pmem-csi-driver: support insecure scheduler endpoint

There are scenarios (for example, OpenShift) where configuring an https URL in the scheduler simply cannot be done (lack of DNS, certificate handling). In that case, a scheduler extender listening on a node port without TLS is better than no scheduler extender. The security risk associated with not using encryption is acceptable because the information is not particularly sensitive (pod names and node names) and what an attacker could learn from that is partly available to anyone anyway (storage capacity on each node).
intel · Jul 15, 2021 · 048767a · 048767a
1 parent fce1017
commit 048767a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/deploy/kustomize/driver/pmem-csi.yaml b/deploy/kustomize/driver/pmem-csi.yaml
@@ -165,6 +165,8 @@ spec:
         - -mode=webhooks
         - -drivername=$(PMEM_CSI_DRIVER_NAME)
         - -nodeSelector={"storage":"pmem"}
+        # ca.crt is present in pmem-csi-intel-com-controller-secret but not required for anything at
+        # the moment.
         - -caFile=/certs/ca.crt
         - -certFile=/certs/tls.crt
         - -keyFile=/certs/tls.key

diff --git a/pkg/pmem-csi-driver/main.go b/pkg/pmem-csi-driver/main.go
@@ -35,9 +35,9 @@ func init() {
 	flag.StringVar(&config.NodeID, "nodeid", "nodeid", "node id")
 	flag.StringVar(&config.Endpoint, "endpoint", "unix:///tmp/pmem-csi.sock", "PMEM CSI endpoint")
 	flag.Var(&config.Mode, "mode", "driver run mode")
-	flag.StringVar(&config.CAFile, "caFile", "ca.pem", "Root CA certificate file to use for verifying connections")
-	flag.StringVar(&config.CertFile, "certFile", "pmem-controller.pem", "SSL certificate file to used by the PMEM-CSI controller for authenticating client connections")
-	flag.StringVar(&config.KeyFile, "keyFile", "pmem-controller-key.pem", "Private key file associated to certificate")
+	flag.StringVar(&config.CAFile, "caFile", "ca.pem", "Root CA certificate file to use for verifying clients (optional, can be empty)")
+	flag.StringVar(&config.CertFile, "certFile", "pmem-controller.pem", "SSL certificate file to be used by the PMEM-CSI controller")
+	flag.StringVar(&config.KeyFile, "keyFile", "pmem-controller-key.pem", "Private key file associated with the certificate")
 
 	flag.Float64Var(&config.KubeAPIQPS, "kube-api-qps", 5, "QPS to use while communicating with the Kubernetes apiserver. Defaults to 5.0.")
 	flag.IntVar(&config.KubeAPIBurst, "kube-api-burst", 10, "Burst to use while communicating with the Kubernetes apiserver. Defaults to 10.")
@@ -47,7 +47,8 @@ func init() {
 	flag.StringVar(&config.metricsPath, "metricsPath", "/metrics", "The HTTP path where prometheus metrics will be exposed. Default is `/metrics`.")
 
 	/* Controller mode options */
-	flag.StringVar(&config.schedulerListen, "schedulerListen", "", "controller: listen address (like :8000) for scheduler extender and mutating webhook, disabled by default")
+	flag.StringVar(&config.schedulerListen, "schedulerListen", "", "controller: HTTPS listen address (like :8000) for scheduler extender and mutating webhook, disabled by default (needs caFile, certFile, keyFile)")
+	flag.StringVar(&config.insecureSchedulerListen, "insecureSchedulerListen", "", "controller: HTTP listen address (like :8001) for scheduler extender and mutating webhook, disabled by default (does not use TLS config)")
 	flag.Var(&config.nodeSelector, "nodeSelector", "controller: reschedule PVCs with a selected node where PMEM-CSI is not meant to run because the node does not have these labels (represented as JSON map)")
 
 	/* Node mode options */

diff --git a/pkg/pmem-csi-driver/pmem-csi-driver.go b/pkg/pmem-csi-driver/pmem-csi-driver.go
@@ -127,7 +127,8 @@ type Config struct {
 	KubeAPIBurst int
 
 	// parameters for Kubernetes scheduler extender
-	schedulerListen string
+	schedulerListen         string
+	insecureSchedulerListen string
 
 	// parameters for rescheduler and raw namespace conversion
 	nodeSelector types.NodeSelector
@@ -236,7 +237,7 @@ func (csid *csiDriver) Run(ctx context.Context) error {
 			}
 		}
 
-		if csid.cfg.schedulerListen != "" {
+		if csid.cfg.schedulerListen != "" || csid.cfg.insecureSchedulerListen != "" {
 			// Factory for the driver's namespace.
 			namespace := os.Getenv("POD_NAMESPACE")
 			if namespace == "" {
@@ -259,8 +260,15 @@ func (csid *csiDriver) Run(ctx context.Context) error {
 			if err != nil {
 				return fmt.Errorf("create scheduler: %v", err)
 			}
-			if _, err := csid.startHTTPSServer(ctx, cancel, csid.cfg.schedulerListen, sched, true /* TLS */); err != nil {
-				return err
+			if csid.cfg.schedulerListen != "" {
+				if _, err := csid.startHTTPSServer(ctx, cancel, csid.cfg.schedulerListen, sched, true /* TLS */); err != nil {
+					return err
+				}
+			}
+			if csid.cfg.insecureSchedulerListen != "" {
+				if _, err := csid.startHTTPSServer(ctx, cancel, csid.cfg.insecureSchedulerListen, sched, false /* not TLS */); err != nil {
+					return err
+				}
 			}
 		}
 
@@ -385,7 +393,7 @@ func (csid *csiDriver) startHTTPSServer(ctx context.Context, cancel func(), list
 	logger := pmemlog.Get(ctx).WithName(name).WithValues("listen", listen)
 	var config *tls.Config
 	if useTLS {
-		c, err := pmemgrpc.LoadServerTLS(ctx, csid.cfg.CAFile, csid.cfg.CertFile, csid.cfg.KeyFile, "")
+		c, err := pmemgrpc.LoadServerTLS(ctx, csid.cfg.CAFile, csid.cfg.CertFile, csid.cfg.KeyFile, "" /* any peer can connect */)
 		if err != nil {
 			return "", fmt.Errorf("initialize HTTPS config: %v", err)
 		}