Setup TLS with CA Cert for vsphere cloud provider #64758
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
size/XL
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
@wgliang Thanks for the feedback. For some reason your comments disappeared when we pushed new commits. Some points you brought up that should be hopefully sorted now:
Remaining points that you brought up:
|
|
@mariantalla |
mariantalla
changed the title
|
@wgliang Thanks, changed the title! Please keep commenting even though it's still in progress. Would love to hear your thoughts on test cases and packages in particular. |
|
@mariantalla |
|
/test pull-kubernetes-node-e2e |
- Extend config to take a path to a CA Certificate - Use the CA Cert when establishing a connection with the SOAP client Testing We provide certs and keys for tests as fixtures, `vclib/fixtures`. Those were created (and can be regenerated) using `vclib/fixtures/createCerts.sh`. At the moment it's possible to configure a CA path and at the same time allow insecure communication between vsphere cloud provider and vcenter. This may change in the future; we might opt for overwriting the insecure communication if a CA is configured / log and transparently pass the arguments to the vcenter command / other. To be discussed. At the moment the CA is a global level configuration. In other words, all vcenter servers need to use certificates signed by the same CA. There might be use cases for different CA per vcenter server; to be discussed.
./hack/update-bazel.sh
Also remove comments that are not useful anymore.
This will help with bazel tests, which seem to use a different working directory from local test runs.
... and rename `InvalidCaCertPath` to `InvalidCertPath`.
|
PTAL |
|
Thanks @mariantalla @hoegaarden lgtm /approve |
| @@ -175,3 +210,25 @@ func (connection *VSphereConnection) UpdateCredentials(username string, password | |||
| connection.Username = username | |||
| connection.Password = password | |||
| } | |||
|
|
|||
| func normalizeThumbprint(original string) (string, error) { | |||
There was a problem hiding this comment.
What is the use case that would require this normalization?
| t.Fatalf("Cannot add CA to CAPool") | ||
| } | ||
|
|
||
| server := httptest.NewUnstartedServer(http.HandlerFunc(handler)) |
There was a problem hiding this comment.
Note that you could also use govmomi/simulator for these types of tests: https://github.com/vmware/govmomi/blob/b3251638696a6f4ac905fe904091e9840982c602/simulator/simulator_test.go#L353-L370
| if len(server.TLS.Certificates) < 1 || len(server.TLS.Certificates[0].Certificate) < 1 { | ||
| t.Fatal("Expected server.TLS.Certificates not to be empty") | ||
| } | ||
| x509LeafCert := server.TLS.Certificates[0].Certificate[0] |
There was a problem hiding this comment.
Even without simulator, you can use HostCertificateInfo.FromCertificate https://github.com/vmware/govmomi/blob/b3251638696a6f4ac905fe904091e9840982c602/simulator/simulator_test.go#L353-L358
Maybe this also avoids the need for the normalization function?
|
@dougm @divyenpatel @wgliang Is there anything left to do for us to get the lgtm -- i think that's missing to get this merged, isn't it? |
|
@divyenpatel approved via review, but we need his '/lgtm' to add the label. |
|
/assign @divyenpatel |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: divyenpatel, dougm, mariantalla The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
/test pull-kubernetes-e2e-gce |
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test pull-kubernetes-e2e-gce |
3 similar comments
|
/test pull-kubernetes-e2e-gce |
|
/test pull-kubernetes-e2e-gce |
|
/test pull-kubernetes-e2e-gce |
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
/sig vmware |
k8s-ci-robot
added
the
area/provider/vmware
Testing
We provide certs and keys for tests as fixtures,
vclib/fixtures.Those were created (and can be regenerated) using
vclib/fixtures/createCerts.sh.At the moment it's possible to configure a CA path and at the same time allow insecure
communication between vsphere cloud provider and vcenter. This may
change in the future; we might opt for overwriting the insecure
communication if a CA is configured / log and transparently pass the
arguments to the vcenter command / other. To be discussed.
At the moment the CA is a global level configuration. In other
words, all vcenter servers need to use certificates signed by the same
CA. There might be use cases for different CA per vcenter server; to be
discussed.
What this PR does / why we need it:
This PR adds the option of configuring a trusted CA for the communication between the vsphere cloud provider and the vcenter control plane.
Which issue(s) this PR fixes:
Fixes #64222
Special notes for your reviewer:
Release note: