Update http.Transport if it already exists in ExecProvider #66395
Conversation
k8s-ci-robot
added
release-note
|
/assign @mikedanese |
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
awly
force-pushed
the
fix-kubelet-exec-plugin-startup
branch
from
5262e8e
to
4471282
Compare
k8s-ci-robot
added
size/M
|
@liggitt good point, not sure how i forgot about that :| Changed to handle existing Transport in ExecProvider and use stdlib |
awly
changed the title
| cert, err := getCert() | ||
| if err != nil { | ||
| return nil, err | ||
| if t, ok := c.Transport.(*http.Transport); ok && t != nil { |
There was a problem hiding this comment.
what does this do when run with --v=6? might need a func TransportFor(transport http.RoundTripper) (*http.Transport, error) helper in pkg/util/net to unwrap nested debugging transports (see DialerFor as an example)
There was a problem hiding this comment.
Just tested, --v=6 works fine.
But I agree with your point, someone can introduce a wrapper eventually, breaking this.
Added a TransportFor helper.
| } | ||
| getCert := t.TLSClientConfig.GetClientCertificate | ||
| t.TLSClientConfig.GetClientCertificate = func(hi *tls.CertificateRequestInfo) (*tls.Certificate, error) { | ||
| // If previous GetCert is present and returns a valid non-nil |
There was a problem hiding this comment.
trying to think through the implications if you use client cert rotation and an exec plugin... the client cert rotation code would always win. does that make sense?
There was a problem hiding this comment.
where are we checking if the returned cert is valid?
There was a problem hiding this comment.
where are we checking if the returned cert is valid?
refreshCredsLocked does validation. It fetches the actual certificate, validates and caches it. GetClientCertificate returns the cached copy.
I added cert expiry validation too in this PR, just in case.
trying to think through the implications if you use client cert rotation and an exec plugin... the client cert rotation code would always win. does that make sense?
Is cert rotation and exec plugin a valid configuration? Does it mean "fetch initial cert via plugin but then rotate manually"?
Our use case relies on exec plugin to bootstrap a fresh cert whenever needed and cert rotation in kubelet is disabled.
There was a problem hiding this comment.
refreshCredsLocked does validation.
I was referring to what the previous GetCert was returning ("If previous GetCert is present and returns a valid non-nil..."), not what the exec plugin returned
Is cert rotation and exec plugin a valid configuration?
I don't know, but this is allowing it :)
There was a problem hiding this comment.
I was referring to what the previous GetCert was returning ("If previous GetCert is present and returns a valid non-nil..."), not what the exec plugin returned
Ah, gotcha. I don't think it's this plugin's job to check that. If something returns a certificate here, it better be valid. Otherwise it's a bug.
I'd rather leave it as is, WDYT?
There was a problem hiding this comment.
For the sanity of the next person who tries to debug this, I think it would be better to return an error if GetClientCertificate is not nil. That would effectively disallow client cert rotation to be used with the exec plugin, right? I'd be happy to avoid this complexity.
There was a problem hiding this comment.
I think it would be better to return an error if GetClientCertificate is not nil. That would effectively disallow client cert rotation to be used with the exec plugin, right? I'd be happy to avoid this complexity.
that seems like a reasonable starting point. mixing the two gets weird.
There was a problem hiding this comment.
SGTM, made it an error in both cases
| if getCert != nil { | ||
| cert, err := getCert(hi) | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
would we want to check the exec plugin in an error case? (I know this is pre-existing, just trying to understand the implications and whether they are different if we're dealing with an existing transport vs a GetCert func)
There was a problem hiding this comment.
Makes sense to me, added.
It's an unlikely configuration, but doesn't hurt.
k8s-ci-robot
added
size/L
|
@liggitt thanks for the comments, PTAL |
|
FYI, I'd like to cherry-pick this into 1.11.2. |
|
|
||
| // TransportFor returns the root *http.Transport behind all wrapper | ||
| // RoundTrippers. Wrappers must implement RoundTripperWrapper. | ||
| func TransportFor(transport http.RoundTripper) (*http.Transport, error) { | ||
| if transport == nil { |
There was a problem hiding this comment.
This shifts the nil check from every caller to here. transport.Config.Transport can be nil with valid config, afaik (just not in kubelet)
| } | ||
| getCert := t.TLSClientConfig.GetClientCertificate | ||
| t.TLSClientConfig.GetClientCertificate = func(hi *tls.CertificateRequestInfo) (*tls.Certificate, error) { | ||
| // If previous GetCert is present and returns a valid non-nil |
There was a problem hiding this comment.
For the sanity of the next person who tries to debug this, I think it would be better to return an error if GetClientCertificate is not nil. That would effectively disallow client cert rotation to be used with the exec plugin, right? I'd be happy to avoid this complexity.
| if certBlock == nil { | ||
| return errors.New("can't parse client certificate returned by exec plugin as PEM block") | ||
| } | ||
| x509Cert, err := x509.ParseCertificate(certBlock.Bytes) |
There was a problem hiding this comment.
Use the cert on line 402 so you don't have to parse the pem twice.
There was a problem hiding this comment.
You mean manually parse ClientKeyData and build tls.Certificate via a literal?
It feels like more work and easy to miss some validations that tls.X509KeyPair does
| if err != nil { | ||
| return fmt.Errorf("failed parsing x509 client certificate returned by exec plugin: %v", err) | ||
| } | ||
| if time.Now().After(x509Cert.NotAfter) { |
There was a problem hiding this comment.
are we already checking time client-side elsewhere? this makes us vulnerable to client clock skew
There was a problem hiding this comment.
I don't know if we're checking it elsewhere. It should be kube-apiserver's responsibility to verify cert validity on incoming requests. Could you clarify how this makes us vulnerable?
awly
force-pushed
the
fix-kubelet-exec-plugin-startup
branch
from
97ab95f
to
527b23b
Compare
|
@liggitt @mikedanese PTAL. Turns out we can just set |
| } | ||
| return a.cert() | ||
| if c.TLS.GetCert != nil { | ||
| return errors.New("can't add TLC certificate callback: transport.Config.TLS.GetCert already set") |
awly
force-pushed
the
fix-kubelet-exec-plugin-startup
branch
2 times, most recently
from
e619672
to
7293fab
Compare
Instead of Transport. This fixes ExecPlugin, which fails if restclient.Config.Transport is set.
awly
force-pushed
the
fix-kubelet-exec-plugin-startup
branch
from
7293fab
to
3357b5e
Compare
|
I'm reasonably happy with this. /lgtm |
k8s-ci-robot
added
the
lgtm
|
Moved cert expiry check out to #66632 |
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
k8s-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awly, liggitt, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
/sig cli |
k8s-ci-robot
added
the
sig/cli
What this PR does / why we need it:
This unbreaks ExecPlugin. Without the change, we hit this error
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/transport/transport.go#L32
Release note: