Support pulling requestheader CA from extension-apiserver-authenticat…
…ion ConfigMap without client CA

This commit prevents extension API server from erroring out during bootstrap when the core
API server doesn't support certificate based authentication for its clients, i.e. client-ca isn't
present in extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: kubernetes#65724
rtripat committed Aug 8, 2018
1 parent 8770d12 commit db828a4
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
Expand Up @@ -160,7 +160,11 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,

clientCA, err := s.getClientCA()
if err != nil {
return err
if _, ignorable := err.(ignorableError); !ignorable {
return err
} else {
glog.Warning(err)
}
}
if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
return fmt.Errorf("unable to load client CA file: %v", err)
Expand Down Expand Up @@ -200,7 +204,11 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato

clientCA, err := s.getClientCA()
if err != nil {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
if _, ignorable := err.(ignorableError); !ignorable {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
} else {
glog.Warning(err)
}
}
requestHeader, err := s.getRequestHeader()
if err != nil {
Expand Down Expand Up @@ -240,7 +248,7 @@ func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticati
return nil, err
}
if incluster == nil {
return nil, fmt.Errorf("cluster doesn't provide client-ca-file")
return &s.ClientCert, ignorableError{fmt.Errorf("cluster doesn't provide client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)}
}
return incluster, nil
}
Expand Down Expand Up @@ -394,3 +402,5 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication

return client.TokenReviews(), nil
}

type ignorableError struct{ error }
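Review bot: `getClientCA` now returns a usable value together with a non-nil error (`return &s.ClientCert, ignorableError{...}`), and `ApplyTo` relies on that: after logging the warning it dereferences `clientCA.ClientCA`, so any later `ignorableError` return that carries a nil pointer would panic during bootstrap. Both visible callers do nothing with the ignorable error except log it, so it would be simpler to log inside `getClientCA` and `return &s.ClientCert, nil`, which also removes the duplicated `err.(ignorableError)` block (and its `else` after `return`) from `ApplyTo` and `ToAuthenticationConfig`. If the wrapper type is kept, give it a doc comment stating the contract, e.g. `// ignorableError marks a condition callers may log and continue past; the value returned with it must be non-nil.` The warning is the only signal that client-certificate authentication is unavailable on this server, so the message is worth keeping explicit about which ConfigMap key was missing. The bodies of all three functions extend beyond the hunks shown.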
