Actually Use Authentication and Authorization (#615)

DirectXMan12 · arschles · commit eb1f1e731a73 · 2017-04-21T10:29:33.000-07:00
* Add flag to disable auth for testing purposes

Some of the tests run the service catalog API server without a
corresponding Kubernetes API server.  In this case, no delegating
authentication or authorization is possible.  The `--disable-auth`
flag causes the API server setup to skip setting up authentication
and authorization in these cases.

* Update Helm Charts for Auth and Aggregation

This commit updates the helm charts, inserting the requisite options
for running the service catalog behind the master's integrated
API server aggregator.

The new options are:

- `useAggregator`: causes the API server to be registered with the k8s
  API server and points the controller manager at the there instead
  of at the service catalog API server.

- `apiserver.tls.requestHeaderCA`: the CA used to authenticate requests
  from the k8s API server proxy, so that we can trust the authentication
  information that it passes us (because it handles authentication
  itself, and then passes us the extracted information).

- `apiserver.tls.ca`: the CA used to sign the serving certificates for
  the API server.  This is needed by the API registration information,
  so that the k8s API server proxy can verify that it's talking to the
  correct server.

In order to use aggregation, you must also pass
`apiserver.tls.{cert,key}`, instead of letting them be autogenerated
as self-signed certificates.

* Fix up Kubeconfig handling

This commit uncomments and fixes up the Kubeconfig handling, making
it possible to actually pass in Kubeconfigs to use to connect to
the k8s API server and the service catalog API server.

Furthermore, we explicitly try and use in-cluster config for service
catalog API server connections, avoiding a generic error message about
it "possibly" not working in favor of our own warning, which advises
viewers to make sure that the service catalog APIs are registered with
the aggregator.

* Actually die if APIs aren't available

Previously, we'd start (and otherwise appear healthy), but not
actually do anything if the service catalog APIs weren't available.

Now, the controller manager fails if the APIs aren't available, so
that we eventually get restarted.

* Renable authentication and authorization

This re-enables actually applying the effects of the authentication and authorization
options.  The API server will now attempt to delegate authentication and
authorization options to a main Kube API server.

These should work fine now that we're using the 1.6 generic API server
code.

* Ensure walkthrough requestheader certs

This PR makes sure that when running the walkthrough test,
the extensions-apiserver-authentication configmap, which is
autogenerated by the main Kubernetes API server, contains requestheader
certs.  If it doesn't, it augments the configmap with requestheader
certs matching the client certs from the cluster, since GKE does set
these (this might not necessarily be what you normally want, but works
fine for testing).

* Force jenkins to use k8s 1.6.1

This commit tells Jenkins to use a 1.6.1 cluster.  This ensures that we
always know what cluster version we're running tests against, and also
opts us in to using a 1.6 cluster (which is not the default at the time
of authorship of this PR).
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -108,6 +108,7 @@ node {
             --registry gcr.io/${test_project}/catalog/ \
             --version ${version} \
             --cleanup \
+            --fix-auth \
             --create-artifacts
       """
 
@@ -116,6 +117,7 @@ node {
             --version ${version} \
             --with-tpr \
             --cleanup \
+            --fix-auth \
             --create-artifacts
       """
     } catch (Exception e) {
diff --git a/charts/catalog/README.md b/charts/catalog/README.md
@@ -44,6 +44,8 @@ chart and their default values.
 | `apiserver.insecure`  | Whether to expose an insecure endpoint; keep this enabled because there are some outstanding problems with the TLS-secured endpoint | `true` |
 | `apiserver.tls.cert` | Base64-encoded x509 certificate | A self-signed certificate |
 | `apiserver.tls.key` | Base64-encoded private key | The private key for the certificate above |
+| `apiserver.tls.ca` | Base64-encoded CA certificate used to sign the above certificate | |
+| `apiserver.tls.requestHeaderCA` | Base64-encoded CA used to validate request-header authentication, when receiving delegated authentication from an aggregator | *none (will disable requestheader authentication)* |
 | `apiserver.service.type` | Type of service; valid values are `LoadBalancer` and `NodePort` | `NodePort` |
 | `apiserver.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30443` |
 | `apiserver.service.nodePort.insecurePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The insecure endpoint, if enabled, will be exposed here | `30080` |
@@ -57,6 +59,7 @@ chart and their default values.
 | `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |
 | `controllerManager.brokerRelistInterval` | How often the controller should relist the catalogs of ready brokers; duration format (`20m`, `1h`, etc) | `24h` |
+| `useAggregator` | whether or not to set up the controller-manager to go through the main Kubernetes API server's API aggregator (requires setting `apiserver.tls.ca` to work) | `false` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to
 `helm install`.
diff --git a/charts/catalog/templates/apiregistration.yaml b/charts/catalog/templates/apiregistration.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.useAggregator }}
+apiVersion: apiregistration.k8s.io/v1alpha1
+kind: APIService
+metadata:
+  name: v1alpha1.servicecatalog.k8s.io
+spec:
+  group: servicecatalog.k8s.io
+  version: v1alpha1
+  service:
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "fullname" . }}-apiserver
+  caBundle: {{ .Values.apiserver.tls.ca }}
+  priority: 100
+{{ end }}
diff --git a/charts/catalog/templates/apiserver-cert-secret.yaml b/charts/catalog/templates/apiserver-cert-secret.yaml
@@ -11,3 +11,6 @@ type: Opaque
 data:
   tls.crt: {{ .Values.apiserver.tls.cert }}
   tls.key: {{ .Values.apiserver.tls.key }}
+{{- if .Values.apiserver.tls.requestHeaderCA }}
+  requestheader-ca.crt: {{ .Values.apiserver.tls.requestHeaderCA }}
+{{- end }}
diff --git a/charts/catalog/templates/apiserver-deployment.yaml b/charts/catalog/templates/apiserver-deployment.yaml
@@ -51,6 +51,9 @@ spec:
         {{- end }}
         - -v
         - "{{ .Values.apiserver.verbosity }}"
+        {{- if .Values.apiserver.tls.requestHeaderCA }}
+        - --requestheader-client-ca-file=/var/run/kubernetes-service-catalog/requestheader-ca.crt
+        {{- end }}
         ports:
         {{- if .Values.apiserver.insecure }}
         - containerPort: 8080
@@ -133,6 +136,10 @@ spec:
             path: apiserver.crt
           - key: tls.key
             path: apiserver.key
+          {{- if .Values.apiserver.tls.requestHeaderCA }}
+          - key: requestheader-ca.crt
+            path: requestheader-ca.crt
+          {{- end }}
       {{- if eq .Values.apiserver.storage.type "etcd" }}
       - name: etcd-data-dir
         emptyDir: {}
diff --git a/charts/catalog/templates/controller-manager-deployment.yaml b/charts/catalog/templates/controller-manager-deployment.yaml
@@ -34,12 +34,14 @@ spec:
         args:
         - --port
         - "8080"
+        {{- if not .Values.useAggregator }}
         - --service-catalog-api-server-url
         {{- if .Values.apiserver.insecure }}
         - http://{{ template "fullname" . }}-apiserver
         {{- else }}
         - https://{{ template "fullname" . }}-apiserver
         {{- end }}
+        {{- end }}
         - -v
         - "{{ .Values.controllerManager.verbosity }}"
         - --resync-interval
diff --git a/charts/catalog/values.yaml b/charts/catalog/values.yaml
@@ -56,3 +56,4 @@ controllerManager:
   resyncInterval: 5m
   # Broker relist interval; format is a duration (`20m`, `1h`, etc)
   brokerRelistInterval: 24h
+useAggregator: false
diff --git a/cmd/apiserver/app/server/options.go b/cmd/apiserver/app/server/options.go
@@ -41,7 +41,9 @@ type ServiceCatalogServerOptions struct {
 	EtcdOptions *EtcdOptions
 	// TPROptions are options for serving with TPR as the backing store
 	TPROptions *TPROptions
-	StopCh     <-chan struct{}
+	// DisableAuth disables delegating authentication and authorization for testing scenarios
+	DisableAuth bool
+	StopCh      <-chan struct{}
 }
 
 func (s *ServiceCatalogServerOptions) addFlags(flags *pflag.FlagSet) {
@@ -52,6 +54,13 @@ func (s *ServiceCatalogServerOptions) addFlags(flags *pflag.FlagSet) {
 		"The type of backing storage this API server should use",
 	)
 
+	flags.BoolVar(
+		&s.DisableAuth,
+		"disable-auth",
+		false,
+		"Disable authentication and authorization for testing purposes",
+	)
+
 	s.GenericServerRunOptions.AddUniversalFlags(flags)
 	s.SecureServingOptions.AddFlags(flags)
 	s.AuthenticationOptions.AddFlags(flags)
diff --git a/cmd/apiserver/app/server/util.go b/cmd/apiserver/app/server/util.go
@@ -17,6 +17,8 @@ limitations under the License.
 package server
 
 import (
+	"github.com/golang/glog"
+
 	genericapiserver "k8s.io/apiserver/pkg/server"
 )
 
@@ -43,22 +45,18 @@ func setupBasicServer(s *ServiceCatalogServerOptions) (*genericapiserver.Config,
 		return nil, err
 	}
 
-	// glog.V(4).Info("Setting up authn (disabled)")
-	// need to figure out what's throwing the `missing clientCA file` err
-	/*
-		if _, err := genericConfig.ApplyDelegatingAuthenticationOptions(serverOptions.AuthenticationOptions); err != nil {
-			glog.Infoln(err)
-			return err
+	if !s.DisableAuth {
+		if err := s.AuthenticationOptions.ApplyTo(genericConfig); err != nil {
+			return nil, err
 		}
-	*/
 
-	// glog.V(4).Infoln("Setting up authz (disabled)")
-	// having this enabled causes the server to crash for any call
-	/*
-		if _, err := genericConfig.ApplyDelegatingAuthorizationOptions(serverOptions.AuthorizationOptions); err != nil {
-			glog.Infoln(err)
-			return err
+		if err := s.AuthorizationOptions.ApplyTo(genericConfig); err != nil {
+			return nil, err
 		}
-	*/
+	} else {
+		// always warn when auth is disabled, since this should only be used for testing
+		glog.Infof("Authentication and authorization disabled for testing purposes")
+	}
+
 	return genericConfig, nil
 }
diff --git a/cmd/controller-manager/app/controller_manager.go b/cmd/controller-manager/app/controller_manager.go
@@ -90,19 +90,20 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
 	// Build the K8s kubeconfig / client / clientBuilder
 	glog.V(4).Info("Building k8s kubeconfig")
 
-	k8sKubeconfig, err := rest.InClusterConfig()
+	var err error
+	var k8sKubeconfig *rest.Config
+	if controllerManagerOptions.K8sAPIServerURL == "" && controllerManagerOptions.K8sKubeconfigPath == "" {
+		k8sKubeconfig, err = rest.InClusterConfig()
+	} else {
+		k8sKubeconfig, err = clientcmd.BuildConfigFromFlags(
+			controllerManagerOptions.K8sAPIServerURL,
+			controllerManagerOptions.K8sKubeconfigPath)
+	}
 	if err != nil {
-		glog.Fatalf("Failed to get kube client config (%s)", err)
+		return fmt.Errorf("failed to get Kubernetes client config: %v", err)
 	}
 	k8sKubeconfig.GroupVersion = &schema.GroupVersion{}
 
-	// k8sKubeconfig, err := clientcmd.BuildConfigFromFlags(
-	// 	controllerManagerOptions.K8sAPIServerURL,
-	// 	controllerManagerOptions.K8sKubeconfigPath)
-	// if err != nil {
-	// 	// TODO: disambiguate API errors
-	// 	return err
-	// }
 	k8sKubeconfig.ContentConfig.ContentType = controllerManagerOptions.ContentType
 	// Override kubeconfig qps/burst settings from flags
 	k8sKubeconfig.QPS = controllerManagerOptions.KubeAPIQPS
@@ -111,21 +112,30 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
 		rest.AddUserAgent(k8sKubeconfig, controllerManagerAgentName),
 	)
 	if err != nil {
-		glog.Fatalf("Invalid k8s API configuration: %v", err)
+		return fmt.Errorf("invalid Kubernetes API configuration: %v", err)
 	}
 
 	glog.V(4).Infof("Building service-catalog kubeconfig for url: %v\n", controllerManagerOptions.ServiceCatalogAPIServerURL)
+
+	var serviceCatalogKubeconfig *rest.Config
 	// Build the service-catalog kubeconfig / clientBuilder
-	serviceCatalogKubeconfig, err := clientcmd.BuildConfigFromFlags(
-		controllerManagerOptions.ServiceCatalogAPIServerURL,
-		// controllerManagerOptions.ServiceCatalogKubeconfigPath,
-		"", // TODO: tolerate missing kubeconfig
-	)
+	if controllerManagerOptions.ServiceCatalogAPIServerURL == "" && controllerManagerOptions.ServiceCatalogKubeconfigPath == "" {
+		// explicitly fall back to InClusterConfig, assuming we're talking to an API server which does aggregation
+		// (BuildConfigFromFlags does this, but gives a more generic warning message than we do here)
+		glog.V(4).Infof("Using inClusterConfig to talk to service catalog API server -- make sure your API server is registered with the aggregator")
+		serviceCatalogKubeconfig, err = rest.InClusterConfig()
+	} else {
+		serviceCatalogKubeconfig, err = clientcmd.BuildConfigFromFlags(
+			controllerManagerOptions.ServiceCatalogAPIServerURL,
+			controllerManagerOptions.ServiceCatalogKubeconfigPath)
+	}
 	if err != nil {
 		// TODO: disambiguate API errors
-		return err
+		return fmt.Errorf("failed to get Service Catalog client configuration: %v", err)
 	}
 
+	// due to using both k8s.io/kubernetes and k8s.io/client-go, we need to convert this object over
+
 	glog.V(4).Info("Starting http server and mux")
 	// Start http server and handlers
 	go func() {
@@ -306,7 +316,7 @@ func StartControllers(s *options.ControllerManagerServer,
 		glog.V(1).Info("Starting shared informers")
 		informerFactory.Start(stop)
 	} else {
-		glog.V(1).Infof("Skipping starting service-catalog controller because servicecatalog/v1alpha1 is not available")
+		return fmt.Errorf("unable to start service-catalog controller: servicecatalog/v1alpha1 is not available")
 	}
 
 	select {}
diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
@@ -69,9 +69,9 @@ func (s *ControllerManagerServer) AddFlags(fs *pflag.FlagSet) {
 	fs.Int32Var(&s.Port, "port", s.Port, "The port that the controller-manager's http service runs on")
 	fs.StringVar(&s.ContentType, "api-content-type", s.ContentType, "Content type of requests sent to API servers")
 	fs.StringVar(&s.K8sAPIServerURL, "k8s-api-server-url", "", "The URL for the k8s API server")
-	fs.StringVar(&s.K8sKubeconfigPath, "k8s-kubeconfig", s.K8sKubeconfigPath, "Path to k8s core kubeconfig")
+	fs.StringVar(&s.K8sKubeconfigPath, "k8s-kubeconfig", "", "Path to k8s core kubeconfig")
 	fs.StringVar(&s.ServiceCatalogAPIServerURL, "service-catalog-api-server-url", "", "The URL for the service-catalog API server")
-	fs.StringVar(&s.ServiceCatalogKubeconfigPath, "service-catalog-kubeconfig", s.ServiceCatalogKubeconfigPath, "Path to service-catalog kubeconfig")
+	fs.StringVar(&s.ServiceCatalogKubeconfigPath, "service-catalog-kubeconfig", "", "Path to service-catalog kubeconfig")
 	fs.DurationVar(&s.ResyncInterval, "resync-interval", s.ResyncInterval, "The interval on which the controller will resync its informers")
 	fs.DurationVar(&s.BrokerRelistInterval, "broker-relist-interval", s.BrokerRelistInterval, "The interval on which a broker's catalog is relisted after the broker becomes ready")
 	fs.BoolVar(&s.OSBAPIContextProfile, "enable-osb-api-context-profile", s.OSBAPIContextProfile, "Whether or not to send the proposed optional OpenServiceBroker API Context Profile field")
diff --git a/contrib/hack/start-server.sh b/contrib/hack/start-server.sh
@@ -43,7 +43,7 @@ docker run -d --name apiserver \
 	scbuildimage \
 	bin/apiserver -v 10 --etcd-servers http://localhost:2379 \
 		--insecure-bind-address=0.0.0.0 --insecure-port=8081 \
-		--storage-type=etcd
+		--storage-type=etcd --disable-auth
 
 # Wait for apiserver to be up and running
 echo Waiting for API Server to be available...
diff --git a/contrib/hack/test_walkthrough.sh b/contrib/hack/test_walkthrough.sh
@@ -27,6 +27,7 @@ while [[ $# -gt 0 ]]; do
     --with-tpr)       WITH_TPR=1 ;;
     --cleanup)        CLEANUP=1 ;;
     --create-artifacts) CREATE_ARTIFACTS=1 ;;
+    --fix-auth)   FIX_CONFIGMAP=1 ;;
     *) error_exit "Unrecognized command line parameter: $1" ;;
   esac
   shift
@@ -114,6 +115,14 @@ retry -n 10 \
 
 echo 'Deploying service catalog...'
 
+# The API server automatically provisions the configmap, but we need it to contain the requestheader CA as well,
+# which is only provisioned if you pass the appropriate flags to master.  GKE doesn't do this, so we work around it.
+if [[ -n "${FIX_CONFIGMAP:-}" ]] && [[ -z "$(kubectl --namespace kube-system get configmap extension-apiserver-authentication -o jsonpath="{ $.data['requestheader-client-ca-file'] }")" ]]; then
+    full_configmap=$(kubectl --namespace kube-system get configmap extension-apiserver-authentication -o json)
+    echo "$full_configmap" | jq '.data["requestheader-client-ca-file"] = .data["client-ca-file"]' | kubectl --namespace kube-system update configmap extension-apiserver-authentication -f -
+    [[ -n "$(kubectl --namespace kube-system get configmap extension-apiserver-authentication -o jsonpath="{ $.data['requestheader-client-ca-file'] }")" ]] || { echo "Could not add requestheader auth CA to extension-apiserver-authentication configmap."; exit 1; }
+fi
+
 VALUES='debug=true'
 VALUES+=',insecure=true'
 VALUES+=",controllerManager.image=${CONTROLLER_MANAGER_IMAGE}"
diff --git a/contrib/jenkins/init_cluster.sh b/contrib/jenkins/init_cluster.sh
@@ -45,7 +45,7 @@ gcloud auth activate-service-account \
   || { echo "Cannot activate GCloud service account from ${CREDENTIALS}"; exit 1; }
 
 echo "Creating cluster ${CLUSTERNAME}"
-gcloud container clusters create "${CLUSTERNAME}" --project="${PROJECT}" --zone="${ZONE}" \
+gcloud container clusters create "${CLUSTERNAME}" --project="${PROJECT}" --zone="${ZONE}" --cluster-version 1.6.1 \
   || { echo 'Cannot create cluster.'; exit 1; }
 
 echo "Using cluster ${CLUSTERNAME}."
diff --git a/docs/walkthrough.md b/docs/walkthrough.md
@@ -44,6 +44,17 @@ To install the service catalog system with sensible defaults:
 helm install charts/catalog --name catalog --namespace catalog
 ```
 
+**Note:** The service catalog API server will attempt to automatically obtain CA
+certificates for authentication from from the config map
+`extension-apiserver-authentication` in `kube-system`, which is
+autogenerated by the main Kubernetes API server.  In common setups, all
+the appropriate values will be automatically populated.
+
+However, if you do not see the `requestheader-client-ca-file` value in the
+config map (which is the case on some GKE setups), you can either populate
+the configmap with a valid CA certificate, or set the
+`apiserver.tls.requestHeaderCA` option when installing the Helm chart.
+
 **Note:** In the event you need to start the walkthrough over, the easiest way
 is to execute `helm delete --purge catalog`.
 
diff --git a/test/integration/framework.go b/test/integration/framework.go
@@ -83,6 +83,7 @@ func getFreshApiserverAndClient(t *testing.T, storageTypeStr string) (servicecat
 			TPROptions:            tprOptions,
 			AuthenticationOptions: genericserveroptions.NewDelegatingAuthenticationOptions(),
 			AuthorizationOptions:  genericserveroptions.NewDelegatingAuthorizationOptions(),
+			DisableAuth:           true,
 			StopCh:                stopCh,
 		}
 		options.InsecureServingOptions.BindPort = insecurePort
