iteration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, i'm not sure. In general we need a privileged credentials for making wildcard requests against all shards. In addition to that we also need access to the root cluster for identities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not blocking on it, but as previously mentioned I'd adjust the description slightly e.g:
The path to the kubeconfig used for communication with all shards.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, fixed :)
&clientcmd.ClientConfigLoadingRules{ExplicitPath: c.Options.ShardsKubeconfig}, | ||
// We override the Server here so that the user doesn't have to specify unused server value | ||
// The Server must have HTTPS scheme otherwise CA won't be loaded (see IsConfigTransportTLS method) | ||
&clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: "https://fakeserver.io"}}).ClientConfig() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fakeserver override here looks strange, is that needed, or can we just use whatever is specified in the shard kubeconfig?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I see now that the server is empty in the file, if it can't remain empty here would it perhaps be better to default it to the root-shard URL?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, please see #2382 (comment) for alternatives.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But even if we stick with the kubeconfig approach instead of the separate flags (which personally I think is fine, and probably easier if folks already have a cert based root-kubeconfig that allows access to all shards), we could switch the fakeserver.io to the root shard URL, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, we could do that. I think we could do that just to read the new config and then erase the host value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to hear one more opinion on it. I'm not convinced we should change it to use the root shard URL.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hope that's okay with you :)
5adbfa6
to
a3a003b
Compare
a3a003b
to
07eac6e
Compare
pkg/proxy/options/options.go
Outdated
@@ -56,6 +57,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
fs.StringVar(&o.MappingFile, "mapping-file", o.MappingFile, "Config file mapping paths to backends") | |||
fs.StringVar(&o.RootDirectory, "root-directory", o.RootDirectory, "Root directory.") | |||
fs.StringVar(&o.RootKubeconfig, "root-kubeconfig", o.RootKubeconfig, "The path to the kubeconfig of the root shard.") | |||
fs.StringVar(&o.ShardsKubeconfig, "shards-kubeconfig", o.ShardsKubeconfig, "The path to the kubeconfig used for communication with all shards") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add that the server name is replaced later on with the shard hostname.
it holds a path to the kubeconfig which is used to communicate with shards
07eac6e
to
9d1434c
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
Summary
The front proxy needs a direct and privileged way of authNZ with any shard. At the same time it needs to be able to validate an incoming certificate from a shard.
This PR allows the above by introducing a kubeconfig that holds a client certificate and a CA certificate for validating incoming certs.
The new kubeconfig can be passed via
shards-kubeconfig
flag.Previously an incorrect configuration was used for communication with shards. As a result the proxy didn't work in a multi shard environment.
Related issue(s)
required by #342
fixes #2274