

Fix webhook certificate auth with nodeutil
1. Routes were not set up, causing panics
2. The CA was not being loaded into the webhook auth and as such only
   token auth was available.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
cpuguy83 authored and helayoty committed Sep 12, 2022
1 parent fbfa28c commit f831252
Showing 2 changed files with 18 additions and 1 deletion.
17 changes: 17 additions & 0 deletions cmd/virtual-kubelet/main.go
Expand Up @@ -20,6 +20,7 @@ import (
"errors"
"flag"
"fmt"
"net/http"
"os"
"path/filepath"
"strconv"
Expand All @@ -34,6 +35,7 @@ import (
"github.com/virtual-kubelet/virtual-kubelet/node"
"github.com/virtual-kubelet/virtual-kubelet/node/nodeutil"
v1 "k8s.io/api/core/v1"
"k8s.io/apiserver/pkg/server/dynamiccertificates"

"github.com/virtual-kubelet/virtual-kubelet/log"
logruslogger "github.com/virtual-kubelet/virtual-kubelet/log/logrus"
Expand Down Expand Up @@ -120,6 +122,11 @@ func main() {
return nil
}

configureRoutes := func(cfg *nodeutil.NodeConfig) error {
mux := http.NewServeMux()
cfg.Handler = mux
return nodeutil.AttachProviderRoutes(mux)(cfg)
}
withWebhookAuth := func(cfg *nodeutil.NodeConfig) error {
if !webhookAuth {
return nil
Expand All @@ -134,6 +141,15 @@ func main() {
if webhookAuthzUnauthedCacheTTL > 0 {
cfg.AuthzConfig.AllowCacheTTL = webhookAuthzUnauthedCacheTTL
}

if clientCACert != "" {
ca, err := dynamiccertificates.NewDynamicCAContentFromFile("client-ca", clientCACert)
if err != nil {
return err
}
cfg.AuthnConfig.ClientCertificateCAContentProvider = ca
go ca.Run(1, context.TODO().Done())
}
return nil
})
if err != nil {
Expand Down Expand Up @@ -179,6 +195,7 @@ func main() {
p, err := azprovider.NewACIProvider(cfgPath, cfg, os.Getenv("VKUBELET_POD_IP"), int32(listenPort), clusterDomain)
return p, nil, err
},
configureRoutes,
withClient,
withTaint,
withVersion,
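Review bot: `go ca.Run(1, context.TODO().Done())` hands the CA reloader a nil stop channel (`context.TODO()` never cancels), so the file watcher goroutine started inside withWebhookAuth has no way to be stopped and outlives any shutdown of the node; main() appears to run under its own context outside this hunk, and that is where the stop signal should come from, e.g. `go ca.Run(1, ctx.Done())`. Worth a comment either way: because this block sits below the `if !webhookAuth { return nil }` guard, client-certificate auth is only wired when webhook auth is enabled, even when clientCACert is set, so a reader should see `// client CA is only consulted when webhook auth is enabled; otherwise the flag is ignored` next to the `if clientCACert != ""` check. The enclosing main() begins and ends outside the hunk.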
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -25,14 +25,14 @@ require (
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.6.0
github.com/spf13/cobra v1.0.0
github.com/spf13/pflag v1.0.5 // indirect
github.com/thoas/go-funk v0.9.1
github.com/virtual-kubelet/virtual-kubelet v1.6.0
go.opencensus.io v0.22.3
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
gotest.tools v2.2.0+incompatible
k8s.io/api v0.19.10
k8s.io/apimachinery v0.19.10
k8s.io/apiserver v0.19.10
k8s.io/client-go v0.19.10
k8s.io/klog v1.0.0
)
