mirror of
https://github.com/kubernetes/client-go.git
synced 2025-07-16 08:15:56 +00:00
kubernetes mutual (2-way) x509 comment
Kubernetes-commit: 48260b4a77b423b178ec5e262ac67be52d49f455
This commit is contained in:
parent
c1466acf62
commit
ff3618ffb3
@ -96,6 +96,32 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
|
||||
}
|
||||
|
||||
if c.HasCA() {
|
||||
/*
|
||||
kubernetes mutual (2-way) x509 between client and apiserver:
|
||||
|
||||
1. apiserver sending its apiserver certificate along with its publickey to client
|
||||
>2. client verifies the apiserver certificate sent against its cluster certificate authority data
|
||||
3. client sending its client certificate along with its public key to the apiserver
|
||||
4. apiserver verifies the client certificate sent against its cluster certificate authority data
|
||||
|
||||
description:
|
||||
here, with this block,
|
||||
cluster certificate authority data gets loaded into TLS before the handshake process
|
||||
for client to later during the handshake verify the apiserver certificate
|
||||
|
||||
normal args related to this stage:
|
||||
--certificate-authority='':
|
||||
Path to a cert file for the certificate authority
|
||||
|
||||
(retrievable from "kubectl options" command)
|
||||
(suggested by @deads2k)
|
||||
|
||||
see also:
|
||||
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
|
||||
- for the step 3, see: a few lines below in this file
|
||||
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
|
||||
*/
|
||||
|
||||
rootCAs, err := rootCertPool(c.TLS.CAData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load root certificates: %w", err)
|
||||
@ -121,6 +147,35 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
|
||||
}
|
||||
|
||||
if c.HasCertAuth() || c.HasCertCallback() {
|
||||
|
||||
/*
|
||||
kubernetes mutual (2-way) x509 between client and apiserver:
|
||||
|
||||
1. apiserver sending its apiserver certificate along with its publickey to client
|
||||
2. client verifies the apiserver certificate sent against its cluster certificate authority data
|
||||
>3. client sending its client certificate along with its public key to the apiserver
|
||||
4. apiserver verifies the client certificate sent against its cluster certificate authority data
|
||||
|
||||
description:
|
||||
here, with this callback function,
|
||||
client certificate and pub key get loaded into TLS during the handshake process
|
||||
for apiserver to later in the step 4 verify the client certificate
|
||||
|
||||
normal args related to this stage:
|
||||
--client-certificate='':
|
||||
Path to a client certificate file for TLS
|
||||
--client-key='':
|
||||
Path to a client key file for TLS
|
||||
|
||||
(retrievable from "kubectl options" command)
|
||||
(suggested by @deads2k)
|
||||
|
||||
see also:
|
||||
- for the step 1, see: staging/src/k8s.io/apiserver/pkg/server/options/serving.go
|
||||
- for the step 2, see: a few lines above in this file
|
||||
- for the step 4, see: staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
|
||||
*/
|
||||
|
||||
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||
// Note: static key/cert data always take precedence over cert
|
||||
// callback.
|
||||
|
Loading…
Reference in New Issue
Block a user