Merge pull request #66395 from awly/fix-kubelet-exec-plugin-startup

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Update http.Transport if it already exists in ExecProvider **What this PR does / why we need it**: This unbreaks ExecPlugin. Without the change, we hit this error https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/transport/transport.go#L32 **Release note**: ```release-note Fix kubelet startup failure when using ExecPlugin in kubeconfig ```
2025-07-24 20:24:09 +00:00 · 2018-07-26 10:47:05 -07:00 · 2018-07-26 10:47:05 -07:00 · cef2d325ee
commit cef2d325ee
parent 2486d51eb9 3357b5ecf4
2 changed files with 66 additions and 66 deletions
--- a/pkg/kubelet/certificate/transport.go
+++ b/pkg/kubelet/certificate/transport.go
@ -65,15 +65,26 @@ func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig

 	d := connrotation.NewDialer((&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext)

+	if clientCertificateManager != nil {
+		if err := addCertRotation(stopCh, period, clientConfig, clientCertificateManager, exitAfter, d); err != nil {
+			return nil, err
+		}
+	} else {
+		clientConfig.Dial = d.DialContext
+	}
+
+	return d.CloseAll, nil
+}
+
+func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration, d *connrotation.Dialer) error {
 	tlsConfig, err := restclient.TLSConfigFor(clientConfig)
 	if err != nil {
-		return nil, fmt.Errorf("unable to configure TLS for the rest client: %v", err)
+		return fmt.Errorf("unable to configure TLS for the rest client: %v", err)
 	}
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}

-	if clientCertificateManager != nil {
 	tlsConfig.Certificates = nil
 	tlsConfig.GetClientCertificate = func(requestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 		cert := clientCertificateManager.Current()
@ -125,14 +136,13 @@ func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig
 		// See: https://github.com/kubernetes-incubator/bootkube/pull/663#issuecomment-318506493
 		d.CloseAll()
 	}, period, stopCh)
-	}

 	clientConfig.Transport = utilnet.SetTransportDefaults(&http.Transport{
 		Proxy:               http.ProxyFromEnvironment,
 		TLSHandshakeTimeout: 10 * time.Second,
 		TLSClientConfig:     tlsConfig,
 		MaxIdleConnsPerHost: 25,
-		DialContext:         d.DialContext, // Use custom dialer.
+		DialContext:         d.DialContext,
 	})

 	// Zero out all existing TLS options since our new transport enforces them.
@ -144,5 +154,5 @@ func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig
 	clientConfig.CAFile = ""
 	clientConfig.Insecure = false

-	return d.CloseAll, nil
+	return nil
 }
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@ -179,21 +180,10 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 		return &roundTripper{a, rt}
 	}

-	getCert := c.TLS.GetCert
-	c.TLS.GetCert = func() (*tls.Certificate, error) {
-		// If previous GetCert is present and returns a valid non-nil
-		// certificate, use that. Otherwise use cert from exec plugin.
-		if getCert != nil {
-			cert, err := getCert()
-			if err != nil {
-				return nil, err
-			}
-			if cert != nil {
-				return cert, nil
-			}
-		}
-		return a.cert()
+	if c.TLS.GetCert != nil {
+		return errors.New("can't add TLS certificate callback: transport.Config.TLS.GetCert already set")
 	}
+	c.TLS.GetCert = a.cert

 	var dial func(ctx context.Context, network, addr string) (net.Conn, error)
 	if c.Dial != nil {