Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

🌱 Handle TLSOpts.GetCertificate in webhook #2291

Merged

Conversation

vincepri
Copy link
Member

This change rewrites some of the webhook server logic to better handle the user setting a custom configuration for the TLS options by providing a custom GetCertificate function. When that's present, we won't start a certwatcher routine. The change also updates the documentation to better clarify when each of the options are effective.

Fixed #2269

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 27, 2023
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 27, 2023
@vincepri
Copy link
Member Author

/assign @sbueringer

}()

// load CA to verify client certificate
if s.ClientCAName != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think configuring ClientCAs / ClientAuth is an orthogonal feature to GetCertificate so it shouldn't be inside this if

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 Problem is that we're using CertDir and CertCAName to get the certificate from the local file

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But that's only a matter of writing different godoc comments, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also decouple by deprecating ClientCAName and introducing ClientCAFile

Then it's only a bit hacky until we remove ClientCAName

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Folks can configure CA validation through TLS options if they wish to do so outside the CertDir. The current comments seem fine to me in those cases, wdyt? cc @alvaroaleman

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll update the PR in a bit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL, opted to both return errors, and allow to use ClientCAName w/ GetCertificate if folks still want

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, mind adding a testcase for GetCertificate not getting overriden if present?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm as well

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ptal

@vincepri vincepri force-pushed the tls-opts-getcertificate branch 2 times, most recently from 1e52202 to abe23de Compare May 2, 2023 21:53
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 2, 2023
This change rewrites some of the webhook server logic to better handle
the user setting a custom configuration for the TLS options by providing
a custom GetCertificate function. When that's present, we won't start
a certwatcher routine. The change also updates the documentation to
better clarify when each of the options are effective.

Signed-off-by: Vince Prignano <vincepri@redhat.com>
@vincepri vincepri force-pushed the tls-opts-getcertificate branch from abe23de to bd12701 Compare May 2, 2023 21:54
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 2, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, vincepri

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [alvaroaleman,vincepri]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 94bb74b into kubernetes-sigs:main May 2, 2023
@sbueringer
Copy link
Member

/lgtm

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Optimize webhook.Server start procedure when tls.Config.GetCertificate is configured via Server.TLSOpts
4 participants