diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go index 94125ad9b19..446ecb8d524 100644 --- a/pkg/features/versioned_kube_features.go +++ b/pkg/features/versioned_kube_features.go @@ -299,6 +299,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate genericfeatures.RemoteRequestHeaderUID: { {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, }, genericfeatures.ResilientWatchCacheInitialization: { diff --git a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go index e7fab291aa4..ed30e1d70ba 100644 --- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go +++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go @@ -343,6 +343,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate RemoteRequestHeaderUID: { {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, }, ResilientWatchCacheInitialization: { diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go index a19cdd22fad..a15ea8aa4e7 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go @@ -57,7 +57,6 @@ import ( utilflowcontrol "k8s.io/apiserver/pkg/util/flowcontrol" apiserverproxyutil "k8s.io/apiserver/pkg/util/proxy" "k8s.io/client-go/transport" - "k8s.io/component-base/featuregate" featuregatetesting "k8s.io/component-base/featuregate/testing" "k8s.io/component-base/metrics" "k8s.io/component-base/metrics/legacyregistry" @@ -134,10 +133,11 @@ func TestProxyHandler(t *testing.T) { expectedCalled bool expectedHeaders map[string][]string - enableFeatureGates []featuregate.Feature + remoteRequestHeaderUIDFeature bool }{ "no target": { - expectedStatusCode: http.StatusNotFound, + expectedStatusCode: http.StatusNotFound, + remoteRequestHeaderUIDFeature: true, }, "no user": { apiService: &apiregistration.APIService{ @@ -153,8 +153,43 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusInternalServerError, - expectedBody: "missing user", + expectedStatusCode: http.StatusInternalServerError, + expectedBody: "missing user", + remoteRequestHeaderUIDFeature: true, + }, + "[-RemoteRequestHeaderUID] proxy with user, insecure": { + user: &user.DefaultInfo{ + Name: "username", + UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78", + Groups: []string{"one", "two"}, + }, + path: "/request/path", + apiService: &apiregistration.APIService{ + ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"}, + Spec: apiregistration.APIServiceSpec{ + Service: &apiregistration.ServiceReference{Port: ptr.To[int32](443)}, + Group: "foo", + Version: "v1", + InsecureSkipTLSVerify: true, + }, + Status: apiregistration.APIServiceStatus{ + Conditions: []apiregistration.APIServiceCondition{ + {Type: apiregistration.Available, Status: apiregistration.ConditionTrue}, + }, + }, + }, + remoteRequestHeaderUIDFeature: false, + expectedStatusCode: http.StatusOK, + expectedCalled: true, + expectedHeaders: map[string][]string{ + "X-Forwarded-Proto": {"https"}, + "X-Forwarded-Uri": {"/request/path"}, + "X-Forwarded-For": {"127.0.0.1"}, + "X-Remote-User": {"username"}, + "User-Agent": {"Go-http-client/1.1"}, + "Accept-Encoding": {"gzip"}, + "X-Remote-Group": {"one", "two"}, + }, }, "proxy with user, insecure": { user: &user.DefaultInfo{ @@ -177,19 +212,21 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusOK, - expectedCalled: true, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusOK, + expectedCalled: true, expectedHeaders: map[string][]string{ "X-Forwarded-Proto": {"https"}, "X-Forwarded-Uri": {"/request/path"}, "X-Forwarded-For": {"127.0.0.1"}, "X-Remote-User": {"username"}, + "X-Remote-Uid": {"6b60d791-1af9-4513-92e5-e4252a1e0a78"}, "User-Agent": {"Go-http-client/1.1"}, "Accept-Encoding": {"gzip"}, "X-Remote-Group": {"one", "two"}, }, }, - "[RemoteRequestHeaderUID] proxy with user, insecure": { + "[-RemoteRequestHeaderUID] proxy with user, cabundle": { user: &user.DefaultInfo{ Name: "username", UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78", @@ -199,10 +236,10 @@ func TestProxyHandler(t *testing.T) { apiService: &apiregistration.APIService{ ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"}, Spec: apiregistration.APIServiceSpec{ - Service: &apiregistration.ServiceReference{Port: ptr.To[int32](443)}, - Group: "foo", - Version: "v1", - InsecureSkipTLSVerify: true, + Service: &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)}, + Group: "foo", + Version: "v1", + CABundle: testCACrt, }, Status: apiregistration.APIServiceStatus{ Conditions: []apiregistration.APIServiceCondition{ @@ -210,15 +247,14 @@ func TestProxyHandler(t *testing.T) { }, }, }, - enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID}, - expectedStatusCode: http.StatusOK, - expectedCalled: true, + remoteRequestHeaderUIDFeature: false, + expectedStatusCode: http.StatusOK, + expectedCalled: true, expectedHeaders: map[string][]string{ "X-Forwarded-Proto": {"https"}, "X-Forwarded-Uri": {"/request/path"}, "X-Forwarded-For": {"127.0.0.1"}, "X-Remote-User": {"username"}, - "X-Remote-Uid": {"6b60d791-1af9-4513-92e5-e4252a1e0a78"}, "User-Agent": {"Go-http-client/1.1"}, "Accept-Encoding": {"gzip"}, "X-Remote-Group": {"one", "two"}, @@ -245,42 +281,9 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusOK, - expectedCalled: true, - expectedHeaders: map[string][]string{ - "X-Forwarded-Proto": {"https"}, - "X-Forwarded-Uri": {"/request/path"}, - "X-Forwarded-For": {"127.0.0.1"}, - "X-Remote-User": {"username"}, - "User-Agent": {"Go-http-client/1.1"}, - "Accept-Encoding": {"gzip"}, - "X-Remote-Group": {"one", "two"}, - }, - }, - "[RemoteRequestHeaderUID] proxy with user, cabundle": { - user: &user.DefaultInfo{ - Name: "username", - UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78", - Groups: []string{"one", "two"}, - }, - path: "/request/path", - apiService: &apiregistration.APIService{ - ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"}, - Spec: apiregistration.APIServiceSpec{ - Service: &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)}, - Group: "foo", - Version: "v1", - CABundle: testCACrt, - }, - Status: apiregistration.APIServiceStatus{ - Conditions: []apiregistration.APIServiceCondition{ - {Type: apiregistration.Available, Status: apiregistration.ConditionTrue}, - }, - }, - }, - enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID}, - expectedStatusCode: http.StatusOK, - expectedCalled: true, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusOK, + expectedCalled: true, expectedHeaders: map[string][]string{ "X-Forwarded-Proto": {"https"}, "X-Forwarded-Uri": {"/request/path"}, @@ -313,7 +316,8 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusServiceUnavailable, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusServiceUnavailable, }, "service unresolveable": { user: &user.DefaultInfo{ @@ -337,7 +341,8 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusServiceUnavailable, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusServiceUnavailable, }, "fail on bad serving cert": { user: &user.DefaultInfo{ @@ -359,7 +364,8 @@ func TestProxyHandler(t *testing.T) { }, }, }, - expectedStatusCode: http.StatusServiceUnavailable, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusServiceUnavailable, }, "fail on bad serving cert w/o SAN and increase SAN error counter metrics": { user: &user.DefaultInfo{ @@ -382,9 +388,10 @@ func TestProxyHandler(t *testing.T) { }, }, }, - serviceCertOverride: svcCrtNoSAN, - increaseSANWarnCounter: true, - expectedStatusCode: http.StatusServiceUnavailable, + serviceCertOverride: svcCrtNoSAN, + increaseSANWarnCounter: true, + remoteRequestHeaderUIDFeature: true, + expectedStatusCode: http.StatusServiceUnavailable, }, } @@ -394,9 +401,7 @@ func TestProxyHandler(t *testing.T) { legacyregistry.Reset() t.Run(name, func(t *testing.T) { - for _, f := range tc.enableFeatureGates { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, true) - } + featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RemoteRequestHeaderUID, tc.remoteRequestHeaderUIDFeature) targetServer := httptest.NewUnstartedServer(target) serviceCert := tc.serviceCertOverride diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml index 15ba70ded5b..73403202f20 100644 --- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml +++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml @@ -1117,6 +1117,10 @@ lockToDefault: false preRelease: Alpha version: "1.32" + - default: true + lockToDefault: false + preRelease: Beta + version: "1.33" - name: ResilientWatchCacheInitialization versionedSpecs: - default: true