openstack verifier: support IPv6

Add IPv6 support to the openstack verifier and polish up a few error messages.

cmd/kops-controller/pkg/server/server.go

@@ -144,7 +144,8 @@ func (s *Server) bootstrap(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		klog.Infof("bootstrap %s verify err: %v", r.RemoteAddr, err)
 		w.WriteHeader(http.StatusForbidden)
-		_, _ = w.Write([]byte(fmt.Sprintf("failed to verify token: %v", err)))
+		// don't return the error; this allows us to have richer errors without security implications
+		_, _ = w.Write([]byte("failed to verify token"))
 		return
 	}
 

upup/pkg/fi/cloudup/openstack/verifier.go

@@ -19,6 +19,7 @@ package openstack
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"strings"
@@ -142,15 +143,18 @@ func (o openstackVerifier) VerifyToken(ctx context.Context, rawRequest *http.Req
 		}
 	}
 	// ensure that request is coming from same machine
-	requestAddr := strings.Split(rawRequest.RemoteAddr, ":")[0]
+	requestAddr, _, err := net.SplitHostPort(rawRequest.RemoteAddr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid remote address %q: %v", rawRequest.RemoteAddr, err)
+	}
 	if !stringInSlice(requestAddr, addrs) {
-		return nil, fmt.Errorf("authentication request address does not match to server addresses")
+		return nil, fmt.Errorf("authentication request address %q does not match server addresses %v", requestAddr, addrs)
 	}
 
 	// check from kubernetes API does the instance already exist
 	_, err = o.kubeClient.CoreV1().Nodes().Get(ctx, instance.Name, v1.GetOptions{})
 	if err == nil {
-		return nil, fmt.Errorf("server is already joined to kubernetes cluster")
+		return nil, fmt.Errorf("server %q is already joined to kubernetes cluster", instance.Name)
 	}
 	if err != nil && !errors.IsNotFound(err) {
 		return nil, fmt.Errorf("got error while querying kubernetes api: %w", err)