
✨ Envtest exports rest.Config for the secure endpoint of kube-apiserver #984

Conversation

everpeace

@everpeace everpeace commented Jun 6, 2020

fixes #983

This PR added:

  • internal.integration.APIServer: expose TLSClientConfig to connect to its secure endpoint
  • envtest.Environment: introduce SecureConfig that just contains kube-apiserver's secure endpoint and its TLSClientConfig.

Note: To work with SecureConfig, users will have to set authn information like this.

import (
  "k8s.io/client-go/rest"
  "sigs.k8s.io/controller-runtime/pkg/client"
  "sigs.k8s.io/controller-runtime/pkg/envtest"
)

te := &envtest.Environment{
  KubeAPIServerFlags: append(
    envtest.DefaultKubeAPIServerFlags,
    "--basic-auth-file=my-file", "--authorization-mode=RBAC",
  ),
}
if _, err := te.Start(); err != nil {
  panic(err)
}

cfg := rest.CopyConfig(te.SecureConfig)
cfg.Username = "myname"
cfg.Password = "mypassword"

// This client can send a request as "myname" user.
c, err := client.New(cfg, client.Options{})
if err != nil {
  panic(err)
}

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 6, 2020
@k8s-ci-robot
Contributor

Welcome @everpeace!

It looks like this is your first PR to kubernetes-sigs/controller-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 6, 2020
@k8s-ci-robot
Contributor

Hi @everpeace. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 6, 2020
@everpeace everpeace changed the title :sparkles Envtest exports rest.Config for the secure endpoint of kube-apiserver ✨ Envtest exports rest.Config for the secure endpoint of kube-apiserver Jun 6, 2020
@everpeace
Author

/assign @droot

@vincepri
Member

/assign @alvaroaleman @DirectXMan12

@james-w

james-w commented Jul 29, 2020

Hi, I also had a need to do this, so I am using this branch and it is working well for me, thanks.

@vincepri
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 29, 2020
@everpeace everpeace force-pushed the envtest-exports-tlsconfig-for-kubeapiserver branch from 7db3b83 to 034f8e3 Compare July 29, 2020 16:15
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everpeace
To complete the pull request process, please assign alvaroaleman
You can assign the PR to them by writing /assign @alvaroaleman in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 29, 2020
Please note that this just contains the secure endpoint itself and its CA
certs. Users will have to set authentication information themselves
and configure some authn module in kube-apiserver.
@everpeace everpeace force-pushed the envtest-exports-tlsconfig-for-kubeapiserver branch from 034f8e3 to 7dd198f Compare July 29, 2020 16:24
@DirectXMan12
Contributor

I'm tempted to approve this as-is (it looks pretty reasonable), but it's also kind of a half-measure, due to forcing folks to override the apiserver flags, etc. Can we think of a good way around that? I've got a pretty complicated prototype hanging around over at #645 -- maybe we could adapt/simplify that?

@james-w

james-w commented Aug 18, 2020

Yeah, it's a half-measure for testing with auth, but at least this allows for that testing to take place. Without this change users would have to resort to horrible hacks to get access to the secure port, even with overriding auth apiserver flags. What about merging this to at least make it possible to do these things, and then look at improvements to make it a better experience?

@everpeace
Author

I agree that it's kind of a half-measure and this should be simpler. However, as james pointed out, users currently have heavy pain accessing a secure endpoint. So, I would like to add 👍 to james' idea. WDYT?

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 19, 2020
@everpeace
Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 19, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 17, 2021
@everpeace
Author

/lifecycle stale

Member

@alvaroaleman alvaroaleman left a comment

I am very sorry this didn't get any attention for so long, it appears I missed it in my queue :(

// te := &envtest.Environment{
// KubeAPIServerFlags: append(
// envtest.DefaultKubeAPIServerFlags,
// "--basic-auth-file=my-file", "--authorization-mode=RBAC",
Member

@everpeace what about extending envtest to generate a token-auth-file with a token that is a member of the system:masters group so this just works by default?

Also, a test would be great 🙃

If you do not have time to pick that up, we can also merge this as-is and I will address my comments in a follow-up.
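The review comment above suggests having envtest generate a token-auth-file with a system:masters user, and the PR description wires the same SecureConfig up with --basic-auth-file (which kube-apiserver removed in Kubernetes 1.19, so on current versions the token file is the route that still works). The block below is an added example, not code from this PR or from controller-runtime: it builds that file for an admin user plus any extra test users with the groups they should carry, writes it with owner-only permissions because it holds bearer tokens, and returns the flags to append to the default apiserver flags. The function names, the file name token-auth.csv and the sample users are this example's own; envtest and client-go are not imported, and the envtest wiring is shown in a comment.

```go
package main

import (
	"crypto/rand"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// TokenUser is one row of a kube-apiserver --token-auth-file. The file is CSV,
// token,user,uid,"group1,group2", and the fourth (groups) column is optional.
type TokenUser struct {
	Token  string
	Name   string
	UID    string
	Groups []string
}

// NewRandomToken returns a 256-bit hex bearer token from crypto/rand, so the
// secret written to disk is never a guessable literal.
func NewRandomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// TokenAuthFileContents renders the CSV body kube-apiserver expects. Groups are
// joined with commas in a single field; encoding/csv quotes that field for us.
func TokenAuthFileContents(users []TokenUser) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	for _, u := range users {
		if u.Token == "" || u.Name == "" {
			return "", fmt.Errorf("token-auth-file row for %q: token and user name are required", u.Name)
		}
		uid := u.UID
		if uid == "" {
			uid = u.Name // the apiserver requires three columns; reuse the name as uid
		}
		rec := []string{u.Token, u.Name, uid}
		if len(u.Groups) > 0 {
			rec = append(rec, strings.Join(u.Groups, ","))
		}
		if err := w.Write(rec); err != nil {
			return "", err
		}
	}
	w.Flush()
	return sb.String(), w.Error()
}

// WriteTokenAuthFile writes the file 0600 (it holds bearer tokens) into dir and
// returns its path. The file name is this example's choice.
func WriteTokenAuthFile(dir string, users []TokenUser) (string, error) {
	body, err := TokenAuthFileContents(users)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "token-auth.csv")
	if err := os.WriteFile(path, []byte(body), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// KubeAPIServerAuthFlags returns the flags to append to
// envtest.DefaultKubeAPIServerFlags: honour the token file and enforce RBAC.
func KubeAPIServerAuthFlags(tokenFile string) []string {
	return []string{"--token-auth-file=" + tokenFile, "--authorization-mode=RBAC"}
}

// Wiring into envtest, as a comment since envtest/client-go are not imported:
//   te := &envtest.Environment{KubeAPIServerFlags: append(envtest.DefaultKubeAPIServerFlags, KubeAPIServerAuthFlags(path)...)}
//   cfg := rest.CopyConfig(te.SecureConfig); cfg.BearerToken = adminToken // "admin", system:masters
func main() {
	adminToken, err := NewRandomToken()
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "envtest-auth")
	if err != nil {
		panic(err)
	}
	path, err := WriteTokenAuthFile(dir, []TokenUser{{Token: adminToken, Name: "admin", Groups: []string{"system:masters"}}})
	if err != nil {
		panic(err)
	}
	fmt.Println(KubeAPIServerAuthFlags(path))
}
```

Because the token file is read once at apiserver start, every user a test needs (including the ones with specific groups raised later in this thread) has to be in the file before envtest starts; the admin token then goes into rest.Config.BearerToken on a copy of SecureConfig.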

Author

@alvaroaleman Thank you for your review!!

If you do not have time to pick that up, we can also merge this as-is and I will address my comments in a follow-up.

sorry... I couldn't spare time for this currently. I'd be very glad if we went this way 🙇 🙇

Contributor

@alvaroaleman As I understand it, your suggestion is just to provide a static user in the token-auth-file? I think it would be better to have an option to add individual users (maybe in addition to a default) so that you can specify particular groups that the user may be a member of.

One example of where this may be useful is testing CSRs, where the API server uses the requesting party's credentials to become part of the CSR request. Typically here you'd want to be able to specify the exact groups that the user belongs to, to be able to get the right groups plumbed into that CSR.

Member

@JoelSpeed you can just create a SA and then use impersonation for that. @DirectXMan12 is working on an updated version of this afaik
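Impersonation, as suggested in the comment above, shown at the wire level as an added example (not client-go's or controller-runtime's code): setting rest.Config.Impersonate in client-go makes the client send Impersonate-User, Impersonate-Group and Impersonate-Uid headers, and kube-apiserver only honours them if the authenticated caller (here, the test's admin identity) is allowed the impersonate verb on the matching users, groups, uids or serviceaccounts resource. That is what lets a test act as a user with exactly the groups a CSR should carry without adding that user to any auth file. The ImpersonationConfig and Permission types, the round tripper and the httptest stand-in for the apiserver are this example's own; the uid header is honoured by Kubernetes 1.22 and newer.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ImpersonationConfig is this example's own type; client-go carries the same
// fields in rest.ImpersonationConfig and installs an equivalent round tripper
// when rest.Config.Impersonate is set.
type ImpersonationConfig struct {
	UserName string
	UID      string // sent as Impersonate-Uid; honoured by Kubernetes 1.22+
	Groups   []string
}

// Permission is one resource/name the authenticated caller must be allowed the
// "impersonate" verb on; the apiserver runs one authorization check per
// impersonation header before it swaps the request's user info.
type Permission struct {
	Resource  string
	Namespace string // only for serviceaccounts
	Name      string
}

// RequiredPermissions lists the RBAC rules the impersonating identity needs.
func RequiredPermissions(cfg ImpersonationConfig) []Permission {
	var perms []Permission
	if p := strings.SplitN(cfg.UserName, ":", 4); len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" {
		perms = append(perms, Permission{Resource: "serviceaccounts", Namespace: p[2], Name: p[3]})
	} else {
		perms = append(perms, Permission{Resource: "users", Name: cfg.UserName})
	}
	for _, g := range cfg.Groups {
		perms = append(perms, Permission{Resource: "groups", Name: g})
	}
	if cfg.UID != "" {
		perms = append(perms, Permission{Resource: "uids", Name: cfg.UID})
	}
	return perms
}

// impersonatingRoundTripper adds the Impersonate-* headers to every request.
type impersonatingRoundTripper struct {
	cfg  ImpersonationConfig
	next http.RoundTripper
}

// NewImpersonatingRoundTripper wraps next (http.DefaultTransport when nil). A
// user name is mandatory: the apiserver rejects group or uid impersonation
// that does not also name a user.
func NewImpersonatingRoundTripper(cfg ImpersonationConfig, next http.RoundTripper) (http.RoundTripper, error) {
	if cfg.UserName == "" {
		return nil, fmt.Errorf("impersonation: UserName is required")
	}
	if next == nil {
		next = http.DefaultTransport
	}
	return &impersonatingRoundTripper{cfg: cfg, next: next}, nil
}

func (rt *impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Impersonate-User", rt.cfg.UserName)
	r.Header.Del("Impersonate-Uid")
	if rt.cfg.UID != "" {
		r.Header.Set("Impersonate-Uid", rt.cfg.UID)
	}
	r.Header.Del("Impersonate-Group") // replace, never merge with, caller-supplied groups
	for _, g := range rt.cfg.Groups {
		r.Header.Add("Impersonate-Group", g) // one header value per group
	}
	return rt.next.RoundTrip(r)
}

// CaptureImpersonationHeaders sends one GET through the round tripper to an
// httptest stand-in for the apiserver that only records what arrived, and
// returns those request headers.
func CaptureImpersonationHeaders(cfg ImpersonationConfig, path string) (http.Header, error) {
	seen := make(chan http.Header, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	rt, err := NewImpersonatingRoundTripper(cfg, srv.Client().Transport)
	if err != nil {
		return nil, err
	}
	resp, err := (&http.Client{Transport: rt}).Get(srv.URL + path)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	cfg := ImpersonationConfig{UserName: "jane", UID: "u-1", Groups: []string{"developers", "csr-requesters"}}
	for _, p := range RequiredPermissions(cfg) {
		fmt.Printf("impersonate %s %q\n", p.Resource, p.Name)
	}
	h, err := CaptureImpersonationHeaders(cfg, "/apis/certificates.k8s.io/v1/certificatesigningrequests")
	if err != nil {
		panic(err)
	}
	fmt.Println(h.Get("Impersonate-User"), h.Values("Impersonate-Group"))
}
```

A system:masters identity passes every one of the listed checks, which is why a default admin token plus impersonation covers the per-user-groups case; a less privileged test identity needs a ClusterRole granting impersonate on exactly the users, groups and uids it will claim.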

@lobziik
Member

lobziik commented Mar 18, 2021

Works well for me. I applied this patch on 0.8.2 release, works as expected.
Would be awesome to have it merged!

@everpeace
Author

/close
because of #1486 .

@everpeace everpeace closed this Apr 21, 2021
@everpeace everpeace deleted the envtest-exports-tlsconfig-for-kubeapiserver branch April 21, 2021 06:32
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
10 participants