From be8af0de1bf4c78f8ce6e09cff11cf74b6f1b2c6 Mon Sep 17 00:00:00 2001 From: David Eads Date: Fri, 1 Nov 2019 10:38:13 -0400 Subject: [PATCH] remove exist client hooks --- cmd/kube-apiserver/app/server.go | 18 --- pkg/master/BUILD | 5 - pkg/master/client_ca_hook.go | 142 ----------------- pkg/master/client_ca_hook_test.go | 247 ------------------------------ pkg/master/master.go | 1 - 5 files changed, 413 deletions(-) delete mode 100644 pkg/master/client_ca_hook.go delete mode 100644 pkg/master/client_ca_hook_test.go diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index 27372379209..b1380edf72d 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -313,27 +313,9 @@ func CreateKubeAPIServerConfig( } } - clientCA, err := readCAorNil(s.Authentication.ClientCert.ClientCA) - if err != nil { - return nil, nil, nil, nil, err - } - requestHeaderProxyCA, err := readCAorNil(s.Authentication.RequestHeader.ClientCAFile) - if err != nil { - return nil, nil, nil, nil, err - } - config := &master.Config{ GenericConfig: genericConfig, ExtraConfig: master.ExtraConfig{ - ClientCARegistrationHook: master.ClientCARegistrationHook{ - ClientCA: clientCA, - RequestHeaderUsernameHeaders: s.Authentication.RequestHeader.UsernameHeaders, - RequestHeaderGroupHeaders: s.Authentication.RequestHeader.GroupHeaders, - RequestHeaderExtraHeaderPrefixes: s.Authentication.RequestHeader.ExtraHeaderPrefixes, - RequestHeaderCA: requestHeaderProxyCA, - RequestHeaderAllowedNames: s.Authentication.RequestHeader.AllowedNames, - }, - APIResourceConfigSource: storageFactory.APIResourceConfigSource, StorageFactory: storageFactory, EventTTL: s.EventTTL, diff --git a/pkg/master/BUILD b/pkg/master/BUILD index 0d45a3d04e2..cd46f4bf077 100644 --- a/pkg/master/BUILD +++ b/pkg/master/BUILD @@ -3,7 +3,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = [ - "client_ca_hook.go", "client_util.go", "controller.go", "doc.go", @@ -109,7 +108,6 @@ go_library( "//staging/src/k8s.io/api/storage/v1:go_default_library", "//staging/src/k8s.io/api/storage/v1alpha1:go_default_library", "//staging/src/k8s.io/api/storage/v1beta1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library", @@ -141,7 +139,6 @@ go_test( size = "medium", timeout = "long", srcs = [ - "client_ca_hook_test.go", "controller_test.go", "import_known_versions_test.go", "master_openapi_test.go", @@ -166,9 +163,7 @@ go_test( "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/apitesting/naming:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", diff --git a/pkg/master/client_ca_hook.go b/pkg/master/client_ca_hook.go deleted file mode 100644 index 4d13b0a51f7..00000000000 --- a/pkg/master/client_ca_hook.go +++ /dev/null @@ -1,142 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package master - -import ( - "encoding/json" - "fmt" - "time" - - corev1 "k8s.io/api/core/v1" - apiequality "k8s.io/apimachinery/pkg/api/equality" - apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/apimachinery/pkg/util/wait" - genericapiserver "k8s.io/apiserver/pkg/server" - corev1client "k8s.io/client-go/kubernetes/typed/core/v1" -) - -// ClientCARegistrationHook defines CA registration hook request structure -type ClientCARegistrationHook struct { - ClientCA []byte - - RequestHeaderUsernameHeaders []string - RequestHeaderGroupHeaders []string - RequestHeaderExtraHeaderPrefixes []string - RequestHeaderCA []byte - RequestHeaderAllowedNames []string -} - -// PostStartHook initializes client CA configmap for the API server -func (h ClientCARegistrationHook) PostStartHook(hookContext genericapiserver.PostStartHookContext) error { - // initializing CAs is important so that aggregated API servers can come up with "normal" config. - // We've seen lagging etcd before, so we want to retry this a few times before we decide to crashloop - // the API server on it. - err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) { - // retry building the config since sometimes the server can be in an in-between state which caused - // some kind of auto detection failure as I recall from other post start hooks. - // TODO see if this is still true and fix the RBAC one too if it isn't. - client, err := corev1client.NewForConfig(hookContext.LoopbackClientConfig) - if err != nil { - utilruntime.HandleError(err) - return false, nil - } - - return h.tryToWriteClientCAs(client) - }) - - // if we're never able to make it through initialization, kill the API server - if err != nil { - return fmt.Errorf("unable to initialize client CA configmap: %v", err) - } - - return nil -} - -// tryToWriteClientCAs is here for unit testing with a fake client. This is a wait.ConditionFunc so the bool -// indicates if the condition was met. True when its finished, false when it should retry. -func (h ClientCARegistrationHook) tryToWriteClientCAs(client corev1client.CoreV1Interface) (bool, error) { - if err := createNamespaceIfNeeded(client, metav1.NamespaceSystem); err != nil { - utilruntime.HandleError(err) - return false, nil - } - - data := map[string]string{} - if len(h.ClientCA) > 0 { - data["client-ca-file"] = string(h.ClientCA) - } - - if len(h.RequestHeaderCA) > 0 { - var err error - - // encoding errors aren't going to get better, so just fail on them. - data["requestheader-username-headers"], err = jsonSerializeStringSlice(h.RequestHeaderUsernameHeaders) - if err != nil { - return false, err - } - data["requestheader-group-headers"], err = jsonSerializeStringSlice(h.RequestHeaderGroupHeaders) - if err != nil { - return false, err - } - data["requestheader-extra-headers-prefix"], err = jsonSerializeStringSlice(h.RequestHeaderExtraHeaderPrefixes) - if err != nil { - return false, err - } - data["requestheader-client-ca-file"] = string(h.RequestHeaderCA) - data["requestheader-allowed-names"], err = jsonSerializeStringSlice(h.RequestHeaderAllowedNames) - if err != nil { - return false, err - } - } - - // write errors may work next time if we retry, so queue for retry - if err := writeConfigMap(client, "extension-apiserver-authentication", data); err != nil { - utilruntime.HandleError(err) - return false, nil - } - - return true, nil -} - -func jsonSerializeStringSlice(in []string) (string, error) { - out, err := json.Marshal(in) - if err != nil { - return "", err - } - return string(out), err -} - -func writeConfigMap(client corev1client.ConfigMapsGetter, name string, data map[string]string) error { - existing, err := client.ConfigMaps(metav1.NamespaceSystem).Get(name, metav1.GetOptions{}) - if apierrors.IsNotFound(err) { - _, err := client.ConfigMaps(metav1.NamespaceSystem).Create(&corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: name}, - Data: data, - }) - return err - } - if err != nil { - return err - } - - if !apiequality.Semantic.DeepEqual(existing.Data, data) { - existing.Data = data - _, err = client.ConfigMaps(metav1.NamespaceSystem).Update(existing) - } - return err -} diff --git a/pkg/master/client_ca_hook_test.go b/pkg/master/client_ca_hook_test.go deleted file mode 100644 index 69baf28266e..00000000000 --- a/pkg/master/client_ca_hook_test.go +++ /dev/null @@ -1,247 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package master - -import ( - "reflect" - "testing" - - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/diff" - "k8s.io/client-go/kubernetes/fake" - clienttesting "k8s.io/client-go/testing" -) - -func TestWriteClientCAs(t *testing.T) { - tests := []struct { - name string - hook ClientCARegistrationHook - preexistingObjs []runtime.Object - expectedConfigMaps map[string]*corev1.ConfigMap - expectUpdate bool - }{ - { - name: "basic", - hook: ClientCARegistrationHook{ - ClientCA: []byte("foo"), - RequestHeaderUsernameHeaders: []string{"alfa", "bravo", "charlie"}, - RequestHeaderGroupHeaders: []string{"delta"}, - RequestHeaderExtraHeaderPrefixes: []string{"echo", "foxtrot"}, - RequestHeaderCA: []byte("bar"), - RequestHeaderAllowedNames: []string{"first", "second"}, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "client-ca-file": "foo", - "requestheader-username-headers": `["alfa","bravo","charlie"]`, - "requestheader-group-headers": `["delta"]`, - "requestheader-extra-headers-prefix": `["echo","foxtrot"]`, - "requestheader-client-ca-file": "bar", - "requestheader-allowed-names": `["first","second"]`, - }, - }, - }, - }, - { - name: "skip extension-apiserver-authentication", - hook: ClientCARegistrationHook{ - RequestHeaderCA: []byte("bar"), - RequestHeaderAllowedNames: []string{"first", "second"}, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "requestheader-username-headers": `null`, - "requestheader-group-headers": `null`, - "requestheader-extra-headers-prefix": `null`, - "requestheader-client-ca-file": "bar", - "requestheader-allowed-names": `["first","second"]`, - }, - }, - }, - }, - { - name: "skip extension-apiserver-authentication", - hook: ClientCARegistrationHook{ - ClientCA: []byte("foo"), - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "client-ca-file": "foo", - }, - }, - }, - }, - { - name: "empty allowed names", - hook: ClientCARegistrationHook{ - RequestHeaderCA: []byte("bar"), - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "requestheader-username-headers": `null`, - "requestheader-group-headers": `null`, - "requestheader-extra-headers-prefix": `null`, - "requestheader-client-ca-file": "bar", - "requestheader-allowed-names": `null`, - }, - }, - }, - }, - { - name: "overwrite extension-apiserver-authentication", - hook: ClientCARegistrationHook{ - ClientCA: []byte("foo"), - }, - preexistingObjs: []runtime.Object{ - &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "client-ca-file": "other", - }, - }, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "client-ca-file": "foo", - }, - }, - }, - expectUpdate: true, - }, - { - name: "overwrite extension-apiserver-authentication requestheader", - hook: ClientCARegistrationHook{ - RequestHeaderUsernameHeaders: []string{}, - RequestHeaderGroupHeaders: []string{}, - RequestHeaderExtraHeaderPrefixes: []string{}, - RequestHeaderCA: []byte("bar"), - RequestHeaderAllowedNames: []string{}, - }, - preexistingObjs: []runtime.Object{ - &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "requestheader-username-headers": `null`, - "requestheader-group-headers": `null`, - "requestheader-extra-headers-prefix": `null`, - "requestheader-client-ca-file": "something", - "requestheader-allowed-names": `null`, - }, - }, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "requestheader-username-headers": `[]`, - "requestheader-group-headers": `[]`, - "requestheader-extra-headers-prefix": `[]`, - "requestheader-client-ca-file": "bar", - "requestheader-allowed-names": `[]`, - }, - }, - }, - expectUpdate: true, - }, - { - name: "namespace exists", - hook: ClientCARegistrationHook{ - ClientCA: []byte("foo"), - }, - preexistingObjs: []runtime.Object{ - &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: metav1.NamespaceSystem}}, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{ - "extension-apiserver-authentication": { - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "client-ca-file": "foo", - }, - }, - }, - }, - { - name: "skip on no change", - hook: ClientCARegistrationHook{ - RequestHeaderUsernameHeaders: []string{}, - RequestHeaderGroupHeaders: []string{}, - RequestHeaderExtraHeaderPrefixes: []string{}, - RequestHeaderCA: []byte("bar"), - RequestHeaderAllowedNames: []string{}, - }, - preexistingObjs: []runtime.Object{ - &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"}, - Data: map[string]string{ - "requestheader-username-headers": `[]`, - "requestheader-group-headers": `[]`, - "requestheader-extra-headers-prefix": `[]`, - "requestheader-client-ca-file": "bar", - "requestheader-allowed-names": `[]`, - }, - }, - }, - expectedConfigMaps: map[string]*corev1.ConfigMap{}, - expectUpdate: false, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - client := fake.NewSimpleClientset(test.preexistingObjs...) - test.hook.tryToWriteClientCAs(client.CoreV1()) - - actualConfigMaps, updated := getFinalConfigMaps(client) - if !reflect.DeepEqual(test.expectedConfigMaps, actualConfigMaps) { - t.Fatalf("%s: %v", test.name, diff.ObjectReflectDiff(test.expectedConfigMaps, actualConfigMaps)) - } - if test.expectUpdate != updated { - t.Fatalf("%s: expected %v, got %v", test.name, test.expectUpdate, updated) - } - }) - } -} - -func getFinalConfigMaps(client *fake.Clientset) (map[string]*corev1.ConfigMap, bool) { - ret := map[string]*corev1.ConfigMap{} - updated := false - - for _, action := range client.Actions() { - if action.Matches("create", "configmaps") { - obj := action.(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap) - ret[obj.Name] = obj - } - if action.Matches("update", "configmaps") { - updated = true - obj := action.(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap) - ret[obj.Name] = obj - } - } - return ret, updated -} diff --git a/pkg/master/master.go b/pkg/master/master.go index 71958ab4c08..5d22feb8df4 100644 --- a/pkg/master/master.go +++ b/pkg/master/master.go @@ -125,7 +125,6 @@ const ( // ExtraConfig defines extra configuration for the master type ExtraConfig struct { ClusterAuthenticationInfo clusterauthenticationtrust.ClusterAuthenticationInfo - ClientCARegistrationHook ClientCARegistrationHook APIResourceConfigSource serverstorage.APIResourceConfigSource StorageFactory serverstorage.StorageFactory