Merge pull request #66394 from rtripat/i-65724

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support pulling requestheader CA from extension-apiserver-authentication ConfigMap without client CA

This commit prevents the extension API server from erroring out during bootstrap when the core
API server doesn't support certificate-based authentication for its clients, i.e. client-ca isn't
present in the extension-apiserver-authentication ConfigMap in kube-system.

This can happen in cluster setups where core API server uses Webhook token authentication.

Fixes: https://github.com/kubernetes/kubernetes/issues/65724

**Which issue(s) this PR fixes** 
Fixes #65724

**Special notes for your reviewer**:

**Release note**:
```release-note
Allows extension API server to dynamically discover the requestheader CA certificate when the core API server doesn't use certificate based authentication for it's clients
```
This commit is contained in:
Kubernetes Submit Queue 2018-08-08 06:30:27 -07:00 committed by GitHub
commit 446eef54c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -160,7 +160,11 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
clientCA, err := s.getClientCA() clientCA, err := s.getClientCA()
if err != nil { if err != nil {
return err if _, ignorable := err.(ignorableError); !ignorable {
return err
} else {
glog.Warning(err)
}
} }
if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil { if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
@ -200,7 +204,11 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato
clientCA, err := s.getClientCA() clientCA, err := s.getClientCA()
if err != nil { if err != nil {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err if _, ignorable := err.(ignorableError); !ignorable {
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
} else {
glog.Warning(err)
}
} }
requestHeader, err := s.getRequestHeader() requestHeader, err := s.getRequestHeader()
if err != nil { if err != nil {
@ -240,7 +248,7 @@ func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticati
return nil, err return nil, err
} }
if incluster == nil { if incluster == nil {
return nil, fmt.Errorf("cluster doesn't provide client-ca-file") return &s.ClientCert, ignorableError{fmt.Errorf("cluster doesn't provide client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)}
} }
return incluster, nil return incluster, nil
} }
@ -394,3 +402,5 @@ func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authentication
return client.TokenReviews(), nil return client.TokenReviews(), nil
} }
type ignorableError struct{ error }
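Review bot: `type ignorableError struct{ error }` is undocumented although it changes the usual (value, error) contract of getClientCA: in the -240 hunk the ignorable path returns a usable `&s.ClientCert` together with a non-nil error, and the callers in the ApplyTo and ToAuthenticationConfig hunks rely on that value after logging the warning. A doc comment should make this explicit, e.g. `// ignorableError marks a getClientCA failure that callers may log and continue from; the returned *ClientCertAuthenticationOptions is still valid, so client-cert auth is simply not configured.` The handling is duplicated verbatim in the ApplyTo and ToAuthenticationConfig hunks and relies on a bare type assertion, so any later wrapping of the error with fmt.Errorf would silently turn the warning back into a startup failure; a small helper shared by both call sites would keep that in one place. The `else` after `return err` is unnecessary and `glog.Warning(err)` can simply follow the if block. Note that continuing past this point means the extension API server starts without client-certificate authentication for incoming requests, which is why the warning, rather than a silent skip, matters operationally.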