Add Controller configuration to specify client CA #4664
Conversation
wenyingd
force-pushed
the
support_client_ca
branch
from
a5700d1
to
2061b31
Compare
Codecov Report
@@ Coverage Diff @@
## main #4664 +/- ##
==========================================
- Coverage 71.95% 68.83% -3.12%
==========================================
Files 406 403 -3
Lines 60766 59781 -985
==========================================
- Hits 43723 41153 -2570
- Misses 14113 15782 +1669
+ Partials 2930 2846 -84
*This pull request uses carry forward flags. Click here to find out more.
|
| apiserverAuthentication: | ||
| {{- with .Values.apiserverAuthentication }} | ||
| clientCAFile: {{ .clientCAFile | quote }} | ||
| {{- end }} |
There was a problem hiding this comment.
I feel apiserverAuthentication is a too narrowed scope which can hardly group other configurations. It could just be apiserver or in the root group directly given apiserver is a generic component and not specific to one feature, and the other similar configurations tlsCipherSuites, tlsMinVersion are already in the root group.
wenyingd
force-pushed
the
support_client_ca
branch
2 times, most recently
from
86490e1
to
8fa141c
Compare
pkg/config/controller/config.go
Outdated
| @@ -69,6 +69,9 @@ type ControllerConfig struct { | |||
| IPsecCSRSignerConfig IPsecCSRSignerConfig `yaml:"ipsecCSRSigner"` | |||
| // Multicluster configuration options. | |||
| Multicluster MulticlusterConfig `yaml:"multicluster,omitempty"` | |||
| // APIServerClientCAFile is the file path of the certificate bundle for all the signers that is recognized for incoming | |||
| // client certificates. | |||
| APIServerClientCAFile string `yaml:"apiserverClientCAFile,omitempty"` | |||
There was a problem hiding this comment.
Move it under TLSMinVersion which is also related to apiserver.
| @@ -74,6 +74,10 @@ tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }} | |||
| # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. | |||
| tlsMinVersion: {{ .Values.tlsMinVersion | quote }} | |||
|
|
|||
| # File path of the certificate bundle for all the signers that is recognized for incoming client | |||
| # certificates. | |||
| apiserverClientCAFile: {{ .Values.apiserverClientCAFile | quote }} | |||
There was a problem hiding this comment.
Like we don't name the other similar configurations apiserverTLSMinVersion, it could just be clientCAFile, I think there is no ambiguity that this is for client authentication.
wenyingd
force-pushed
the
support_client_ca
branch
from
8fa141c
to
483581c
Compare
In the existing logic, Antrea Controller retrieves the client CA from ConfigMap kube-system/extension-apiserver-authentication, which is published by kube-apiserver. In some cases, the incoming connection is from the client with a certificate signed by a different CA bundle. This patch adds a configuration in antrea-controller to allow user to specify the client CA. Antrea Controller will use it to validate the incoming client certificate in a mTLS connection. Signed-off-by: wenyingd <wenyingd@vmware.com>
wenyingd
force-pushed
the
support_client_ca
branch
from
483581c
to
fecb91e
Compare
|
/test-all |
|
@jianjuns I suggested a minor update on the configuration placement. Please let us know if it makes sense to you. |
Works for me. |
In the current implementation, Antrea Controller retrieves the client CA from ConfigMap kube-system/extension-apiserver-authentication, which is published by kube-apiserver. In some use cases, the incoming connection is from a client with a certificate signed by a different CA bundle. This patch adds a configuration parameter for antrea-controller that allows users to specify the client CA. Antrea Controller will use it to validate the incoming client certificate in a TLS connection. Signed-off-by: wenyingd <wenyingd@vmware.com>
In the existing logic, Antrea Controller retrieves the client CA from ConfigMap kube-system/extension-apiserver-authentication, which is published by kube-apiserver. In some cases, the incoming connection is from the client with a certificate signed by a different CA bundle.
This patch adds a configuration in antrea-controller to allow user to specify the client CA. Antrea Controller will use it to validate the incoming client certificate in a mTLS connection.