From 95ee8d4df49aadfc376191b702044024e857de0b Mon Sep 17 00:00:00 2001
From: Jefftree
Date: Mon, 3 Feb 2020 19:54:41 -0800
Subject: [PATCH] Support empty root CA for konnectivity
Kubernetes-commit: 55b89a6451d253532ede0736d7bc8af62f396596
---
 pkg/apis/apiserver/types.go | 13 +++++++------
 pkg/apis/apiserver/v1alpha1/types.go | 10 +++++-----
 pkg/server/egressselector/config.go | 17 +++++++----------
 pkg/server/egressselector/egress_selector.go | 18 +++++++++++-------
 4 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/pkg/apis/apiserver/types.go b/pkg/apis/apiserver/types.go
index d6fe4e993..f4d93d577 100644
--- a/pkg/apis/apiserver/types.go
+++ b/pkg/apis/apiserver/types.go
@@ -114,13 +114,13 @@ type TCPTransport struct {
 // TLSConfig is the config needed to use TLS when connecting to konnectivity server
 // +optional
-TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
+TLSConfig *TLSConfig
 }
 // UDSTransport provides the information to connect to konnectivity server via UDS
 type UDSTransport struct {
 // UDSName is the name of the unix domain socket to connect to konnectivity server
-// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket)
+// This does not use a unix:// prefix. (Eg: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket)
 UDSName string
 }
@@ -129,22 +129,23 @@ type UDSTransport struct {
 type TLSConfig struct {
 // caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
 // Must be absent/empty HTTPConnect using the plain http
-// Must be configured for HTTPConnect using the https protocol
+// If absent while using the HTTPConnect protocol with HTTPS
+// default to system trust roots
 // Misconfiguration will cause an error
 // +optional
-CABundle string `json:"caBundle,omitempty"`
+CABundle string
 // clientKey is the file location of the client key to authenticate with the konnectivity server
 // Must be absent/empty HTTPConnect using the plain http
 // Must be configured for HTTPConnect using the https protocol
 // Misconfiguration will cause an error
 // +optional
-ClientKey string `json:"clientKey,omitempty"`
+ClientKey string
 // clientCert is the file location of the client certificate to authenticate with the konnectivity server
 // Must be absent/empty HTTPConnect using the plain http
 // Must be configured for HTTPConnect using the https protocol
 // Misconfiguration will cause an error
 // +optional
-ClientCert string `json:"clientCert,omitempty"`
+ClientCert string
 }
diff --git a/pkg/apis/apiserver/v1alpha1/types.go b/pkg/apis/apiserver/v1alpha1/types.go
index e561017e2..2fdbcd060 100644
--- a/pkg/apis/apiserver/v1alpha1/types.go
+++ b/pkg/apis/apiserver/v1alpha1/types.go
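Review bot: The two added caBundle comment lines say `default to system trust roots` without saying what that means for verification: with CABundle empty, the konnectivity server certificate is presumably checked against the apiserver host's root CA set instead of a pinned bundle, so the host trust store becomes part of the apiserver's trust boundary and operators should know that. Suggest replacing the two added lines with `// If absent while using the HTTPConnect protocol with HTTPS,` and `// the host's system trust roots are used to verify the konnectivity server`. The v1alpha1 TLSConfig hunk in the next file carries the same wording and should get the same change.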
@@ -110,17 +110,17 @@ type Transport struct {
 type TCPTransport struct {
 // URL is the location of the konnectivity server to connect to.
 // As an example it might be "https://127.0.0.1:8131"
-URL string
+URL string `json:"url,omitempty"`
 // TLSConfig is the config needed to use TLS when connecting to konnectivity server
 // +optional
-TLSConfig *TLSConfig
+TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
 }
 // UDSTransport provides the information to connect to konnectivity server via UDS
 type UDSTransport struct {
 // UDSName is the name of the unix domain socket to connect to konnectivity server
-UDSName string
+UDSName string `json:"udsName,omitempty"`
 }
 // TLSConfig provides the authentication information to connect to konnectivity server
@@ -128,14 +128,14 @@ type UDSTransport struct {
 type TLSConfig struct {
 // caBundle is the file location of the CA to be used to determine trust with the konnectivity server.
 // Must be absent/empty HTTPConnect using the plain http
-// Must be configured for HTTPConnect using the https protocol
+// If absent while using the HTTPConnect protocol with HTTPS
+// default to system trust roots
 // Misconfiguration will cause an error
 // +optional
 CABundle string `json:"caBundle,omitempty"`
 // clientKey is the file location of the client key to be used in mtls handshakes with the konnectivity server.
 // Must be absent/empty HTTPConnect using the plain http
-// Must be configured for HTTPConnect using the https protocol
 // Misconfiguration will cause an error
 // +optional
 ClientKey string `json:"clientKey,omitempty"`
diff --git a/pkg/server/egressselector/config.go b/pkg/server/egressselector/config.go
index 2cf06a4e0..77e457363 100644
--- a/pkg/server/egressselector/config.go
+++ b/pkg/server/egressselector/config.go
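Review bot: The clientKey doc in the second hunk drops `// Must be configured for HTTPConnect using the https protocol` while the internal TLSConfig in pkg/apis/apiserver/types.go keeps that line for ClientKey, and validateTCPConnection in config.go still rejects an empty ClientCert in this same patch; only the CA bundle became optional. The external and internal types should state the same contract, so either restore the removed line here or drop it in both places. Whether validation also rejects an empty ClientKey is not visible in this patch, and the clientCert field of this struct lies outside the hunk.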
@@ -148,16 +148,13 @@ func validateTCPConnection(connection apiserver.Connection, fldPath *field.Path)
 "nil",
 "TLSConfig config should be present for HTTPConnect via tcp"))
 } else if strings.HasPrefix(connection.Transport.TCP.URL, "https://") {
-if connection.Transport.TCP.TLSConfig.CABundle == "" {
-allErrs = append(allErrs, field.Invalid(
-fldPath.Child("tlsConfig", "caBundle"),
-"nil",
-"HTTPConnect via https requires caBundle"))
-} else if exists, err := path.Exists(path.CheckFollowSymlink, connection.Transport.TCP.TLSConfig.CABundle); exists == false || err != nil {
-allErrs = append(allErrs, field.Invalid(
-fldPath.Child("tlsConfig", "caBundle"),
-connection.Transport.TCP.TLSConfig.CABundle,
-"HTTPConnect ca bundle does not exist"))
+if connection.Transport.TCP.TLSConfig.CABundle != "" {
+if exists, err := path.Exists(path.CheckFollowSymlink, connection.Transport.TCP.TLSConfig.CABundle); exists == false || err != nil {
+allErrs = append(allErrs, field.Invalid(
+fldPath.Child("tlsConfig", "caBundle"),
+connection.Transport.TCP.TLSConfig.CABundle,
+"HTTPConnect ca bundle does not exist"))
+}
+}
 }
 if connection.Transport.TCP.TLSConfig.ClientCert == "" {
 allErrs = append(allErrs, field.Invalid(
diff --git a/pkg/server/egressselector/egress_selector.go b/pkg/server/egressselector/egress_selector.go
index 919741d78..b528dd7ae 100644
--- a/pkg/server/egressselector/egress_selector.go
+++ b/pkg/server/egressselector/egress_selector.go
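Review bot: The re-nested existence check keeps `exists == false || err != nil` and reports both outcomes as `HTTPConnect ca bundle does not exist`, so a path.Exists failure (for example a permission error) is presented as a missing file and the underlying error is dropped. Prefer `if exists, err := path.Exists(path.CheckFollowSymlink, connection.Transport.TCP.TLSConfig.CABundle); err != nil || !exists {` and append err.Error() to the detail string when err is non-nil. Now that an empty caBundle passes validation for https, a comment above the new `if`, e.g. `// an empty caBundle means the host's system trust roots are used for the konnectivity server`, would make the deliberate fallback visible at the point where it is accepted. validateTCPConnection starts and continues outside the hunk.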
@@ -138,13 +138,17 @@ func createConnectTCPDialer(tcpTransport *apiserver.TCPTransport) (utilnet.DialF
 return nil, fmt.Errorf("failed to read key pair %s & %s, got %v", clientCert, clientKey, err)
 }
 certPool := x509.NewCertPool()
-certBytes, err := ioutil.ReadFile(caCert)
-if err != nil {
-return nil, fmt.Errorf("failed to read cert file %s, got %v", caCert, err)
-}
-ok := certPool.AppendCertsFromPEM(certBytes)
-if !ok {
-return nil, fmt.Errorf("failed to append CA cert to the cert pool")
+if caCert != "" {
+certBytes, err := ioutil.ReadFile(caCert)
+if err != nil {
+return nil, fmt.Errorf("failed to read cert file %s, got %v", caCert, err)
+}
+ok := certPool.AppendCertsFromPEM(certBytes)
+if !ok {
+return nil, fmt.Errorf("failed to append CA cert to the cert pool")
+}
+} else {
+certPool = nil
 }
 contextDialer := func(ctx context.Context, network, addr string) (net.Conn, error) {
 klog.V(4).Infof("Sending request to %q.", addr)
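Review bot: `certPool := x509.NewCertPool()` still allocates a pool that the new else branch immediately discards, and the system-root fallback is visible only as the bare `certPool = nil`. Declare `var certPool *x509.CertPool // nil: crypto/tls falls back to the host's root CA set` before the if, move `certPool = x509.NewCertPool()` inside the `if caCert != ""` block, and drop the else. Because this path now trusts whatever is in the host's root store, a `klog.V(4).Infof` line noting that no caBundle was configured would make the choice visible when debugging a handshake failure. createConnectTCPDialer begins and continues outside the hunk, and how certPool is consumed afterwards (presumably as the RootCAs of a tls.Config) is not visible here.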