mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-28 05:57:25 +00:00
remove exist client hooks
This commit is contained in:
David Eads
parent
7351c86860
commit
be8af0de1b
@ -313,27 +313,9 @@ func CreateKubeAPIServerConfig(
|
||||
}
|
||||
}
|
||||
|
||||
clientCA, err := readCAorNil(s.Authentication.ClientCert.ClientCA)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
}
|
||||
requestHeaderProxyCA, err := readCAorNil(s.Authentication.RequestHeader.ClientCAFile)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
}
|
||||
|
||||
config := &master.Config{
|
||||
GenericConfig: genericConfig,
|
||||
ExtraConfig: master.ExtraConfig{
|
||||
ClientCARegistrationHook: master.ClientCARegistrationHook{
|
||||
ClientCA: clientCA,
|
||||
RequestHeaderUsernameHeaders: s.Authentication.RequestHeader.UsernameHeaders,
|
||||
RequestHeaderGroupHeaders: s.Authentication.RequestHeader.GroupHeaders,
|
||||
RequestHeaderExtraHeaderPrefixes: s.Authentication.RequestHeader.ExtraHeaderPrefixes,
|
||||
RequestHeaderCA: requestHeaderProxyCA,
|
||||
RequestHeaderAllowedNames: s.Authentication.RequestHeader.AllowedNames,
|
||||
},
|
||||
|
||||
APIResourceConfigSource: storageFactory.APIResourceConfigSource,
|
||||
StorageFactory: storageFactory,
|
||||
EventTTL: s.EventTTL,
|
||||
|
||||
@ -3,7 +3,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = [
|
||||
"client_ca_hook.go",
|
||||
"client_util.go",
|
||||
"controller.go",
|
||||
"doc.go",
|
||||
@ -109,7 +108,6 @@ go_library(
|
||||
"//staging/src/k8s.io/api/storage/v1:go_default_library",
|
||||
"//staging/src/k8s.io/api/storage/v1alpha1:go_default_library",
|
||||
"//staging/src/k8s.io/api/storage/v1beta1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||
@ -141,7 +139,6 @@ go_test(
|
||||
size = "medium",
|
||||
timeout = "long",
|
||||
srcs = [
|
||||
"client_ca_hook_test.go",
|
||||
"controller_test.go",
|
||||
"import_known_versions_test.go",
|
||||
"master_openapi_test.go",
|
||||
@ -166,9 +163,7 @@ go_test(
|
||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/apitesting/naming:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
|
||||
@ -1,142 +0,0 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package master
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
apiequality "k8s.io/apimachinery/pkg/api/equality"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||
)
|
||||
|
||||
// ClientCARegistrationHook defines CA registration hook request structure
|
||||
type ClientCARegistrationHook struct {
|
||||
ClientCA []byte
|
||||
|
||||
RequestHeaderUsernameHeaders []string
|
||||
RequestHeaderGroupHeaders []string
|
||||
RequestHeaderExtraHeaderPrefixes []string
|
||||
RequestHeaderCA []byte
|
||||
RequestHeaderAllowedNames []string
|
||||
}
|
||||
|
||||
// PostStartHook initializes client CA configmap for the API server
|
||||
func (h ClientCARegistrationHook) PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
|
||||
// initializing CAs is important so that aggregated API servers can come up with "normal" config.
|
||||
// We've seen lagging etcd before, so we want to retry this a few times before we decide to crashloop
|
||||
// the API server on it.
|
||||
err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
|
||||
// retry building the config since sometimes the server can be in an in-between state which caused
|
||||
// some kind of auto detection failure as I recall from other post start hooks.
|
||||
// TODO see if this is still true and fix the RBAC one too if it isn't.
|
||||
client, err := corev1client.NewForConfig(hookContext.LoopbackClientConfig)
|
||||
if err != nil {
|
||||
utilruntime.HandleError(err)
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return h.tryToWriteClientCAs(client)
|
||||
})
|
||||
|
||||
// if we're never able to make it through initialization, kill the API server
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to initialize client CA configmap: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// tryToWriteClientCAs is here for unit testing with a fake client. This is a wait.ConditionFunc so the bool
|
||||
// indicates if the condition was met. True when its finished, false when it should retry.
|
||||
func (h ClientCARegistrationHook) tryToWriteClientCAs(client corev1client.CoreV1Interface) (bool, error) {
|
||||
if err := createNamespaceIfNeeded(client, metav1.NamespaceSystem); err != nil {
|
||||
utilruntime.HandleError(err)
|
||||
return false, nil
|
||||
}
|
||||
|
||||
data := map[string]string{}
|
||||
if len(h.ClientCA) > 0 {
|
||||
data["client-ca-file"] = string(h.ClientCA)
|
||||
}
|
||||
|
||||
if len(h.RequestHeaderCA) > 0 {
|
||||
var err error
|
||||
|
||||
// encoding errors aren't going to get better, so just fail on them.
|
||||
data["requestheader-username-headers"], err = jsonSerializeStringSlice(h.RequestHeaderUsernameHeaders)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
data["requestheader-group-headers"], err = jsonSerializeStringSlice(h.RequestHeaderGroupHeaders)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
data["requestheader-extra-headers-prefix"], err = jsonSerializeStringSlice(h.RequestHeaderExtraHeaderPrefixes)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
data["requestheader-client-ca-file"] = string(h.RequestHeaderCA)
|
||||
data["requestheader-allowed-names"], err = jsonSerializeStringSlice(h.RequestHeaderAllowedNames)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
|
||||
// write errors may work next time if we retry, so queue for retry
|
||||
if err := writeConfigMap(client, "extension-apiserver-authentication", data); err != nil {
|
||||
utilruntime.HandleError(err)
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func jsonSerializeStringSlice(in []string) (string, error) {
|
||||
out, err := json.Marshal(in)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return string(out), err
|
||||
}
|
||||
|
||||
func writeConfigMap(client corev1client.ConfigMapsGetter, name string, data map[string]string) error {
|
||||
existing, err := client.ConfigMaps(metav1.NamespaceSystem).Get(name, metav1.GetOptions{})
|
||||
if apierrors.IsNotFound(err) {
|
||||
_, err := client.ConfigMaps(metav1.NamespaceSystem).Create(&corev1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: name},
|
||||
Data: data,
|
||||
})
|
||||
return err
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !apiequality.Semantic.DeepEqual(existing.Data, data) {
|
||||
existing.Data = data
|
||||
_, err = client.ConfigMaps(metav1.NamespaceSystem).Update(existing)
|
||||
}
|
||||
return err
|
||||
}
|
||||
@ -1,247 +0,0 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package master
|
||||
|
||||
import (
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
clienttesting "k8s.io/client-go/testing"
|
||||
)
|
||||
|
||||
func TestWriteClientCAs(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
hook ClientCARegistrationHook
|
||||
preexistingObjs []runtime.Object
|
||||
expectedConfigMaps map[string]*corev1.ConfigMap
|
||||
expectUpdate bool
|
||||
}{
|
||||
{
|
||||
name: "basic",
|
||||
hook: ClientCARegistrationHook{
|
||||
ClientCA: []byte("foo"),
|
||||
RequestHeaderUsernameHeaders: []string{"alfa", "bravo", "charlie"},
|
||||
RequestHeaderGroupHeaders: []string{"delta"},
|
||||
RequestHeaderExtraHeaderPrefixes: []string{"echo", "foxtrot"},
|
||||
RequestHeaderCA: []byte("bar"),
|
||||
RequestHeaderAllowedNames: []string{"first", "second"},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"client-ca-file": "foo",
|
||||
"requestheader-username-headers": `["alfa","bravo","charlie"]`,
|
||||
"requestheader-group-headers": `["delta"]`,
|
||||
"requestheader-extra-headers-prefix": `["echo","foxtrot"]`,
|
||||
"requestheader-client-ca-file": "bar",
|
||||
"requestheader-allowed-names": `["first","second"]`,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "skip extension-apiserver-authentication",
|
||||
hook: ClientCARegistrationHook{
|
||||
RequestHeaderCA: []byte("bar"),
|
||||
RequestHeaderAllowedNames: []string{"first", "second"},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"requestheader-username-headers": `null`,
|
||||
"requestheader-group-headers": `null`,
|
||||
"requestheader-extra-headers-prefix": `null`,
|
||||
"requestheader-client-ca-file": "bar",
|
||||
"requestheader-allowed-names": `["first","second"]`,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "skip extension-apiserver-authentication",
|
||||
hook: ClientCARegistrationHook{
|
||||
ClientCA: []byte("foo"),
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"client-ca-file": "foo",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "empty allowed names",
|
||||
hook: ClientCARegistrationHook{
|
||||
RequestHeaderCA: []byte("bar"),
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"requestheader-username-headers": `null`,
|
||||
"requestheader-group-headers": `null`,
|
||||
"requestheader-extra-headers-prefix": `null`,
|
||||
"requestheader-client-ca-file": "bar",
|
||||
"requestheader-allowed-names": `null`,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "overwrite extension-apiserver-authentication",
|
||||
hook: ClientCARegistrationHook{
|
||||
ClientCA: []byte("foo"),
|
||||
},
|
||||
preexistingObjs: []runtime.Object{
|
||||
&corev1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"client-ca-file": "other",
|
||||
},
|
||||
},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"client-ca-file": "foo",
|
||||
},
|
||||
},
|
||||
},
|
||||
expectUpdate: true,
|
||||
},
|
||||
{
|
||||
name: "overwrite extension-apiserver-authentication requestheader",
|
||||
hook: ClientCARegistrationHook{
|
||||
RequestHeaderUsernameHeaders: []string{},
|
||||
RequestHeaderGroupHeaders: []string{},
|
||||
RequestHeaderExtraHeaderPrefixes: []string{},
|
||||
RequestHeaderCA: []byte("bar"),
|
||||
RequestHeaderAllowedNames: []string{},
|
||||
},
|
||||
preexistingObjs: []runtime.Object{
|
||||
&corev1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"requestheader-username-headers": `null`,
|
||||
"requestheader-group-headers": `null`,
|
||||
"requestheader-extra-headers-prefix": `null`,
|
||||
"requestheader-client-ca-file": "something",
|
||||
"requestheader-allowed-names": `null`,
|
||||
},
|
||||
},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"requestheader-username-headers": `[]`,
|
||||
"requestheader-group-headers": `[]`,
|
||||
"requestheader-extra-headers-prefix": `[]`,
|
||||
"requestheader-client-ca-file": "bar",
|
||||
"requestheader-allowed-names": `[]`,
|
||||
},
|
||||
},
|
||||
},
|
||||
expectUpdate: true,
|
||||
},
|
||||
{
|
||||
name: "namespace exists",
|
||||
hook: ClientCARegistrationHook{
|
||||
ClientCA: []byte("foo"),
|
||||
},
|
||||
preexistingObjs: []runtime.Object{
|
||||
&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: metav1.NamespaceSystem}},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{
|
||||
"extension-apiserver-authentication": {
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"client-ca-file": "foo",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "skip on no change",
|
||||
hook: ClientCARegistrationHook{
|
||||
RequestHeaderUsernameHeaders: []string{},
|
||||
RequestHeaderGroupHeaders: []string{},
|
||||
RequestHeaderExtraHeaderPrefixes: []string{},
|
||||
RequestHeaderCA: []byte("bar"),
|
||||
RequestHeaderAllowedNames: []string{},
|
||||
},
|
||||
preexistingObjs: []runtime.Object{
|
||||
&corev1.ConfigMap{
|
||||
ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
|
||||
Data: map[string]string{
|
||||
"requestheader-username-headers": `[]`,
|
||||
"requestheader-group-headers": `[]`,
|
||||
"requestheader-extra-headers-prefix": `[]`,
|
||||
"requestheader-client-ca-file": "bar",
|
||||
"requestheader-allowed-names": `[]`,
|
||||
},
|
||||
},
|
||||
},
|
||||
expectedConfigMaps: map[string]*corev1.ConfigMap{},
|
||||
expectUpdate: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
client := fake.NewSimpleClientset(test.preexistingObjs...)
|
||||
test.hook.tryToWriteClientCAs(client.CoreV1())
|
||||
|
||||
actualConfigMaps, updated := getFinalConfigMaps(client)
|
||||
if !reflect.DeepEqual(test.expectedConfigMaps, actualConfigMaps) {
|
||||
t.Fatalf("%s: %v", test.name, diff.ObjectReflectDiff(test.expectedConfigMaps, actualConfigMaps))
|
||||
}
|
||||
if test.expectUpdate != updated {
|
||||
t.Fatalf("%s: expected %v, got %v", test.name, test.expectUpdate, updated)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func getFinalConfigMaps(client *fake.Clientset) (map[string]*corev1.ConfigMap, bool) {
|
||||
ret := map[string]*corev1.ConfigMap{}
|
||||
updated := false
|
||||
|
||||
for _, action := range client.Actions() {
|
||||
if action.Matches("create", "configmaps") {
|
||||
obj := action.(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap)
|
||||
ret[obj.Name] = obj
|
||||
}
|
||||
if action.Matches("update", "configmaps") {
|
||||
updated = true
|
||||
obj := action.(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
|
||||
ret[obj.Name] = obj
|
||||
}
|
||||
}
|
||||
return ret, updated
|
||||
}
|
||||
@ -125,7 +125,6 @@ const (
|
||||
// ExtraConfig defines extra configuration for the master
|
||||
type ExtraConfig struct {
|
||||
ClusterAuthenticationInfo clusterauthenticationtrust.ClusterAuthenticationInfo
|
||||
ClientCARegistrationHook ClientCARegistrationHook
|
||||
|
||||
APIResourceConfigSource serverstorage.APIResourceConfigSource
|
||||
StorageFactory serverstorage.StorageFactory
|
||||
|
||||
Loading…
Reference in New Issue
Block a user