Unverified Commit 446eef54 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #66394 from rtripat/i-65724

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA This commit prevents extension API server from erroring out during bootstrap when the core API server doesn't support certificate based authentication for it's clients i.e. client-ca isn't present in extension-apiserver-authentication ConfigMap in kube-system. This can happen in cluster setups where core API server uses Webhook token authentication. Fixes: https://github.com/kubernetes/kubernetes/issues/65724 **Which issue(s) this PR fixes** Fixes #65724 **Special notes for your reviewer**: **Release note**: ```release-note Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients ```
parents 6800f9e1 db828a44
...@@ -160,7 +160,11 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo, ...@@ -160,7 +160,11 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
clientCA, err := s.getClientCA() clientCA, err := s.getClientCA()
if err != nil { if err != nil {
return err if _, ignorable := err.(ignorableError); !ignorable {
return err
} else {
glog.Warning(err)
}
} }
if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil { if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
...@@ -200,7 +204,11 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato ...@@ -200,7 +204,11 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato
clientCA, err := s.getClientCA() clientCA, err := s.getClientCA()
if err != nil { if err != nil {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err if _, ignorable := err.(ignorableError); !ignorable {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
} else {
glog.Warning(err)
}
} }
requestHeader, err := s.getRequestHeader() requestHeader, err := s.getRequestHeader()
if err != nil { if err != nil {
...@@ -240,7 +248,7 @@ func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticati ...@@ -240,7 +248,7 @@ func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticati
return nil, err return nil, err
} }
if incluster == nil { if incluster == nil {
return nil, fmt.Errorf("cluster doesn't provide client-ca-file") return &s.ClientCert, ignorableError{fmt.Errorf("cluster doesn't provide client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)}
} }
return incluster, nil return incluster, nil
} }
...@@ -394,3 +402,5 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication ...@@ -394,3 +402,5 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication
return client.TokenReviews(), nil return client.TokenReviews(), nil
} }
type ignorableError struct{ error }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment