remove exist client hooks

cmd/kube-apiserver/app/server.go

@@ -313,27 +313,9 @@ func CreateKubeAPIServerConfig(
 		}
 	}
 
-	clientCA, err := readCAorNil(s.Authentication.ClientCert.ClientCA)
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
-	requestHeaderProxyCA, err := readCAorNil(s.Authentication.RequestHeader.ClientCAFile)
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
-
 	config := &master.Config{
 		GenericConfig: genericConfig,
 		ExtraConfig: master.ExtraConfig{
-			ClientCARegistrationHook: master.ClientCARegistrationHook{
-				ClientCA:                         clientCA,
-				RequestHeaderUsernameHeaders:     s.Authentication.RequestHeader.UsernameHeaders,
-				RequestHeaderGroupHeaders:        s.Authentication.RequestHeader.GroupHeaders,
-				RequestHeaderExtraHeaderPrefixes: s.Authentication.RequestHeader.ExtraHeaderPrefixes,
-				RequestHeaderCA:                  requestHeaderProxyCA,
-				RequestHeaderAllowedNames:        s.Authentication.RequestHeader.AllowedNames,
-			},
-
 			APIResourceConfigSource: storageFactory.APIResourceConfigSource,
 			StorageFactory:          storageFactory,
 			EventTTL:                s.EventTTL,

pkg/master/BUILD

@@ -3,7 +3,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
-        "client_ca_hook.go",
         "client_util.go",
         "controller.go",
         "doc.go",
@@ -109,7 +108,6 @@ go_library(
         "//staging/src/k8s.io/api/storage/v1:go_default_library",
         "//staging/src/k8s.io/api/storage/v1alpha1:go_default_library",
         "//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
@@ -141,7 +139,6 @@ go_test(
     size = "medium",
     timeout = "long",
     srcs = [
-        "client_ca_hook_test.go",
         "controller_test.go",
         "import_known_versions_test.go",
         "master_openapi_test.go",
@@ -166,9 +163,7 @@ go_test(
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/apitesting/naming:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",

pkg/master/client_ca_hook.go

@@ -1,142 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package master
-
-import (
-	"encoding/json"
-	"fmt"
-	"time"
-
-	corev1 "k8s.io/api/core/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
-	genericapiserver "k8s.io/apiserver/pkg/server"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
-)
-
-// ClientCARegistrationHook defines CA registration hook request structure
-type ClientCARegistrationHook struct {
-	ClientCA []byte
-
-	RequestHeaderUsernameHeaders     []string
-	RequestHeaderGroupHeaders        []string
-	RequestHeaderExtraHeaderPrefixes []string
-	RequestHeaderCA                  []byte
-	RequestHeaderAllowedNames        []string
-}
-
-// PostStartHook initializes client CA configmap for the API server
-func (h ClientCARegistrationHook) PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
-	// initializing CAs is important so that aggregated API servers can come up with "normal" config.
-	// We've seen lagging etcd before, so we want to retry this a few times before we decide to crashloop
-	// the API server on it.
-	err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
-		// retry building the config since sometimes the server can be in an in-between state which caused
-		// some kind of auto detection failure as I recall from other post start hooks.
-		// TODO see if this is still true and fix the RBAC one too if it isn't.
-		client, err := corev1client.NewForConfig(hookContext.LoopbackClientConfig)
-		if err != nil {
-			utilruntime.HandleError(err)
-			return false, nil
-		}
-
-		return h.tryToWriteClientCAs(client)
-	})
-
-	// if we're never able to make it through initialization, kill the API server
-	if err != nil {
-		return fmt.Errorf("unable to initialize client CA configmap: %v", err)
-	}
-
-	return nil
-}
-
-// tryToWriteClientCAs is here for unit testing with a fake client.  This is a wait.ConditionFunc so the bool
-// indicates if the condition was met.  True when its finished, false when it should retry.
-func (h ClientCARegistrationHook) tryToWriteClientCAs(client corev1client.CoreV1Interface) (bool, error) {
-	if err := createNamespaceIfNeeded(client, metav1.NamespaceSystem); err != nil {
-		utilruntime.HandleError(err)
-		return false, nil
-	}
-
-	data := map[string]string{}
-	if len(h.ClientCA) > 0 {
-		data["client-ca-file"] = string(h.ClientCA)
-	}
-
-	if len(h.RequestHeaderCA) > 0 {
-		var err error
-
-		// encoding errors aren't going to get better, so just fail on them.
-		data["requestheader-username-headers"], err = jsonSerializeStringSlice(h.RequestHeaderUsernameHeaders)
-		if err != nil {
-			return false, err
-		}
-		data["requestheader-group-headers"], err = jsonSerializeStringSlice(h.RequestHeaderGroupHeaders)
-		if err != nil {
-			return false, err
-		}
-		data["requestheader-extra-headers-prefix"], err = jsonSerializeStringSlice(h.RequestHeaderExtraHeaderPrefixes)
-		if err != nil {
-			return false, err
-		}
-		data["requestheader-client-ca-file"] = string(h.RequestHeaderCA)
-		data["requestheader-allowed-names"], err = jsonSerializeStringSlice(h.RequestHeaderAllowedNames)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	// write errors may work next time if we retry, so queue for retry
-	if err := writeConfigMap(client, "extension-apiserver-authentication", data); err != nil {
-		utilruntime.HandleError(err)
-		return false, nil
-	}
-
-	return true, nil
-}
-
-func jsonSerializeStringSlice(in []string) (string, error) {
-	out, err := json.Marshal(in)
-	if err != nil {
-		return "", err
-	}
-	return string(out), err
-}
-
-func writeConfigMap(client corev1client.ConfigMapsGetter, name string, data map[string]string) error {
-	existing, err := client.ConfigMaps(metav1.NamespaceSystem).Get(name, metav1.GetOptions{})
-	if apierrors.IsNotFound(err) {
-		_, err := client.ConfigMaps(metav1.NamespaceSystem).Create(&corev1.ConfigMap{
-			ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: name},
-			Data:       data,
-		})
-		return err
-	}
-	if err != nil {
-		return err
-	}
-
-	if !apiequality.Semantic.DeepEqual(existing.Data, data) {
-		existing.Data = data
-		_, err = client.ConfigMaps(metav1.NamespaceSystem).Update(existing)
-	}
-	return err
-}

pkg/master/client_ca_hook_test.go

@@ -1,247 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package master
-
-import (
-	"reflect"
-	"testing"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/diff"
-	"k8s.io/client-go/kubernetes/fake"
-	clienttesting "k8s.io/client-go/testing"
-)
-
-func TestWriteClientCAs(t *testing.T) {
-	tests := []struct {
-		name               string
-		hook               ClientCARegistrationHook
-		preexistingObjs    []runtime.Object
-		expectedConfigMaps map[string]*corev1.ConfigMap
-		expectUpdate       bool
-	}{
-		{
-			name: "basic",
-			hook: ClientCARegistrationHook{
-				ClientCA:                         []byte("foo"),
-				RequestHeaderUsernameHeaders:     []string{"alfa", "bravo", "charlie"},
-				RequestHeaderGroupHeaders:        []string{"delta"},
-				RequestHeaderExtraHeaderPrefixes: []string{"echo", "foxtrot"},
-				RequestHeaderCA:                  []byte("bar"),
-				RequestHeaderAllowedNames:        []string{"first", "second"},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"client-ca-file":                     "foo",
-						"requestheader-username-headers":     `["alfa","bravo","charlie"]`,
-						"requestheader-group-headers":        `["delta"]`,
-						"requestheader-extra-headers-prefix": `["echo","foxtrot"]`,
-						"requestheader-client-ca-file":       "bar",
-						"requestheader-allowed-names":        `["first","second"]`,
-					},
-				},
-			},
-		},
-		{
-			name: "skip extension-apiserver-authentication",
-			hook: ClientCARegistrationHook{
-				RequestHeaderCA:           []byte("bar"),
-				RequestHeaderAllowedNames: []string{"first", "second"},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"requestheader-username-headers":     `null`,
-						"requestheader-group-headers":        `null`,
-						"requestheader-extra-headers-prefix": `null`,
-						"requestheader-client-ca-file":       "bar",
-						"requestheader-allowed-names":        `["first","second"]`,
-					},
-				},
-			},
-		},
-		{
-			name: "skip extension-apiserver-authentication",
-			hook: ClientCARegistrationHook{
-				ClientCA: []byte("foo"),
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"client-ca-file": "foo",
-					},
-				},
-			},
-		},
-		{
-			name: "empty allowed names",
-			hook: ClientCARegistrationHook{
-				RequestHeaderCA: []byte("bar"),
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"requestheader-username-headers":     `null`,
-						"requestheader-group-headers":        `null`,
-						"requestheader-extra-headers-prefix": `null`,
-						"requestheader-client-ca-file":       "bar",
-						"requestheader-allowed-names":        `null`,
-					},
-				},
-			},
-		},
-		{
-			name: "overwrite extension-apiserver-authentication",
-			hook: ClientCARegistrationHook{
-				ClientCA: []byte("foo"),
-			},
-			preexistingObjs: []runtime.Object{
-				&corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"client-ca-file": "other",
-					},
-				},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"client-ca-file": "foo",
-					},
-				},
-			},
-			expectUpdate: true,
-		},
-		{
-			name: "overwrite extension-apiserver-authentication requestheader",
-			hook: ClientCARegistrationHook{
-				RequestHeaderUsernameHeaders:     []string{},
-				RequestHeaderGroupHeaders:        []string{},
-				RequestHeaderExtraHeaderPrefixes: []string{},
-				RequestHeaderCA:                  []byte("bar"),
-				RequestHeaderAllowedNames:        []string{},
-			},
-			preexistingObjs: []runtime.Object{
-				&corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"requestheader-username-headers":     `null`,
-						"requestheader-group-headers":        `null`,
-						"requestheader-extra-headers-prefix": `null`,
-						"requestheader-client-ca-file":       "something",
-						"requestheader-allowed-names":        `null`,
-					},
-				},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"requestheader-username-headers":     `[]`,
-						"requestheader-group-headers":        `[]`,
-						"requestheader-extra-headers-prefix": `[]`,
-						"requestheader-client-ca-file":       "bar",
-						"requestheader-allowed-names":        `[]`,
-					},
-				},
-			},
-			expectUpdate: true,
-		},
-		{
-			name: "namespace exists",
-			hook: ClientCARegistrationHook{
-				ClientCA: []byte("foo"),
-			},
-			preexistingObjs: []runtime.Object{
-				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: metav1.NamespaceSystem}},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{
-				"extension-apiserver-authentication": {
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"client-ca-file": "foo",
-					},
-				},
-			},
-		},
-		{
-			name: "skip on no change",
-			hook: ClientCARegistrationHook{
-				RequestHeaderUsernameHeaders:     []string{},
-				RequestHeaderGroupHeaders:        []string{},
-				RequestHeaderExtraHeaderPrefixes: []string{},
-				RequestHeaderCA:                  []byte("bar"),
-				RequestHeaderAllowedNames:        []string{},
-			},
-			preexistingObjs: []runtime.Object{
-				&corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
-					Data: map[string]string{
-						"requestheader-username-headers":     `[]`,
-						"requestheader-group-headers":        `[]`,
-						"requestheader-extra-headers-prefix": `[]`,
-						"requestheader-client-ca-file":       "bar",
-						"requestheader-allowed-names":        `[]`,
-					},
-				},
-			},
-			expectedConfigMaps: map[string]*corev1.ConfigMap{},
-			expectUpdate:       false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			client := fake.NewSimpleClientset(test.preexistingObjs...)
-			test.hook.tryToWriteClientCAs(client.CoreV1())
-
-			actualConfigMaps, updated := getFinalConfigMaps(client)
-			if !reflect.DeepEqual(test.expectedConfigMaps, actualConfigMaps) {
-				t.Fatalf("%s: %v", test.name, diff.ObjectReflectDiff(test.expectedConfigMaps, actualConfigMaps))
-			}
-			if test.expectUpdate != updated {
-				t.Fatalf("%s: expected %v, got %v", test.name, test.expectUpdate, updated)
-			}
-		})
-	}
-}
-
-func getFinalConfigMaps(client *fake.Clientset) (map[string]*corev1.ConfigMap, bool) {
-	ret := map[string]*corev1.ConfigMap{}
-	updated := false
-
-	for _, action := range client.Actions() {
-		if action.Matches("create", "configmaps") {
-			obj := action.(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap)
-			ret[obj.Name] = obj
-		}
-		if action.Matches("update", "configmaps") {
-			updated = true
-			obj := action.(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
-			ret[obj.Name] = obj
-		}
-	}
-	return ret, updated
-}

pkg/master/master.go

@@ -125,7 +125,6 @@ const (
 // ExtraConfig defines extra configuration for the master
 type ExtraConfig struct {
 	ClusterAuthenticationInfo clusterauthenticationtrust.ClusterAuthenticationInfo
-	ClientCARegistrationHook  ClientCARegistrationHook
 
 	APIResourceConfigSource  serverstorage.APIResourceConfigSource
 	StorageFactory           serverstorage.StorageFactory