avoid reloading keystone ca file for every request

remove comma in known-flags
kubernetes · Nov 1, 2016 · c3e42e1 · c3e42e1
1 parent 67749d6
commit c3e42e1
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 21 deletions.
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
@@ -189,7 +189,7 @@ experimental-bootstrap-kubeconfig
 experimental-keystone-url
 experimental-mounter-path
 experimental-mounter-rootfs-path
-experimental-keystone-ca-file,
+experimental-keystone-ca-file
 experimental-nvidia-gpus
 experimental-prefix
 experimental-runtime-integration-type

diff --git a/pkg/genericapiserver/options/server_run_options.go b/pkg/genericapiserver/options/server_run_options.go
@@ -380,9 +380,8 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"If passed, activates the keystone authentication plugin.")
 
 	fs.StringVar(&s.KeystoneCAFile, "experimental-keystone-ca-file", s.KeystoneCAFile, ""+
-		"If set, any keystone request presenting a client certificate signed by one of "+
-		"the authorities in the experimental-keystone-ca-file is authenticated with an identity "+
-		"corresponding to the CommonName of the client certificate.")
+		"If set, the Keystone server's certificate will be verified by one of the authorities "+
+		"in the experimental-keystone-ca-file, otherwise the host's root CA set will be used.")
 
 	// See #14282 for details on how to test/try this option out.
 	// TODO: remove this comment once this option is tested in CI.

diff --git a/plugin/pkg/auth/authenticator/password/keystone/keystone.go b/plugin/pkg/auth/authenticator/password/keystone/keystone.go
@@ -27,13 +27,15 @@ import (
 	"github.com/rackspace/gophercloud/openstack"
 	"k8s.io/kubernetes/pkg/auth/user"
 	certutil "k8s.io/kubernetes/pkg/util/cert"
+	netutil "k8s.io/kubernetes/pkg/util/net"
 )
 
 // KeystoneAuthenticator contacts openstack keystone to validate user's credentials passed in the request.
 // The keystone endpoint is passed during apiserver startup
 type KeystoneAuthenticator struct {
 	authURL string
-	caFile  string
+	TLSClientConfig *tls.Config
+	caFile string
 }
 
 // AuthenticatePassword checks the username, password via keystone call
@@ -44,7 +46,7 @@ func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatePassword(usernam
 		Password:         password,
 	}
 
-	_, err := AuthenticatedClient(opts, keystoneAuthenticator.caFile)
+	_, err := keystoneAuthenticator.AuthenticatedClient(opts)
 	if err != nil {
 		glog.Info("Failed: Starting openstack authenticate client:" + err.Error())
 		return nil, false, errors.New("Failed to authenticate")
@@ -55,30 +57,20 @@ func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatePassword(usernam
 
 // AuthenticatedClient logs in to an OpenStack cloud found at the identity endpoint specified by options, acquires a
 // token, and returns a Client instance that's ready to operate.
-func AuthenticatedClient(options gophercloud.AuthOptions, caFile string) (*gophercloud.ProviderClient, error) {
+func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticatedClient(options gophercloud.AuthOptions) (*gophercloud.ProviderClient, error) {
 	client, err := openstack.NewClient(options.IdentityEndpoint)
 	if err != nil {
 		return nil, err
 	}
 
-	config := &tls.Config{}
-	if caFile !="" {
-		roots, err := certutil.NewPool(caFile)
-		if err != nil {
-			return nil, err
-		}
-		config.RootCAs = roots
+	if keystoneAuthenticator.caFile != "" {
+		client.HTTPClient.Transport = netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: keystoneAuthenticator.TLSClientConfig})
 	}
-	client.HTTPClient.Transport = &http.Transport{TLSClientConfig: config, }
 
 	err = openstack.Authenticate(client, options)
-	if err != nil {
-		return nil, err
-	}
-	return client, nil
+	return client, err
 }
 
-
 // NewKeystoneAuthenticator returns a password authenticator that validates credentials using openstack keystone
 func NewKeystoneAuthenticator(authURL string, caFile string) (*KeystoneAuthenticator, error) {
 	if !strings.HasPrefix(authURL, "https") {
@@ -87,6 +79,15 @@ func NewKeystoneAuthenticator(authURL string, caFile string) (*KeystoneAuthentic
 	if authURL == "" {
 		return nil, errors.New("Auth URL is empty")
 	}
+	if caFile != "" {
+		roots, err := certutil.NewPool(caFile)
+		if err != nil {
+			return nil, err
+		}
+		config := &tls.Config{}
+		config.RootCAs = roots
+		return &KeystoneAuthenticator{authURL, config, caFile}, nil
+	}
 
-	return &KeystoneAuthenticator{authURL, caFile}, nil
+	return &KeystoneAuthenticator{authURL: authURL}, nil
 }