Merge pull request #130560 from stlaz/remote-uid-config-beta

RemoteRequestHeaderUID: bump to beta, enabled by default
2025-07-23 11:50:44 +00:00 · 2025-03-18 06:31:49 -07:00 · 2025-03-18 06:31:49 -07:00 · 8312d8e85e
commit 8312d8e85e
parent 8559194e11 b3890d9fa0
4 changed files with 72 additions and 61 deletions
--- a/pkg/features/versioned_kube_features.go
+++ b/pkg/features/versioned_kube_features.go
@ -299,6 +299,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate

 	genericfeatures.RemoteRequestHeaderUID: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
 	},

 	genericfeatures.ResilientWatchCacheInitialization: {
--- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
@ -343,6 +343,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate

 	RemoteRequestHeaderUID: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
 	},

 	ResilientWatchCacheInitialization: {
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
@ -57,7 +57,6 @@ import (
 	utilflowcontrol "k8s.io/apiserver/pkg/util/flowcontrol"
 	apiserverproxyutil "k8s.io/apiserver/pkg/util/proxy"
 	"k8s.io/client-go/transport"
-	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/legacyregistry"
@ -134,10 +133,11 @@ func TestProxyHandler(t *testing.T) {
 		expectedCalled     bool
 		expectedHeaders    map[string][]string

-		enableFeatureGates []featuregate.Feature
+		remoteRequestHeaderUIDFeature bool
 	}{
 		"no target": {
-			expectedStatusCode: http.StatusNotFound,
+			expectedStatusCode:            http.StatusNotFound,
+			remoteRequestHeaderUIDFeature: true,
 		},
 		"no user": {
 			apiService: &apiregistration.APIService{
@ -153,8 +153,43 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusInternalServerError,
-			expectedBody:       "missing user",
+			expectedStatusCode:            http.StatusInternalServerError,
+			expectedBody:                  "missing user",
+			remoteRequestHeaderUIDFeature: true,
+		},
+		"[-RemoteRequestHeaderUID] proxy with user, insecure": {
+			user: &user.DefaultInfo{
+				Name:   "username",
+				UID:    "6b60d791-1af9-4513-92e5-e4252a1e0a78",
+				Groups: []string{"one", "two"},
+			},
+			path: "/request/path",
+			apiService: &apiregistration.APIService{
+				ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
+				Spec: apiregistration.APIServiceSpec{
+					Service:               &apiregistration.ServiceReference{Port: ptr.To[int32](443)},
+					Group:                 "foo",
+					Version:               "v1",
+					InsecureSkipTLSVerify: true,
+				},
+				Status: apiregistration.APIServiceStatus{
+					Conditions: []apiregistration.APIServiceCondition{
+						{Type: apiregistration.Available, Status: apiregistration.ConditionTrue},
+					},
+				},
+			},
+			remoteRequestHeaderUIDFeature: false,
+			expectedStatusCode:            http.StatusOK,
+			expectedCalled:                true,
+			expectedHeaders: map[string][]string{
+				"X-Forwarded-Proto": {"https"},
+				"X-Forwarded-Uri":   {"/request/path"},
+				"X-Forwarded-For":   {"127.0.0.1"},
+				"X-Remote-User":     {"username"},
+				"User-Agent":        {"Go-http-client/1.1"},
+				"Accept-Encoding":   {"gzip"},
+				"X-Remote-Group":    {"one", "two"},
+			},
 		},
 		"proxy with user, insecure": {
 			user: &user.DefaultInfo{
@ -177,19 +212,21 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusOK,
-			expectedCalled:     true,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusOK,
+			expectedCalled:                true,
 			expectedHeaders: map[string][]string{
 				"X-Forwarded-Proto": {"https"},
 				"X-Forwarded-Uri":   {"/request/path"},
 				"X-Forwarded-For":   {"127.0.0.1"},
 				"X-Remote-User":     {"username"},
+				"X-Remote-Uid":      {"6b60d791-1af9-4513-92e5-e4252a1e0a78"},
 				"User-Agent":        {"Go-http-client/1.1"},
 				"Accept-Encoding":   {"gzip"},
 				"X-Remote-Group":    {"one", "two"},
 			},
 		},
-		"[RemoteRequestHeaderUID] proxy with user, insecure": {
+		"[-RemoteRequestHeaderUID] proxy with user, cabundle": {
 			user: &user.DefaultInfo{
 				Name:   "username",
 				UID:    "6b60d791-1af9-4513-92e5-e4252a1e0a78",
@ -199,10 +236,10 @@ func TestProxyHandler(t *testing.T) {
 			apiService: &apiregistration.APIService{
 				ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
 				Spec: apiregistration.APIServiceSpec{
-					Service:               &apiregistration.ServiceReference{Port: ptr.To[int32](443)},
-					Group:                 "foo",
-					Version:               "v1",
-					InsecureSkipTLSVerify: true,
+					Service:  &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)},
+					Group:    "foo",
+					Version:  "v1",
+					CABundle: testCACrt,
 				},
 				Status: apiregistration.APIServiceStatus{
 					Conditions: []apiregistration.APIServiceCondition{
@ -210,15 +247,14 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID},
-			expectedStatusCode: http.StatusOK,
-			expectedCalled:     true,
+			remoteRequestHeaderUIDFeature: false,
+			expectedStatusCode:            http.StatusOK,
+			expectedCalled:                true,
 			expectedHeaders: map[string][]string{
 				"X-Forwarded-Proto": {"https"},
 				"X-Forwarded-Uri":   {"/request/path"},
 				"X-Forwarded-For":   {"127.0.0.1"},
 				"X-Remote-User":     {"username"},
-				"X-Remote-Uid":      {"6b60d791-1af9-4513-92e5-e4252a1e0a78"},
 				"User-Agent":        {"Go-http-client/1.1"},
 				"Accept-Encoding":   {"gzip"},
 				"X-Remote-Group":    {"one", "two"},
@ -245,42 +281,9 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusOK,
-			expectedCalled:     true,
-			expectedHeaders: map[string][]string{
-				"X-Forwarded-Proto": {"https"},
-				"X-Forwarded-Uri":   {"/request/path"},
-				"X-Forwarded-For":   {"127.0.0.1"},
-				"X-Remote-User":     {"username"},
-				"User-Agent":        {"Go-http-client/1.1"},
-				"Accept-Encoding":   {"gzip"},
-				"X-Remote-Group":    {"one", "two"},
-			},
-		},
-		"[RemoteRequestHeaderUID] proxy with user, cabundle": {
-			user: &user.DefaultInfo{
-				Name:   "username",
-				UID:    "6b60d791-1af9-4513-92e5-e4252a1e0a78",
-				Groups: []string{"one", "two"},
-			},
-			path: "/request/path",
-			apiService: &apiregistration.APIService{
-				ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
-				Spec: apiregistration.APIServiceSpec{
-					Service:  &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)},
-					Group:    "foo",
-					Version:  "v1",
-					CABundle: testCACrt,
-				},
-				Status: apiregistration.APIServiceStatus{
-					Conditions: []apiregistration.APIServiceCondition{
-						{Type: apiregistration.Available, Status: apiregistration.ConditionTrue},
-					},
-				},
-			},
-			enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID},
-			expectedStatusCode: http.StatusOK,
-			expectedCalled:     true,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusOK,
+			expectedCalled:                true,
 			expectedHeaders: map[string][]string{
 				"X-Forwarded-Proto": {"https"},
 				"X-Forwarded-Uri":   {"/request/path"},
@ -313,7 +316,8 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusServiceUnavailable,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusServiceUnavailable,
 		},
 		"service unresolveable": {
 			user: &user.DefaultInfo{
@ -337,7 +341,8 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusServiceUnavailable,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusServiceUnavailable,
 		},
 		"fail on bad serving cert": {
 			user: &user.DefaultInfo{
@ -359,7 +364,8 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			expectedStatusCode: http.StatusServiceUnavailable,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusServiceUnavailable,
 		},
 		"fail on bad serving cert w/o SAN and increase SAN error counter metrics": {
 			user: &user.DefaultInfo{
@ -382,9 +388,10 @@ func TestProxyHandler(t *testing.T) {
 					},
 				},
 			},
-			serviceCertOverride:    svcCrtNoSAN,
-			increaseSANWarnCounter: true,
-			expectedStatusCode:     http.StatusServiceUnavailable,
+			serviceCertOverride:           svcCrtNoSAN,
+			increaseSANWarnCounter:        true,
+			remoteRequestHeaderUIDFeature: true,
+			expectedStatusCode:            http.StatusServiceUnavailable,
 		},
 	}

@ -394,9 +401,7 @@ func TestProxyHandler(t *testing.T) {
 		legacyregistry.Reset()

 		t.Run(name, func(t *testing.T) {
-			for _, f := range tc.enableFeatureGates {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RemoteRequestHeaderUID, tc.remoteRequestHeaderUIDFeature)

 			targetServer := httptest.NewUnstartedServer(target)
 			serviceCert := tc.serviceCertOverride
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@ -1117,6 +1117,10 @@
    lockToDefault: false
    preRelease: Alpha
    version: "1.32"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.33"
 - name: ResilientWatchCacheInitialization
  versionedSpecs:
  - default: true