Add Controller configuration to specify client CA #4664
Updated manifest to include the added configuration item.
Force-pushed from a5700d1 to 2061b31.
Codecov Report
@@ Coverage Diff @@
##             main    #4664      +/-   ##
==========================================
- Coverage   71.95%   68.83%   -3.12%
==========================================
  Files         406      403       -3
  Lines       60766    59781     -985
==========================================
- Hits        43723    41153    -2570
- Misses      14113    15782    +1669
+ Partials     2930     2846      -84
This pull request uses carry forward flags.
LGTM. @tnqn should review too.
LGTM, a comment on the configuration placement.
apiserverAuthentication: | ||
{{- with .Values.apiserverAuthentication }} | ||
clientCAFile: {{ .clientCAFile | quote }} | ||
{{- end }} |
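Review bot: as written, an unset .Values.apiserverAuthentication renders a bare "apiserverAuthentication:" key with no value, because the "{{- with }}" guard wraps only the nested clientCAFile line and not the parent key. Either move the parent key inside the with block, or drop the extra nesting altogether and place clientCAFile beside tlsCipherSuites and tlsMinVersion at the root, which also avoids the placement concern raised below.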
I feel apiserverAuthentication is too narrow a scope, which can hardly group other configurations. It could just be apiserver, or in the root group directly, given apiserver is a generic component and not specific to one feature, and the other similar configurations tlsCipherSuites, tlsMinVersion are already in the root group.
updated.
Force-pushed from 86490e1 to 8fa141c.
pkg/config/controller/config.go (outdated)
@@ -69,6 +69,9 @@ type ControllerConfig struct { | |||
IPsecCSRSignerConfig IPsecCSRSignerConfig `yaml:"ipsecCSRSigner"` | |||
// Multicluster configuration options. | |||
Multicluster MulticlusterConfig `yaml:"multicluster,omitempty"` | |||
// APIServerClientCAFile is the file path of the certificate bundle for all the signers that is recognized for incoming | |||
// client certificates. | |||
APIServerClientCAFile string `yaml:"apiserverClientCAFile,omitempty"` |
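Review bot: the doc comment on APIServerClientCAFile should state what an empty value means; the PR description says the controller otherwise takes the client CA from the kube-system/extension-apiserver-authentication ConfigMap, and whether that fallback still applies is exactly what a reader of the struct needs to know. The wording "all the signers that is recognized" should read "that are recognized", and since the field concerns the apiserver it belongs next to TLSMinVersion rather than after Multicluster.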
Move it under TLSMinVersion which is also related to apiserver.
updated
@@ -74,6 +74,10 @@ tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }} | |||
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. | |||
tlsMinVersion: {{ .Values.tlsMinVersion | quote }} | |||
|
|||
# File path of the certificate bundle for all the signers that is recognized for incoming client | |||
# certificates. | |||
apiserverClientCAFile: {{ .Values.apiserverClientCAFile | quote }} |
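Review bot: the comment above apiserverClientCAFile should say that the path is resolved inside the antrea-controller container, so the bundle has to be mounted into the Pod, and what leaving the value empty means, in the same way the tlsMinVersion comment above lists its accepted values. The key name is also inconsistent with its neighbours: tlsMinVersion and tlsCipherSuites carry no apiserver prefix, so clientCAFile would match the existing style.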
Like we don't name the other similar configurations apiserverTLSMinVersion, it could just be clientCAFile; I think there is no ambiguity that this is for client authentication.
updated.
Force-pushed from 8fa141c to 483581c.
Code LGTM but you need to make -C build/charts/ helm-docs
In the existing logic, Antrea Controller retrieves the client CA from ConfigMap kube-system/extension-apiserver-authentication, which is published by kube-apiserver. In some cases, the incoming connection is from the client with a certificate signed by a different CA bundle. This patch adds a configuration in antrea-controller to allow user to specify the client CA. Antrea Controller will use it to validate the incoming client certificate in a mTLS connection. Signed-off-by: wenyingd <wenyingd@vmware.com>
Force-pushed from 483581c to fecb91e.
/test-all
@jianjuns I suggested a minor update on the configuration placement. Please let us know if it makes sense to you.
Works for me.
In the current implementation, Antrea Controller retrieves the client CA from ConfigMap kube-system/extension-apiserver-authentication, which is published by kube-apiserver. In some use cases, the incoming connection is from a client with a certificate signed by a different CA bundle. This patch adds a configuration parameter for antrea-controller that allows users to specify the client CA. Antrea Controller will use it to validate the incoming client certificate in a TLS connection. Signed-off-by: wenyingd <wenyingd@vmware.com>
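The behaviour the PR description is about, as an added Go example that is not Antrea's code: a client certificate issued by a CA other than the one kube-apiserver publishes fails verification against the default client CA and passes once a configured client CA is used. All certificates are constructed in-process; newCert, clientCAPool and verifyClientCert are hypothetical helpers, and treating the configured CA as a replacement for the kube-apiserver one is an assumption about the option's semantics.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert builds a constructed in-process certificate: a self-signed CA when isCA is set, otherwise a client cert issued by caCert/caKey.
func newCert(name string, isCA bool, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // on CA and client, so Go's chain EKU check passes
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		caCert, caKey = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientCAPool models the new option (assumed semantics, not Antrea's code): a configured CA replaces the kube-apiserver-published one.
func clientCAPool(configured, kubeAPIServerCA *x509.Certificate) *x509.CertPool {
	if configured == nil {
		configured = kubeAPIServerCA // fallback: CA from kube-system/extension-apiserver-authentication
	}
	pool := x509.NewCertPool()
	pool.AddCert(configured)
	return pool
}

// verifyClientCert is the check a server applies to a presented client certificate under tls.RequireAndVerifyClientCert.
func verifyClientCert(pool *x509.CertPool, cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	kubeCA, _ := newCert("kube-apiserver-ca", true, nil, nil)
	customCA, customKey := newCert("custom-ca", true, nil, nil)
	client, _ := newCert("antrea-client", false, customCA, customKey) // signed by a different CA bundle
	fmt.Println("kube-apiserver CA only:", verifyClientCert(clientCAPool(nil, kubeCA), client))
	fmt.Println("configured client CA:  ", verifyClientCert(clientCAPool(customCA, kubeCA), client))
}
```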