kube icon indicating copy to clipboard operation
kube copied to clipboard

Published 20 hours ago verified publisher icon kube-rs

Support `tls-server-name` field of the kubeconfig cluster configuration

Open AntonAM opened this issue 3 years ago • 10 comments

Would you like to work on this feature?

maybe

What problem are you trying to solve?

Currently kube-rs doesn't support tls-server-name for the cluster definition in the kubeconfig and just ignores it. That doesn't allow to specify correct host for the SNI. We felt it when using kubectl-view-allocation k8s plugin with Teleport (issue there: https://github.com/gravitational/teleport/issues/15106 ), where correct server name in the SNI is required to reach right endpoint, since multiple services are multiplexed on one port.

Describe the solution you'd like

Support tls-server-name field as per k8s docs - it should be transferred as part of SNI during TSL handshake.

Describe alternatives you've considered

Documentation, Adoption, Migration Strategy

https://kubernetes.io/docs/reference/config-api/client-authentication.v1/

Target crate for feature

kube-client

AntonAM avatar Aug 24 '22 21:08 AntonAM

This is (afaikt) a feature for authentication for RefreshableToken::Exec bubbling down through our Config from the Kubeconfig's Cluster (where it is supposed to be).

If I understand it right, it involves extending our ExecCredential (in particular the spec), and then do something with it in the auth_exec fn? I'm not really sure what.

I can see some light uses of it in client-go but it doesn't really explain. Help would be appreciated with this one.

clux avatar Aug 30 '22 18:08 clux

IIUC, this setting should be somehow propagated to the TLS library in use (rustls / openssl).

Maybe, these links will help. rustls: https://docs.rs/rustls/latest/rustls/client/trait.ServerCertVerifier.html, https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html#method.set_certificate_verifier openssl: https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.set_servername_callback

MikailBag avatar Sep 11 '22 18:09 MikailBag

As I see, client-go passes tls-server-name to the underlying TLS layer here: https://github.com/kubernetes/client-go/blob/037b5fd01db4432f8f6bb6139ff2b6dd00008b99/transport/transport.go#L94

Documentation for crypto/tls.Config is https://pkg.go.dev/crypto/tls#Config

This specific field is documented as follows:

ServerName is used to verify the hostname on the returned certificates unless InsecureSkipVerify is given. It is also included in the client's handshake to support virtual hosting unless it is an IP address.

MikailBag avatar Sep 17 '22 14:09 MikailBag

@MikailBag yep, you are right, it's and server name to provide to TLS layer, when it connects to the server. And so it can perform necessary checks and SNI can be used correctly 👍

AntonAM avatar Sep 18 '22 19:09 AntonAM

This is now supported for rustls via https://github.com/kube-rs/kube/pull/1104 thanks to @MikailBag 's initial PR and it's released in 0.77.0.

Unfortunately, it is not done for openssl yet (where the upstream pr in hyper-openssl is not responded to) and I couldn't find a way to do it directly .

clux avatar Dec 15 '22 15:12 clux

That crate doesn't seem to be very active, is forking hyper-openssl an option until that PR is merged? 🤔

goenning avatar Apr 05 '23 09:04 goenning

Someone would have to step up to do that type of slog though.

As a potential alternative; we just closed all the rustls issues on main after the last rustls/hyper-rustls bump. So switching to rustls-tls feature should be more viable for apps now.

clux avatar Apr 05 '23 10:04 clux

I'll give it a go, I recall seeing some caveats on README which made me pick openssl instead.

goenning avatar Apr 05 '23 10:04 goenning

Hello, is there some news on this front?

yann-soubeyrand avatar Oct 03 '23 13:10 yann-soubeyrand