Skip to content

Validate kubeconfig files in case of external CA mode #70537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 2 commits into from
Nov 5, 2018
Merged

Validate kubeconfig files in case of external CA mode #70537

k8s-ci-robot merged 2 commits into from
Nov 5, 2018

Conversation

@yagonobre
Copy link
Member

@yagonobre yagonobre commented Nov 1, 2018
edited
Loading

What type of PR is this?
/kind bug
What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#1203

Does this PR introduce a user-facing change?:

kubeadm: validate kubeconfig files in case of external CA mode.

/assign @timothysc
/assign @fabriziopandini

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 1, 2018
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 1, 2018
@neolit123
Copy link
Member

neolit123 commented Nov 1, 2018

@yagonobre thanks.
please use this format for the release note:

kubeadm: validate kubeconfig files in case of external CA mode.

@neolit123
Copy link
Member

neolit123 commented Nov 1, 2018

/priority important-longterm
(?)

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 1, 2018
neolit123
neolit123 reviewed Nov 1, 2018
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on a quick look.
added two minor nits.

cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go Outdated
Copy link
Member

@neolit123 neolit123 Nov 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can be done as follows, optionally:

if !os.IsNotExist(err) {
	return err
}
...

cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go Outdated
Copy link
Member

@neolit123 neolit123 Nov 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"%s" -> "%q"

@yagonobre
Copy link
Member Author

yagonobre commented Nov 1, 2018

@neolit123 done

@neolit123
Copy link
Member

neolit123 commented Nov 1, 2018

/ok-to-test

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 1, 2018
timothysc
timothysc reviewed Nov 1, 2018
View reviewed changes
cmd/kubeadm/app/cmd/phases/kubeconfig.go Outdated
Copy link
Contributor

@timothysc timothysc Nov 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this new behavior covered either directly or indirectly in the _tests file?

/assign @fabriziopandini

Copy link
Member Author

@yagonobre yagonobre Nov 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not yet, I'll update the tests tomorrow.

fabriziopandini
fabriziopandini reviewed Nov 2, 2018
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre thanks for this PR, this is definitely a step in the right direction!

However, IMO we should change where the validation is triggered in order to fail as soon as possible in case we are in external CA mode (certificate authority certs existing without keys), but without all proper certificates and kubeconfig file in places.

In order to do so, I think that the kubeconfig validation should happen before, ideally when building ìnitData/inside theexternalCA` function here. wdyt?

@timothysc @neolit123 opinions?

@neolit123
Copy link
Member

neolit123 commented Nov 2, 2018

In order to do so, I think that the kubeconfig validation should happen before, ideally when building ìnitData/inside theexternalCA` function here. wdyt?

+1

@neolit123
Copy link
Member

neolit123 commented Nov 2, 2018

@fabriziopandini
@yagonobre reported in slack that golint is not happy with kubeconfig.KubeConfigSpec it should be called kubeconfig.Spec. the alternative is to use hack/.golint_failures.

options:

  1. try SpecKubeConfig
  2. move to Spec
  3. modify hack/.golint_failures

my vote is to try 1, then 2.

@fabriziopandini
Copy link
Member

fabriziopandini commented Nov 2, 2018

@neolit123 @yagonobre IMO KubeConfigSpec struct should not be changed to public, but instead, a new func ValidateKubeconfigsForExternalCA should be exposed and then invoked by ExternalCA
(my comments above/on the issue are on the same line too)

@yagonobre
Copy link
Member Author

yagonobre commented Nov 2, 2018

@fabriziopandini make senses, I'll update soon

@yagonobre yagonobre force-pushed the validate-kubeconfig branch from 26f5cd4 to 315002d Compare November 3, 2018 03:13
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 3, 2018
@yagonobre yagonobre force-pushed the validate-kubeconfig branch from 315002d to a5cf391 Compare November 3, 2018 03:17
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 3, 2018
@yagonobre yagonobre force-pushed the validate-kubeconfig branch from a5cf391 to 0b991fc Compare November 3, 2018 03:24
fabriziopandini
fabriziopandini approved these changes Nov 4, 2018
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre thanks for this update to this PR!
IMO this is ready to merge as soon as the new ValidateKubeconfigsForExternalCA func is covered by tests as required by @timothysc
/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 4, 2018
@yagonobre yagonobre force-pushed the validate-kubeconfig branch from 0b991fc to e7623b2 Compare November 4, 2018 20:50
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 4, 2018
@yagonobre
Copy link
Member Author

yagonobre commented Nov 4, 2018

Updated with some tests

@yagonobre yagonobre force-pushed the validate-kubeconfig branch from e7623b2 to eb49aa4 Compare November 4, 2018 20:52
@yagonobre yagonobre force-pushed the validate-kubeconfig branch from eb49aa4 to e1320bb Compare November 4, 2018 20:58
@yagonobre
Copy link
Member Author

yagonobre commented Nov 4, 2018

/test pull-kubernetes-e2e-gce-100-performance
/test pull-kubernetes-kubemark-e2e-gce-big

timothysc
timothysc approved these changes Nov 5, 2018
View reviewed changes
Copy link
Contributor

@timothysc timothysc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 5, 2018
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 5, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, timothysc, yagonobre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@neolit123
Copy link
Member

neolit123 commented Nov 5, 2018

/retest

1 similar comment
@neolit123
Copy link
Member

neolit123 commented Nov 5, 2018

/retest

@k8s-ci-robot k8s-ci-robot merged commit faed5aa into kubernetes:master Nov 5, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liztio liztio Awaiting requested review from liztio

3 more reviewers

@neolit123 neolit123 neolit123 left review comments

@timothysc timothysc timothysc approved these changes

@fabriziopandini fabriziopandini fabriziopandini approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@timothysc timothysc

@fabriziopandini fabriziopandini

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing validation of kubeconfig files in case of external CA mode

5 participants

@yagonobre @neolit123 @fabriziopandini @k8s-ci-robot @timothysc