Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients, i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: https://github.com/kubernetes/kubernetes/issues/65724

Kubernetes-commit: db828a44406efe09e2db91e6dc88d1292c9a29e1
Tripathi 2018-07-18 15:07:09 -07:00 committed by Kubernetes Publisher
parent db69d648bf
commit 4e7be504bf
1 changed files with 13 additions and 3 deletions


@ -160,7 +160,11 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
clientCA, err := s.getClientCA()
if err != nil {
return err
if _, ignorable := err.(ignorableError); !ignorable {
return err
} else {
glog.Warning(err)
}
}
if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
return fmt.Errorf("unable to load client CA file: %v", err)
@ -200,7 +204,11 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato
clientCA, err := s.getClientCA()
if err != nil {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
if _, ignorable := err.(ignorableError); !ignorable {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
} else {
glog.Warning(err)
}
}
requestHeader, err := s.getRequestHeader()
if err != nil {
@ -240,7 +248,7 @@ func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticati
return nil, err
}
if incluster == nil {
return nil, fmt.Errorf("cluster doesn't provide client-ca-file")
return &s.ClientCert, ignorableError{fmt.Errorf("cluster doesn't provide client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)}
}
return incluster, nil
}
@ -394,3 +402,5 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication
return client.TokenReviews(), nil
}
type ignorableError struct{ error }
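Review bot: The ignorable path in ApplyTo and ToAuthenticationConfig reduces a missing client CA to a single `glog.Warning(err)` and then continues with clientCA pointing at s.ClientCert (whose ClientCA is presumably empty at that point), so the server starts without client-certificate authentication and nothing in the code documents when that downgrade is acceptable. The new `ignorableError` type at the end of the file is the place to say it; I would add `// ignorableError marks a failure that callers log and continue past; wrap only conditions where running without client-certificate authentication is acceptable.` above it. The check `err.(ignorableError)` is a direct type assertion, so it stops matching if the error is wrapped anywhere between getClientCA and the caller, and a short comment in getClientCA noting this would prevent the fallback from turning into a hard failure later. As a style point, the `else` after `return err` can be dropped in both callers, leaving `glog.Warning(err)` directly after the `if`. All three functions begin and end outside the hunks shown, so the early-return paths before `if incluster == nil` could not be checked.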