Add ability to specify CA certs to use for TLS authentication.

[staebler]

Closes #1064.

Adds insecureSkipTLSVerify and caBundle to the broker spec. The insecureSkipTLSVerify field allows the user to communicate with the broker via TLS in an insecure manner by ignoring TLS verification. The caBundle field allows the user to specify root CAs to use when verifying TLS.

Modifies ups-broker walkthrough example to support using TLS.

Updates the OSB client to include the changes from kubernetes-retired/go-open-service-broker-client#55. These changes bring support to the OSB client for skipping TLS verification and supplying root CAs.

As a consequence of doing a glide update, the github.com/golang/glog and github.com/gorilla/mux dependencies were update as well.

github.com/golang/glog changelog:

• README: change code.google.com link to GitHub
• Merge pull request Adding Service Catalog API Spec #13 from michael-berlin/fix_log_before_flag_parse
• Fix problem that -log_dir will not be respected when anything is logged before flag.Parse().

github.com/gorilla/mux changelog:

• Prefer scheme on child route when building URLs.
• Use scheme from parent router when building URLs.
• Fix typo
• Add test and fix for escaped query values.
• Update docs.
• Add tests for support for queries in URL reversing.
• Add support for queries in URL reversing.
• Update Walking Routes Section
• Fix invalid example code
• Removing half of conflict marker (examine types and determine proper validation for each type #268)
• Update README with example for Router.Walk
• Update ancestors parameter for WalkFunc for matcher subrouters
• Update Walk to match all subrouters

[staebler]

This is no longer in-progress.

[arschles]

This looks reasonable to me, but I left 1 comment on the helm chart. My apologies for the long delay in reviewing!

[arschles]

not 100% sure on this, but iirc this will collapse --tlsKey onto the same line as --tlsCert. The solution would be to rewrite this as {{ if .Values.tls.key -}}. Same with the above if as well.

[staebler]

Both {{- if .Values.tls.key }} and {{ if .Values.tls.key -}} will yield the same yaml. The former will chomp the whitespace to the left, removing the newline from the previous line. The latter will chomp the whitespace to the right, removing the newline from the current line. In the end, they both will leave one newline. Using the left-side chomp seems to be a little less troublesome when the line after the if block is not at the same indentation level as the if block. With the right-side chomp, we would remove the spaces on the following line and leave the spaces on the current line, resulting in the following line being at the indentation of the current line.

For reference, the helm chart template guide [1] uses the left chomp in its example.

Here is the relevant snippet of the output from running helm install charts/ups-broker --name ups-broker --namespace ups-broker --set tls.cert=fake-cert --set tls.key=fake-key --dry-run --debug.

        imagePullPolicy: Always
        args:
        - --port
        - "8080"
        - --tlsCert
        - "fake-cert"
        - --tlsKey
        - "fake-key"
        ports:
        - containerPort: 8080

[1] https://github.com/kubernetes/helm/blob/master/docs/chart_template_guide/control_structures.md

[arschles]

good catch - I stand corrected, thanks @staebler

[MHBauer]

now I know it's called chomp. that document is way too difficult to find.

[arschles]

@staebler looks like this needs a rebase too (just for generated code), so I've tagged as such. Can you please ping me on the Kubernetes slack (@arschles) when you're ready for a re-review? I'll be able to get to it much faster that way. Thanks.

[pmorie]

You might add a comment explaining what the commented out fields are here.

[pmorie]

One change requested - make it so you cannot set both the insecure flag and CA bundle at the same time.

[pmorie]

I think there should be a validation that ensures that you cannot set InsecureSkipTLSVerify and CABundle at the same time.

[staebler]

Seems reasonable. Validation has been added.

[nilebox]

LGTM, just a nit for validation error message.

[nilebox]

The JSON field name is caBundle (and the other is insecureSkipTLSVerify), so it should be:

allErrs = append(allErrs, field.Invalid(fldPath.Child("caBundle"), spec.CABundle, "caBundle cannot be used when insecureSkipTLSVerify is true"))

[pmorie]

THanks a bunch!

[arschles]

This has 2 LGTMs (I am also LGTM on this, fwiw), so I am merging

[MHBauer]

Do these bytes represent something specific?

[staebler]

No, nothing specific. Just a test set of bytes that can test that the cheksum is created correctly.