
Switch to x509 auth #450

Merged
merged 18 commits into main from dev/x509-auth
May 30, 2024

Conversation

@neoaggelos neoaggelos commented May 29, 2024

Summary

Use a separate CA for client certificates, and switch to x509 auth for all kubeconfigs

Changes

  • Add clusterConfig.Certificates.ClientCA{Cert,Key}
  • Add bootstrapConfig.ClientCA{Cert,Key}
  • Store the client ca (and admin client) certs in the cluster config
  • Generate client certificates for kube-proxy and kubelet when joining worker nodes
  • Generate client certificates for kubernetes components
  • Use x509 cert auth for all generated configs
  • Pass pre-generated client certificates when bootstrapping the node or joining a cluster

Notes

  • If the client ca cert is not set in the cluster config, we return the cluster CA instead (since they used to be the same)
  • We do not yet disable the auth token webhook to ensure a proper migration path for existing clusters
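As an added illustration of the design this PR describes (example code, not code from the k8s-snap project or from the PR), the Go program below keeps a cluster (serving) CA and a separate client CA, issues a client certificate for a kubelet, runs the kind of client-CA check the API server performs to show the certificate is accepted only against the client CA, and renders a kubeconfig that authenticates with the certificate instead of a bearer token. The function names, the worker node name and the server URL are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a constructed, in-memory self-signed CA. The PR keeps two of
// these: the cluster (serving) CA and a separate client CA.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert signs a client-auth certificate. The API server takes the
// user name from CN and groups from O: kube-proxy gets CN=system:kube-proxy,
// a kubelet gets CN=system:node:<name> with O=system:nodes.
func IssueClientCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, groups []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real PKI uses random serials
		Subject:      pkix.Name{CommonName: cn, Organization: groups},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	return der, key, err
}

// AuthenticateClient mimics the API server's client-CA check: the certificate
// must chain to the trusted CA with the client-auth EKU; returns (user, groups).
func AuthenticateClient(certDER []byte, trusted *x509.Certificate) (string, []string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// X509Kubeconfig renders a kubeconfig that authenticates with an embedded client
// certificate instead of a bearer token (the server URL is a placeholder).
func X509Kubeconfig(server string, clusterCADER, certDER []byte, key *ecdsa.PrivateKey) (string, error) {
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	b64 := func(typ string, der []byte) string { // base64 of the PEM block, as the *-data fields expect
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}))
	}
	return fmt.Sprintf("apiVersion: v1\nkind: Config\nclusters:\n- name: k8s\n  cluster:\n    server: %s\n"+
		"    certificate-authority-data: %s\nusers:\n- name: client\n  user:\n    client-certificate-data: %s\n"+
		"    client-key-data: %s\ncontexts:\n- name: k8s\n  context: {cluster: k8s, user: client}\ncurrent-context: k8s\n",
		server, b64("CERTIFICATE", clusterCADER), b64("CERTIFICATE", certDER), b64("EC PRIVATE KEY", keyDER)), nil
}

func main() {
	clusterCA, _, _ := NewCA("kubernetes-ca")
	clientCA, clientKey, _ := NewCA("kubernetes-client-ca")
	der, key, _ := IssueClientCert(clientCA, clientKey, "system:node:worker-1", []string{"system:nodes"})
	fmt.Println(AuthenticateClient(der, clientCA))  // accepted by the client CA
	fmt.Println(AuthenticateClient(der, clusterCA)) // rejected: signed by a different CA
	cfg, _ := X509Kubeconfig("https://10.0.0.1:6443", clusterCA.Raw, der, key)
	fmt.Print(cfg)
}
```

The kubeconfig embeds the cluster CA so the client can verify the server, while the client certificate chains to the client CA that the server trusts; with two distinct CAs, a certificate issued by the serving CA is not accepted as a client identity, which is what the second `AuthenticateClient` call shows. On a cluster where `ClientCA` is not yet set, the fallback described in the Notes above means both lookups return the cluster CA and the two checks would behave the same.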

@neoaggelos neoaggelos requested a review from a team as a code owner May 29, 2024 05:31
@bschimke95 bschimke95 left a comment


LGTM (after tests are passing), great work - only minor nits

Resolved review threads on: src/k8s/api/v1/bootstrap_config.go, src/k8s/cmd/example/main.go
@neoaggelos neoaggelos merged commit b3812bd into main May 30, 2024
13 checks passed
@neoaggelos neoaggelos deleted the dev/x509-auth branch May 30, 2024 17:48
neoaggelos added a commit that referenced this pull request May 30, 2024
* separate client ca
* create useful CompleteWorkerNodePKI tests
* require a client CA to be present for worker nodes
* allow preseeding client certificates through bootstrap and join configs
bschimke95 pushed a commit that referenced this pull request Jun 3, 2024