support skipping the validity check of keystone server's certificate
dixudx committed Oct 24, 2016
1 parent a7db9bc commit 2323a51
Showing 6 changed files with 49 additions and 18 deletions.
1 change: 1 addition & 0 deletions cmd/kube-apiserver/app/server.go
Expand Up @@ -230,6 +230,7 @@ func Run(s *options.APIServer) error {
ServiceAccountLookup: s.ServiceAccountLookup,
ServiceAccountTokenGetter: serviceAccountGetter,
KeystoneURL: s.KeystoneURL,
KeystoneInsecureTLS: s.KeystoneInsecureTLS,
WebhookTokenAuthnConfigFile: s.WebhookTokenAuthnConfigFile,
WebhookTokenAuthnCacheTTL: s.WebhookTokenAuthnCacheTTL,
})
23 changes: 12 additions & 11 deletions federation/cmd/federation-apiserver/app/server.go
Expand Up @@ -117,17 +117,18 @@ func Run(s *options.ServerRunOptions) error {
}

apiAuthenticator, securityDefinitions, err := authenticator.New(authenticator.AuthenticatorConfig{
Anonymous: s.AnonymousAuth,
AnyToken: s.EnableAnyToken,
BasicAuthFile: s.BasicAuthFile,
ClientCAFile: s.ClientCAFile,
TokenAuthFile: s.TokenAuthFile,
OIDCIssuerURL: s.OIDCIssuerURL,
OIDCClientID: s.OIDCClientID,
OIDCCAFile: s.OIDCCAFile,
OIDCUsernameClaim: s.OIDCUsernameClaim,
OIDCGroupsClaim: s.OIDCGroupsClaim,
KeystoneURL: s.KeystoneURL,
Anonymous: s.AnonymousAuth,
AnyToken: s.EnableAnyToken,
BasicAuthFile: s.BasicAuthFile,
ClientCAFile: s.ClientCAFile,
TokenAuthFile: s.TokenAuthFile,
OIDCIssuerURL: s.OIDCIssuerURL,
OIDCClientID: s.OIDCClientID,
OIDCCAFile: s.OIDCCAFile,
OIDCUsernameClaim: s.OIDCUsernameClaim,
OIDCGroupsClaim: s.OIDCGroupsClaim,
KeystoneURL: s.KeystoneURL,
KeystoneInsecureTLS: s.KeystoneInsecureTLS,
})
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
1 change: 1 addition & 0 deletions hack/verify-flags/known-flags.txt
Expand Up @@ -186,6 +186,7 @@ exit-on-lock-contention
experimental-allowed-unsafe-sysctls
experimental-bootstrap-kubeconfig
experimental-keystone-url
experimental-keystone-insecure-tls
experimental-nvidia-gpus
experimental-prefix
experimental-runtime-integration-type
7 changes: 4 additions & 3 deletions pkg/apiserver/authenticator/authn.go
Expand Up @@ -54,6 +54,7 @@ type AuthenticatorConfig struct {
ServiceAccountLookup bool
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
KeystoneURL string
KeystoneInsecureTLS bool
WebhookTokenAuthnConfigFile string
WebhookTokenAuthnCacheTTL time.Duration
}
Expand All @@ -76,7 +77,7 @@ func New(config AuthenticatorConfig) (authenticator.Request, *spec.SecurityDefin
hasBasicAuth = true
}
if len(config.KeystoneURL) > 0 {
keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL)
keystoneAuth, err := newAuthenticatorFromKeystoneURL(config.KeystoneURL, config.KeystoneInsecureTLS)
if err != nil {
return nil, nil, err
}
Expand Down Expand Up @@ -258,8 +259,8 @@ func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Reques
}

// newAuthenticatorFromTokenFile returns an authenticator.Request or an error
func newAuthenticatorFromKeystoneURL(keystoneURL string) (authenticator.Request, error) {
keystoneAuthenticator, err := keystone.NewKeystoneAuthenticator(keystoneURL)
func newAuthenticatorFromKeystoneURL(keystoneURL string, keystoneInsecureTLs bool) (authenticator.Request, error) {
keystoneAuthenticator, err := keystone.NewKeystoneAuthenticator(keystoneURL, keystoneInsecureTLs)
if err != nil {
return nil, err
}
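Review bot: The doc comment kept on the line above `newAuthenticatorFromKeystoneURL` still reads `// newAuthenticatorFromTokenFile returns an authenticator.Request or an error`, so the commit widens the signature without fixing the stale name or describing the new parameter; suggest `// newAuthenticatorFromKeystoneURL returns an authenticator.Request backed by keystone; keystoneInsecureTLS disables verification of the keystone server's certificate.` The new parameter is spelled `keystoneInsecureTLs`, which mixes initialism case with the `KeystoneInsecureTLS` field it is fed from; rename it `keystoneInsecureTLS` in both the signature and the `keystone.NewKeystoneAuthenticator` call. The bodies of New and newAuthenticatorFromKeystoneURL continue outside the hunk.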
5 changes: 5 additions & 0 deletions pkg/genericapiserver/options/server_run_options.go
Expand Up @@ -91,6 +91,7 @@ type ServerRunOptions struct {
InsecureBindAddress net.IP
InsecurePort int
KeystoneURL string
KeystoneInsecureTLS bool
KubernetesServiceNodePort int
LongRunningRequestRE string
MasterCount int
Expand Down Expand Up @@ -375,6 +376,10 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL,
"If passed, activates the keystone authentication plugin.")

fs.BoolVar(&s.KeystoneInsecureTLS, "experimental-keystone-insecure-tls", s.KeystoneInsecureTLS,
"If passed, activates the keystone authentication plugin. Boolean value to indicate"+
"whether to skip the validity check of the keystone server's certificate.")

// See #14282 for details on how to test/try this option out.
// TODO: remove this comment once this option is tested in CI.
fs.IntVar(&s.KubernetesServiceNodePort, "kubernetes-service-node-port", s.KubernetesServiceNodePort, ""+
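Review bot: The help string for `experimental-keystone-insecure-tls` is concatenated from two literals with no separating space, so the rendered text reads `Boolean value to indicatewhether to skip`. Its first sentence is also copied from `experimental-keystone-url` and is wrong for this flag, which does not activate the plugin on its own; since what the flag does is turn off certificate verification for the keystone connection, the help should say exactly that so an operator understands what they are giving up. Suggest replacing the two literals with `"If true, the keystone server's TLS certificate is not verified. "+` and `"Only meaningful together with --experimental-keystone-url; intended for testing."`. AddUniversalFlags continues outside the hunk.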
30 changes: 26 additions & 4 deletions plugin/pkg/auth/authenticator/password/keystone/keystone.go
Expand Up @@ -19,6 +19,8 @@ package keystone
import (
"errors"
"strings"
"crypto/tls"
"net/http"

"github.com/golang/glog"
"github.com/rackspace/gophercloud"
Expand All @@ -30,6 +32,7 @@ import (
// The keystone endpoint is passed during apiserver startup
type KeystoneAuthenticator struct {
authURL string
insecureTLS bool
}

// AuthenticatePassword checks the username, password via keystone call
Expand All @@ -40,23 +43,42 @@ func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatePassword(usernam
Password: password,
}

_, err := openstack.AuthenticatedClient(opts)
_, err := AuthenticatedClient(opts, keystoneAuthenticator.insecureTLS)
if err != nil {
glog.Info("Failed: Starting openstack authenticate client")
glog.Info("Failed: Starting openstack authenticate client: "+ err.Error())
return nil, false, errors.New("Failed to authenticate")
}

return &user.DefaultInfo{Name: username}, true, nil
}

// AuthenticatedClient logs in to an OpenStack cloud found at the identity endpoint specified by options, acquires a
// token, and returns a Client instance that's ready to operate.
func AuthenticatedClient(options gophercloud.AuthOptions, insecureTLS bool) (*gophercloud.ProviderClient, error) {

client, err := openstack.NewClient(options.IdentityEndpoint)
if err != nil {
return nil, err
}

client.HTTPClient.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS}, }

err = openstack.Authenticate(client, options)
if err != nil {
return nil, err
}
return client, nil

}

// NewKeystoneAuthenticator returns a password authenticator that validates credentials using openstack keystone
func NewKeystoneAuthenticator(authURL string) (*KeystoneAuthenticator, error) {
func NewKeystoneAuthenticator(authURL string, insecureTLS bool) (*KeystoneAuthenticator, error) {
if !strings.HasPrefix(authURL, "https") {
return nil, errors.New("Auth URL should be secure and start with https")
}
if authURL == "" {
return nil, errors.New("Auth URL is empty")
}

return &KeystoneAuthenticator{authURL}, nil
return &KeystoneAuthenticator{authURL, insecureTLS}, nil
}
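Review bot: AuthenticatedClient overwrites `client.HTTPClient.Transport` with a bare `&http.Transport{...}` even when insecureTLS is false, so every keystone call now runs on a zero-value Transport that carries none of http.DefaultTransport's proxy-from-environment or dial/handshake timeout settings — presumably a regression for the verified case, and a keystone endpoint that stops responding may then block the authenticate path with no deadline. Only swap the transport when verification is actually being disabled, and log that at client construction so the apiserver log shows certificate checks are off for this endpoint. The import block also places `crypto/tls` and `net/http` after `strings`, which goimports would reorder, and `"..."+ err.Error()` on the glog.Info line is not gofmt-clean. NewKeystoneAuthenticator's doc comment should mention the new parameter, e.g. `// insecureTLS skips verification of the keystone server's certificate; it must be false for production use.`
```go
client, err := openstack.NewClient(options.IdentityEndpoint)
if err != nil {
	return nil, err
}

// Only replace the transport when verification is being disabled, so the
// default transport (proxy and timeout settings) is kept in the normal case.
if insecureTLS {
	glog.Warningf("keystone: TLS certificate verification is disabled for %s", options.IdentityEndpoint)
	client.HTTPClient.Transport = &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
}

// … unchanged: openstack.Authenticate call and return …
```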
