This change updates the transport.Config .Dial and .TLS.GetCert fields
to use a struct wrapper. This indirection via a pointer allows the
functions to be compared and thus makes them valid to use as map keys.
This change is then leveraged by the existing global exec auth and TLS
config caches to return the same authenticator and TLS config even when
distinct but identical rest configs were used to create distinct
clientsets.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 831d95b6a021c2767effe85e461309cb6a0fdcec
enhance client-go DebugURLTiming roundtripper using golang httptrace
to provide timing statistics for:
- dns lookup
- tcp dialing
- tls handshake
- time to get a connection from the pool
- time to process a request
Kubernetes-commit: 72c35be086fed5f70fd11dc96ca34298573bff05
* Updates ImpersonationConfig in rest/config.go to include UID
attribute, and pass it through when copying the config
* Updates ImpersonationConfig in transport/config.go to include UID
attribute
* In transport/round_tripper.go, Set the "Impersonate-Uid" header in
requests based on the UID value in the config
* Update auth_test.go integration test to specify a UID through the new
rest.ImpersonationConfig field rather than manually setting the
Impersonate-Uid header
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Kubernetes-commit: d9ddfb26e10ee353fc4617b66d2c9274bf6d1c08
* Fix staticcheck failures for vendor/k8s.io/client-go/transport
* avoid the possibility of a hang
Kubernetes-commit: 02d20442a5a5f5e1d3f1ef8e6fb14945462bc36c
`debuggingRoundTripper` is a useful throbleshooting tool to debug of Kubernetes API requests and their timing.
Unfortunately, as of today, it can only be used via the `DebugWrappers` function, which automatically adjust the amount of debug information exposed by the roundTripper based on the configured `klog` verbosity.
While `DebugWrappers` definitely fits the purpose for clients using `klog`, this is currently hard to be used for controllers using `controller-runtime`, which uses `github.com/go-logr/logr` for logging.
In this PR we change the visibility of `newDebuggingRoundTripper` and `debugLevel` in order to be directly accessible from users of the `k8s.io/client-go/transport` package.
In particular, the changes proposed in this PR allow users of `controller-runtime` to use the `debuggingRoundTripper` to intercept Kubernetes API requests as follows
```go
import (
ctrl "sigs.k8s.io/controller-runtime"
)
func init() {
ctrl.SetLogger(zap.New())
}
func main() {
// wrap the http transport used by the Kubernetes client
restConfig, err := ctrl.GetConfig()
checkError(setupLog, err, "unable to get kubernetes client config")
restConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
return transport.NewDebuggingRoundTripper(rt, transport.DebugJustURL)
})
...
}
```
Kubernetes-commit: 8de53ce96cb58d56fd00e91d8bcf7761ab498b83
The bazel test failures are caused by (oauth2: turn Transport.CancelRequest into a no-op)[858c2ad4c8]:
0f29369cfe...858c2ad4c8
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: eea0fea657e5955dedcb6e39bad4dca57d70553c
With support of http, https, and socks5 proxy support. We already
support configuring this via environmnet variables, but this approach
becomes inconvenient dealing with multiple clusters on different
networks, that require different proxies to connect to. Most solutions
require wrapping clients (like kubectl) in bash scripts.
Part of: https://github.com/kubernetes/client-go/issues/351
Kubernetes-commit: f3f666d5f1f6f74a8c948a5c64af993696178244
Introduce a verbosity level for the start and stop notifications,
so that regular calls to commands such as:
"kubectl auth ..."
would only contain the "yes" / "no" output.
Kubernetes-commit: b2677b1e572ae1cd8b823683e88005b7857d8938
Close outbound connections when using a cert callback and certificates rotate. This means that we won't get into a situation where we have open TLS connections using expires certs, which would get unauthorized errors at the apiserver
Attempt to retrieve a new certificate if open connections near expiry, to prevent the case where the cert expires but we haven't yet opened a new TLS connection and so GetClientCertificate hasn't been called.
Move certificate rotation logic to a separate function
Rely on generic transport approach to handle closing TLS client connections in exec plugin; no need to use a custom dialer as this is now the default behaviour of the transport when faced with a cert callback. As a result of handling this case, it is now safe to apply the transport approach even in cases where there is a custom Dialer (this will not affect kubelet connrotation behaviour, because that uses a custom transport, not just a dialer).
Check expiry of the full TLS certificate chain that will be presented, not only the leaf. Only do this check when the certificate actually rotates. Start the certificate as a zero value, not nil, so that we don't see a rotation when there is in fact no client certificate
Drain the timer when we first initialize it, to prevent immediate rotation. Additionally, calling Stop() on the timer isn't necessary.
Don't close connections on the first 'rotation'
Remove RotateCertFromDisk and RotateClientCertFromDisk flags.
Instead simply default to rotating certificates from disk whenever files are exclusively provided.
Add integration test for client certificate rotation
Simplify logic; rotate every 5 mins
Instead of trying to be clever and checking for rotation just before an
expiry, let's match the logic of the new apiserver cert rotation logic
as much as possible. We write a controller that checks for rotation
every 5 mins. We also check on every new connection.
Respond to review
Fix kubelet certificate rotation logic
The kubelet rotation logic seems to be broken because it expects its
cert files to end up as cert data whereas in fact they end up as a
callback. We should just call the tlsConfig GetCertificate callback
as this obtains a current cert even in cases where a static cert is
provided, and check that for validity.
Later on we can refactor all of the kubelet logic so that all it does is
write files to disk, and the cert rotation work does the rest.
Only read certificates once a second at most
Respond to review
1) Don't blat the cert file names
2) Make it more obvious where we have a neverstop
3) Naming
4) Verbosity
Avoid cache busting
Use filenames as cache keys when rotation is enabled, and add the
rotation later in the creation of the transport.
Caller should start the rotating dialer
Add continuous request rotation test
Rebase: use context in List/Watch
Swap goroutine around
Retry GETs on net.IsProbableEOF
Refactor certRotatingDialer
For simplicity, don't affect cert callbacks
To reduce change surface, lets not try to handle the case of a changing
GetCert callback in this PR. Reverting this commit should be sufficient
to handle that case in a later PR.
This PR will focus only on rotating certificate and key files.
Therefore, we don't need to modify the exec auth plugin.
Fix copyright year
Kubernetes-commit: 929b1559a0b855d996257ab3ad5364605edc253d
Golang automatically enables transport level gzip, but local network
clients may wish to disable it for better CPU usage and lower latency
(scheduler, controller-manager). Allow DisableCompression on rest.Config
to modify the underlying transport. This impacts the transport cache,
but it is expected that most clients connecting to the same servers
within a process will have the same compression config.
Kubernetes-commit: dee6de70d0e4ad381bd5de01b6d1fbd4fde004bc
The ContextCanceller transport wrapper blocks all API requests
after the provided context is closed. Used with the leader election
step down, a controller can ensure that new requests are not made
after the client has stepped down.
Kubernetes-commit: fe74efb1f90826b1903d2908ff9e528329bebea0
Properly wrapping a transport can be tricky. Make the normal case
(adding a non-nil transport wrapper to a config) easier with a helper.
Also enforce a rough ordering, which in the future we can use to
simplify the WrapTransport mechanism down into an array of functions
we execute in order and avoid wrapping altogether.
Kubernetes-commit: 1f590e697ef64812620c787720b4b5942027e4a1
