🐛 give the front proxy a distinct config for direct(internal) shard communication. #2382
Conversation
| } | ||
| kubeConfig.Clusters = map[string]*clientcmdapi.Cluster{ | ||
| "base": { | ||
| CertificateAuthority: filepath.Join(workDirPath, ".kcp/serving-ca.crt"), |
There was a problem hiding this comment.
normally you would provide a server name here, we overwrite it for convenience
| c.ShardsConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig( | ||
| &clientcmd.ClientConfigLoadingRules{ExplicitPath: c.Options.ShardsKubeconfig}, | ||
| // We override the Server here so that the user doesn't have to specify unused server value | ||
| // The Server must have HTTPS scheme otherwise CA won't be loaded (see IsConfigTransportTLS method) |
There was a problem hiding this comment.
alternatively we could provide certificates via separate flags and construct the config manually
There was a problem hiding this comment.
That would probably be my preference, but I'm ok merging as-is and adjusting later if we decide to go that route, unless @sttts @stevekuznetsov prefer making the change now.
There was a problem hiding this comment.
It would require at least 2 flags, one for the client cert pair and the other one for the public CA's certificate.
On the other hand kubeconfig has an advantage of specifying other means of authNZ, although I'm not sure we would ever use i.e. tokens.
p0lyn0mial
force-pushed
the
front-proxy-shards-kubeconfig
branch
from
a8fc11d
to
5adbfa6
Compare
| @@ -88,6 +90,9 @@ func (o *Options) Validate() []error { | |||
| if o.MappingFile == "" { | |||
| errs = append(errs, fmt.Errorf("--mapping-file is required")) | |||
| } | |||
| if len(o.ShardsKubeconfig) == 0 { | |||
| errs = append(errs, fmt.Errorf("--shards-kubeconfig is required")) | |||
There was a problem hiding this comment.
the flag is now required
pkg/proxy/options/options.go
Outdated
| @@ -56,6 +57,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&o.MappingFile, "mapping-file", o.MappingFile, "Config file mapping paths to backends") | |||
| fs.StringVar(&o.RootDirectory, "root-directory", o.RootDirectory, "Root directory.") | |||
| fs.StringVar(&o.RootKubeconfig, "root-kubeconfig", o.RootKubeconfig, "The path to the kubeconfig of the root shard.") | |||
| fs.StringVar(&o.ShardsKubeconfig, "shards-kubeconfig", o.ShardsKubeconfig, "The path to the kubeconfig used for communication with other shards.") | |||
There was a problem hiding this comment.
nit - AFAICS these credentials are used to create ClusterWorkspace informers for all shards (including root), so I'd s/other/all here
It's still a little confusing given we also require root-kubeconfig, but perhaps that can be deprecated/removed in a future iteration
There was a problem hiding this comment.
yeah, i'm not sure. In general we need a privileged credentials for making wildcard requests against all shards. In addition to that we also need access to the root cluster for identities.
There was a problem hiding this comment.
Not blocking on it, but as previously mentioned I'd adjust the description slightly e.g:
The path to the kubeconfig used for communication with all shards.
| &clientcmd.ClientConfigLoadingRules{ExplicitPath: c.Options.ShardsKubeconfig}, | ||
| // We override the Server here so that the user doesn't have to specify unused server value | ||
| // The Server must have HTTPS scheme otherwise CA won't be loaded (see IsConfigTransportTLS method) | ||
| &clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: "https://fakeserver.io"}}).ClientConfig() |
There was a problem hiding this comment.
The fakeserver override here looks strange, is that needed, or can we just use whatever is specified in the shard kubeconfig?
There was a problem hiding this comment.
Oh I see now that the server is empty in the file, if it can't remain empty here would it perhaps be better to default it to the root-shard URL?
There was a problem hiding this comment.
yes, please see #2382 (comment) for alternatives.
There was a problem hiding this comment.
But even if we stick with the kubeconfig approach instead of the separate flags (which personally I think is fine, and probably easier if folks already have a cert based root-kubeconfig that allows access to all shards), we could switch the fakeserver.io to the root shard URL, right?
There was a problem hiding this comment.
sure, we could do that. I think we could do that just to read the new config and then erase the host value.
There was a problem hiding this comment.
I'd like to hear one more opinion on it. I'm not convinced we should change it to use the root shard URL.
There was a problem hiding this comment.
I hope that's okay with you :)
openshift-merge-robot
added
the
needs-rebase
p0lyn0mial
force-pushed
the
front-proxy-shards-kubeconfig
branch
from
5adbfa6
to
a3a003b
Compare
openshift-merge-robot
removed
the
needs-rebase
p0lyn0mial
force-pushed
the
front-proxy-shards-kubeconfig
branch
from
a3a003b
to
07eac6e
Compare
pkg/proxy/options/options.go
Outdated
| @@ -56,6 +57,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&o.MappingFile, "mapping-file", o.MappingFile, "Config file mapping paths to backends") | |||
| fs.StringVar(&o.RootDirectory, "root-directory", o.RootDirectory, "Root directory.") | |||
| fs.StringVar(&o.RootKubeconfig, "root-kubeconfig", o.RootKubeconfig, "The path to the kubeconfig of the root shard.") | |||
| fs.StringVar(&o.ShardsKubeconfig, "shards-kubeconfig", o.ShardsKubeconfig, "The path to the kubeconfig used for communication with all shards") | |||
There was a problem hiding this comment.
add that the server name is replaced later on with the shard hostname.
it holds a path to the kubeconfig which is used to communicate with shards
p0lyn0mial
force-pushed
the
front-proxy-shards-kubeconfig
branch
from
07eac6e
to
9d1434c
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest |
Summary
The front proxy needs a direct and privileged way of authNZ with any shard. At the same time it needs to be able to validate an incoming certificate from a shard.
This PR allows the above by introducing a kubeconfig that holds a client certificate and a CA certificate for validating incoming certs.
The new kubeconfig can be passed via
shards-kubeconfigflag.Previously an incorrect configuration was used for communication with shards. As a result the proxy didn't work in a multi shard environment.
Related issue(s)
required by #342
fixes #2274