GoogleCloudPlatform / k8s-cloud-provider

Support code for implementing a Kubernetes cloud provider for Google Cloud Platform
Apache License 2.0

Implement BackendService traits #182

Closed kl52752 closed 5 months ago

kl52752 commented 6 months ago

/cc @mag-kol /cc @AwesomePatrol

/assign @bowei

bowei commented 6 months ago

This seems to be a huge number of optional values. Are we sure we can't just set the outer struct as optional, but leave the rest of the values required?

kl52752 commented 6 months ago

> can't just set the outer struct as optional, but leave the rest of the values required?

BackendService is a very complex structure. Looking at the SecuritySettings field, there are 3 fields, but each of them has restrictions on when it can be set, and these restrictions depend on LoadBalancingScheme.

```go
// Excerpt of the SecuritySettings struct from the compute API Go package;
// AWSV4Signature is defined elsewhere in that package.
type SecuritySettings struct {
    // AwsV4Authentication: The configuration needed to generate a signature
    // for access to private storage buckets that support AWS's Signature
    // Version 4 for authentication. Allowed only for INTERNET_IP_PORT and
    // INTERNET_FQDN_PORT NEG backends.
    AwsV4Authentication *AWSV4Signature `json:"awsV4Authentication,omitempty"`

    // ClientTlsPolicy: Optional. A URL referring to a
    // networksecurity.ClientTlsPolicy resource that describes how clients
    // should authenticate with this service's backends. clientTlsPolicy
    // only applies to a global BackendService with the loadBalancingScheme
    // set to INTERNAL_SELF_MANAGED. If left blank, communications are not
    // encrypted.
    ClientTlsPolicy string `json:"clientTlsPolicy,omitempty"`

    // SubjectAltNames: Optional. A list of Subject Alternative Names (SANs)
    // that the client verifies during a mutual TLS handshake with an
    // server/endpoint for this BackendService. When the server presents its
    // X.509 certificate to the client, the client inspects the
    // certificate's subjectAltName field. If the field contains one of the
    // specified values, the communication continues. Otherwise, it fails.
    // This additional check enables the client to verify that the server is
    // authorized to run the requested service. Note that the contents of
    // the server certificate's subjectAltName field are configured by the
    // Public Key Infrastructure which provisions server identities. Only
    // applies to a global BackendService with loadBalancingScheme set to
    // INTERNAL_SELF_MANAGED. Only applies when BackendService has an
    // attached clientTlsPolicy with clientCertificate (mTLS mode).
    SubjectAltNames []string `json:"subjectAltNames,omitempty"`
}
```

And there are more cases in this model where a field's value depends on other settings.
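The cross-field rules quoted above (each SecuritySettings field is only legal under a particular loadBalancingScheme or backend type, and subjectAltNames only has an effect when a clientTlsPolicy is attached) are the kind of thing a typed wrapper cannot express with "required" vs "optional" alone. The following is an added example, not code from this PR or from k8s-cloud-provider, of encoding those rules as a validation pass. The types are simplified stand-ins constructed for the example, not the google.golang.org/api/compute structs; the `Scope` and `NEGType` fields and the `ValidateSecuritySettings` function are assumptions introduced so the "global" and "NEG backend type" conditions have something to check.

```go
package main

import "fmt"

// Simplified stand-ins constructed for this example; not the real compute API
// structs or the k8s-cloud-provider wrappers. Only the fields that the
// SecuritySettings comments refer to are modelled, plus Scope and NEGType,
// which are assumed here so the scheme and backend-type conditions are testable.
type AWSV4Signature struct {
	AccessKeyID  string
	OriginRegion string
}

type SecuritySettings struct {
	AwsV4Authentication *AWSV4Signature
	ClientTlsPolicy     string
	SubjectAltNames     []string
}

type BackendService struct {
	Name                string
	Scope               string // "global" or "regional" (assumed field)
	LoadBalancingScheme string // e.g. "INTERNAL_SELF_MANAGED", "INTERNAL_MANAGED"
	NEGType             string // network endpoint group type of the backends (assumed field)
	SecuritySettings    *SecuritySettings
}

// ValidateSecuritySettings checks the cross-field rules stated in the API
// comments and returns every violation found (nil or empty means valid), so a
// caller sees the whole picture instead of fixing one field per API round-trip.
func ValidateSecuritySettings(bs *BackendService) []string {
	if bs.SecuritySettings == nil {
		return nil // the outer struct really is optional
	}
	ss := bs.SecuritySettings
	var violations []string

	// awsV4Authentication: allowed only for INTERNET_IP_PORT / INTERNET_FQDN_PORT NEGs.
	if ss.AwsV4Authentication != nil {
		switch bs.NEGType {
		case "INTERNET_IP_PORT", "INTERNET_FQDN_PORT":
			// allowed
		default:
			violations = append(violations, fmt.Sprintf(
				"awsV4Authentication is only allowed for INTERNET_IP_PORT or INTERNET_FQDN_PORT NEG backends, got NEG type %q", bs.NEGType))
		}
	}

	// clientTlsPolicy and subjectAltNames: only a global INTERNAL_SELF_MANAGED service.
	selfManagedGlobal := bs.Scope == "global" && bs.LoadBalancingScheme == "INTERNAL_SELF_MANAGED"
	if ss.ClientTlsPolicy != "" && !selfManagedGlobal {
		violations = append(violations, fmt.Sprintf(
			"clientTlsPolicy only applies to a global BackendService with loadBalancingScheme INTERNAL_SELF_MANAGED (scope=%q, scheme=%q)", bs.Scope, bs.LoadBalancingScheme))
	}
	if len(ss.SubjectAltNames) > 0 {
		if !selfManagedGlobal {
			violations = append(violations, fmt.Sprintf(
				"subjectAltNames only applies to a global BackendService with loadBalancingScheme INTERNAL_SELF_MANAGED (scope=%q, scheme=%q)", bs.Scope, bs.LoadBalancingScheme))
		}
		// SANs are only verified in mTLS mode, i.e. when a clientTlsPolicy is
		// attached. Setting them alone yields no server identity check at all.
		if ss.ClientTlsPolicy == "" {
			violations = append(violations,
				"subjectAltNames is set but no clientTlsPolicy is attached, so the SAN check never runs")
		}
	}
	return violations
}

func main() {
	// Constructed samples: a correctly configured mTLS service, and a regional
	// INTERNAL_MANAGED service that sets all three fields where none apply.
	good := &BackendService{
		Name: "bs-mesh", Scope: "global", LoadBalancingScheme: "INTERNAL_SELF_MANAGED",
		SecuritySettings: &SecuritySettings{
			ClientTlsPolicy: "projects/example/locations/global/clientTlsPolicies/mesh-mtls",
			SubjectAltNames: []string{"spiffe://example.test/ns/default/sa/backend"},
		},
	}
	bad := &BackendService{
		Name: "bs-regional", Scope: "regional", LoadBalancingScheme: "INTERNAL_MANAGED",
		NEGType: "GCE_VM_IP_PORT",
		SecuritySettings: &SecuritySettings{
			AwsV4Authentication: &AWSV4Signature{AccessKeyID: "EXAMPLEKEYID", OriginRegion: "us-east-1"},
			ClientTlsPolicy:     "projects/example/locations/global/clientTlsPolicies/x",
			SubjectAltNames:     []string{"backend.example.test"},
		},
	}
	for _, bs := range []*BackendService{good, bad} {
		violations := ValidateSecuritySettings(bs)
		fmt.Printf("%s: %d violation(s)\n", bs.Name, len(violations))
		for _, v := range violations {
			fmt.Println("  -", v)
		}
	}
}
```

The check that matters most from a security standpoint is the last one: `subjectAltNames` without an attached `clientTlsPolicy` is silently ignored by the API, so a wrapper that accepts it without complaint lets an operator believe server identity is being pinned when it is not.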

bowei commented 5 months ago

We should file a TODO to track making this less verbose/onerous to deal with.

/lgtm /approve

google-oss-prow[bot] commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, kl52752

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/GoogleCloudPlatform/k8s-cloud-provider/blob/master/OWNERS)~~ [bowei]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.