From 074544b3b024156e4ce91de5778281dbe1b47a72 Mon Sep 17 00:00:00 2001
From: p0lyn0mial
Date: Tue, 13 Jun 2017 18:08:35 +0200
Subject: [PATCH] incluster config will be used when creating external shared informers. previously the loopback configuration was used to talk to the server. As a consequence a custom API server was unable to talk to the root API server.
---
 cmd/kube-apiserver/app/server.go | 2 +
 .../cmd/federation-apiserver/app/server.go | 1 +
 .../apiserver/pkg/server/options/serving.go | 41 ++++++++++++++++---
 3 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 68b864312c5..47d003d5f5b 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -553,6 +553,8 @@ func defaultOptions(s *options.ServerRunOptions) error {
 if err != nil {
 return fmt.Errorf("error determining service IP ranges: %v", err)
 }
+ s.SecureServing.ForceLoopbackConfigUsage()
+
 if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, []net.IP{apiServerServiceIP}); err != nil {
 return fmt.Errorf("error creating self-signed certificates: %v", err)
 }
diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go
index 69e8eaad524..63c748bf18d 100644
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@@ -102,6 +102,7 @@ func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
 if err := s.CloudProvider.DefaultExternalHost(s.GenericServerRunOptions); err != nil {
 return fmt.Errorf("error setting the external host value: %v", err)
 }
+ s.SecureServing.ForceLoopbackConfigUsage()
 s.Authentication.ApplyAuthorization(s.Authorization)
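Review bot: The `s.SecureServing.ForceLoopbackConfigUsage()` call added in defaultOptions carries an ordering requirement that nothing at the call site records: it only takes effect if it runs before SecureServing.ApplyTo, and omitting or misplacing it makes the server build its shared informers from in-cluster credentials instead of the loopback client. A one-line comment such as `// must run before SecureServing.ApplyTo: kube-apiserver informers use the loopback config` would make that visible. The same applies to the identical call added in NonBlockingRun in the federation-apiserver hunk. Both functions continue outside their hunks.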
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
index a53252f72e7..b21f0002c34 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@@ -24,6 +24,7 @@ import (
 "net"
 "path"
 "strconv"
+ "time"
 "github.com/golang/glog"
 "github.com/pborman/uuid"
@@ -34,6 +35,7 @@ import (
 utilflag "k8s.io/apiserver/pkg/util/flag"
 "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
 certutil "k8s.io/client-go/util/cert"
 )
@@ -45,6 +47,9 @@ type SecureServingOptions struct {
 ServerCert GeneratableKeyCert
 // SNICertKeys are named CertKeys for serving secure traffic with SNI support.
 SNICertKeys []utilflag.NamedCertKey
+
+ // when set determines whether to use loopback configuration to create shared informers.
+ useLoopbackCfg bool
 }
 type CertKey struct {
@@ -136,6 +141,7 @@ func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
 fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 }
+// ApplyTo fills up serving information in the server configuration.
 func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 if s.BindPort <= 0 {
 return nil
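Review bot: The comment on `useLoopbackCfg` in the SecureServingOptions hunk does not say what the zero value means, and that is the security-relevant part of the field. Every server embedding these options that does not call ForceLoopbackConfigUsage() switches its shared informers from the loopback client to `rest.InClusterConfig()`, so the default changes which identity the informers use. I would write it as `// useLoopbackCfg selects c.LoopbackClientConfig for the shared informers; when false (the default) rest.InClusterConfig() is used.` The struct declaration starts above the hunk.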
@@ -169,16 +175,39 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
 }
- // create shared informers
- clientset, err := kubernetes.NewForConfig(c.LoopbackClientConfig)
- if err != nil {
- return err
+ // create shared informers, if not explicitly set use in cluster config.
+ // do not fail on an error, this allows an external API server to startup
+ // outside of a kube cluster.
+ var clientCfg *rest.Config
+ err = nil
+ if s.useLoopbackCfg {
+ clientCfg = c.LoopbackClientConfig
+ } else {
+ clientCfg, err = rest.InClusterConfig()
 }
- c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, c.LoopbackClientConfig.Timeout)
-
+ if err != nil {
+ glog.Errorf("Couldn't create in cluster config due to %v. SharedInformerFactory will not be set.", err)
+ return nil
+ }
+ clientset, err := kubernetes.NewForConfig(clientCfg)
+ if err != nil {
+ glog.Errorf("Couldn't create clientset due to %v. SharedInformerFactory will not be set.", err)
+ return nil
+ }
+ c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, 10*time.Minute)
 return nil
 }
+// ForceLoopbackConfigUsage forces the usage of the loopback configuration
+// to create SharedInformerFactory. The primary client of this method
+// is kube API server, no other API server is the source of truth for kube APIs.
+//
+// Note:
+// this method MUST be called prior to ApplyTo to take an effect.
+func (s *SecureServingOptions) ForceLoopbackConfigUsage() {
+ s.useLoopbackCfg = true
+}
+
 func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 if s.BindPort <= 0 {
 return nil
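Review bot: The new `kubernetes.NewForConfig(clientCfg)` error branch logs and returns nil for both configurations, so a kube-apiserver that called ForceLoopbackConfigUsage() now starts with `c.SharedInformerFactory` unset where the removed code returned the error. Keeping the old fail-closed behaviour for the loopback case needs only `if s.useLoopbackCfg { return err }` at the top of that branch, leaving log-and-continue to the in-cluster case. On the in-cluster path the informers authenticate with the pod's service-account credentials rather than the loopback client, so the comment should state that this account needs list/watch access on the root API server and that consumers of SharedInformerFactory must tolerate nil; whether existing consumers do is not visible here. The resync period `10*time.Minute` would read better as a named constant. ApplyTo starts before this hunk.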