Storage does not validate client certificate

[slashben]

The current implementation does not validate peer TLS certificates and any client can connect it and pull data. It should only be the Kubernetes API server that is allowed to do queries.

[matthyx]

@slashben do we want to fix that?

[slashben]

we must, but it should be fairly simple

[slashben]

it should be set up in ClientCA in the SecureServingInfo
see more here
https://pkg.go.dev/k8s.io/apiserver/pkg/server#SecureServingInfo

[matthyx]

it should be set up in ClientCA in the SecureServingInfo see more here https://pkg.go.dev/k8s.io/apiserver/pkg/server#SecureServingInfo

nice, do we want to add a config entry for that certificate? or should we read it from somewhere in the downward API?

[slashben]

Wait, we have two problems here.

One is we need to have the client certificate of the API server (it can be take with kubectl get configmap -n kube-public cluster-info -o jsonpath='{.data.kubeconfig}' | yq | jq .clusters[0].cluster."certificate-authority-data" , I guess we can read it during the helm installation)

The second is that we do not generate server certificate 😞

apiVersion: apiregistration.k8s.io/v1                                                                                                   
kind: APIService                                                                                                                        
metadata:
  spec:                                                                                                                                │
    insecureSkipTLSVerify: true

[slashben]

@matthyx see my PRs (they were tested locally)