Support loading a custom TLS server name from kubeconfig #270

Merged
merged 1 commit into from
Dec 30, 2023
Merged
4 changes: 4 additions & 0 deletions kubernetes_asyncio/client/configuration.py
Expand Up @@ -189,6 +189,10 @@ def __init__(self, host=None,
self.assert_hostname = None
"""Set this to True/False to enable/disable SSL hostname verification.
"""
self.tls_server_name = None
"""SSL/TLS Server Name Indication (SNI)
Set this to the SNI value expected by Kubernetes API.
"""

self.connection_pool_maxsize = 100
"""This value is passed to the aiohttp to limit simultaneous connections.
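Review bot: The docstring on the new `tls_server_name` attribute describes it as SNI only, but the rest client in this PR forwards it as aiohttp's `server_hostname`, which asyncio also uses as the name the server certificate must match while hostname verification is enabled, so the setting changes which certificate is accepted, not only which name goes into the ClientHello. Suggest the docstring read: `"""Server name used for the TLS connection: sent as SNI and, when hostname verification is enabled, the name the API server's certificate must match. Mirrors the kubeconfig cluster field ``tls-server-name``; when None the host from the URL is used."""`. The enclosing `__init__` starts outside this hunk.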
5 changes: 5 additions & 0 deletions kubernetes_asyncio/client/rest.py
Expand Up @@ -56,6 +56,8 @@
configuration.cert_file, keyfile=configuration.key_file
)

self.server_hostname = configuration.tls_server_name

if not configuration.verify_ssl:
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
Expand Down Expand Up @@ -135,6 +137,9 @@
if query_params:
args["url"] += '?' + urlencode(query_params)

if self.server_hostname:
args["server_hostname"] = self.server_hostname

# For `POST`, `PUT`, `PATCH`, `OPTIONS`, `DELETE`
if method in ['POST', 'PUT', 'PATCH', 'OPTIONS', 'DELETE']:
if (
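Review bot: Neither hunk records that `args["server_hostname"]` is a request keyword aiohttp only accepts from 3.9.0, which appears to be the reason for the requirements.txt bump in this same PR; a reader of rest.py alone cannot see that coupling. Suggest a comment above the new `if self.server_hostname:` such as `# Overrides SNI and the certificate hostname check (kubeconfig tls-server-name); request kwarg requires aiohttp>=3.9.0`. Next to `self.server_hostname = configuration.tls_server_name` it is also worth noting that when `verify_ssl` is False the `check_hostname = False` two lines below means the name then only selects SNI and no longer constrains the certificate. Both enclosing methods start outside their hunks, and the same lines are duplicated in scripts/rest_client_server_hostname_patch.diff, so any later edit here has to be mirrored there or the regeneration patch will stop applying.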
4 changes: 3 additions & 1 deletion kubernetes_asyncio/config/kube_config.py
Expand Up @@ -393,14 +393,16 @@ def _load_cluster_info(self):
temp_file_path=self._temp_file_path).as_file()
if 'insecure-skip-tls-verify' in self._cluster:
self.verify_ssl = not self._cluster['insecure-skip-tls-verify']
if 'tls-server-name' in self._cluster:
self.tls_server_name = self._cluster['tls-server-name']

def _set_config(self, client_configuration):

if 'token' in self.__dict__:
client_configuration.api_key['BearerToken'] = self.token

# copy these keys directly from self to configuration object
keys = ['host', 'ssl_ca_cert', 'cert_file', 'key_file', 'verify_ssl']
keys = ['host', 'ssl_ca_cert', 'cert_file', 'key_file', 'verify_ssl', 'tls_server_name']
for key in keys:
if key in self.__dict__:
setattr(client_configuration, key, getattr(self, key))
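Review bot: `self.tls_server_name = self._cluster['tls-server-name']` forwards whatever the kubeconfig holds without checking that it is a non-empty string; an empty value is later dropped silently by the rest client's truthiness check in this PR, and a non-string would only surface as an error deep inside aiohttp. Because this value decides which certificate name the client accepts, a malformed entry should fail at load time: `name = self._cluster['tls-server-name']` / `if not isinstance(name, str) or not name: raise ConfigException('tls-server-name must be a non-empty string')` / `self.tls_server_name = name`, ConfigException being the exception this loader already raises for bad kubeconfig data if I read the module correctly. `_load_cluster_info` starts outside this hunk.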
34 changes: 34 additions & 0 deletions kubernetes_asyncio/config/kube_config_test.py
Expand Up @@ -72,6 +72,7 @@ def _raise_exception(st):
TEST_CLIENT_KEY_BASE64 = _base64(TEST_CLIENT_KEY)
TEST_CLIENT_CERT = "client-cert"
TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
TEST_TLS_SERVER_NAME = "kubernetes.io"

TEST_OIDC_TOKEN = "test-oidc-token"
TEST_OIDC_INFO = "{\"name\": \"test\"}"
Expand Down Expand Up @@ -443,6 +444,13 @@ class TestKubeConfigLoader(BaseTestCase):
"user": "exec_cred_user_certificate"
}
},
{
"name": "tls-server-name",
"context": {
"cluster": "tls-server-name",
"user": "ssl"
}
},
],
"clusters": [
{
Expand Down Expand Up @@ -488,6 +496,16 @@ class TestKubeConfigLoader(BaseTestCase):
"insecure-skip-tls-verify": False,
}
},
{
"name": "tls-server-name",
"cluster": {
"server": TEST_SSL_HOST,
"certificate-authority-data":
TEST_CERTIFICATE_AUTH_BASE64,
"insecure-skip-tls-verify": False,
"tls-server-name": TEST_TLS_SERVER_NAME,
}
},
],
"users": [
{
Expand Down Expand Up @@ -863,6 +881,22 @@ async def test_ssl_verification(self):
active_context="ssl_verification").load_and_set(actual)
self.assertEqual(expected, actual)

async def test_tls_server_name(self):
expected = FakeConfig(
host=TEST_SSL_HOST,
token=BEARER_TOKEN_FORMAT % TEST_DATA_BASE64,
cert_file=self._create_temp_file(TEST_CLIENT_CERT),
key_file=self._create_temp_file(TEST_CLIENT_KEY),
ssl_ca_cert=self._create_temp_file(TEST_CERTIFICATE_AUTH),
verify_ssl=True,
tls_server_name=TEST_TLS_SERVER_NAME
)
actual = FakeConfig()
await KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
active_context="tls-server-name").load_and_set(actual)
self.assertEqual(expected, actual)

def test_list_contexts(self):
loader = KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
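Review bot: The new `test_tls_server_name` only checks that the loader copies the value into the configuration; the rest.py lines that actually pass `server_hostname` to aiohttp are left untested, as the coverage annotation on this PR's rest.py section points out. A test that builds a `RESTClientObject` from a configuration with `tls_server_name` set and asserts the prepared request arguments carry `server_hostname` would pin the security-relevant half of the feature. A second fixture combining `tls-server-name` with `insecure-skip-tls-verify: true` would also document what the client does in that mix, since the name then only affects SNI.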
2 changes: 1 addition & 1 deletion requirements.txt
Expand Up @@ -4,4 +4,4 @@ python-dateutil>=2.5.3 # BSD
setuptools>=21.0.0 # PSF/ZPL
urllib3>=1.24.2 # MIT
pyyaml>=3.12 # MIT
aiohttp>=3.7.0,<4.0.0 # # Apache-2.0
aiohttp>=3.9.0,<4.0.0 # # Apache-2.0
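--- a/scripts/rest_client_server_hostname_patch.diff
+++ b/scripts/rest_client_server_hostname_patch.diff
@@ -0,0 +1,23 @@
+diff --git a/kubernetes_asyncio/client/rest.py b/kubernetes_asyncio/client/rest.py
+index c5be7990..9e0daab4 100644
+--- a/kubernetes_asyncio/client/rest.py
++++ b/kubernetes_asyncio/client/rest.py
+@@ -56,6 +56,8 @@ class RESTClientObject(object):
+configuration.cert_file, keyfile=configuration.key_file
+)
+
++ self.server_hostname = configuration.tls_server_name
++
+if not configuration.verify_ssl:
+ssl_context.check_hostname = False
+ssl_context.verify_mode = ssl.CERT_NONE
+@@ -135,6 +137,9 @@ class RESTClientObject(object):
+if query_params:
+args["url"] += '?' + urlencode(query_params)
+
++ if self.server_hostname:
++ args["server_hostname"] = self.server_hostname
++
+# For `POST`, `PUT`, `PATCH`, `OPTIONS`, `DELETE`
+if method in ['POST', 'PUT', 'PATCH', 'OPTIONS', 'DELETE']:
+if re.search('json', headers['Content-Type'], re.IGNORECASE):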
2 changes: 2 additions & 0 deletions scripts/update-client.sh
Expand Up @@ -68,6 +68,8 @@ echo ">>> fix generated rest client for patching with strategic merge..."
patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_patch.diff"
echo ">>> fix generated rest client by increasing aiohttp read buffer to 2MiB..."
patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_patch_read_bufsize.diff"
echo ">>> fix generated rest client to support customer server hostname TLS verification..."
patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_server_hostname_patch.diff"


echo ">>> Remove invalid tests (workaround https://github.com/OpenAPITools/openapi-generator/issues/5377)"
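Review bot: The new echo line reads `customer server hostname` where `custom server hostname` is meant; suggest `echo ">>> fix generated rest client to support custom server hostname TLS verification..."`. The added patch step is otherwise consistent with the two preceding ones.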