[main] block UI until we receive requests from kube-apiserver (#668)

* block UI until we receive requests from kube-apiserver * satisfy CI * undo test code --------- Co-authored-by: joshmeranda <joshua.meranda@gmail.com>
2025-09-06 01:41:00 +00:00 · 2025-06-11 14:58:36 -04:00
parent 1157865ea3
commit c67ddf2de4
2 changed files with 43 additions and 2 deletions
--- a/pkg/ext/apiserver.go
+++ b/pkg/ext/apiserver.go
@@ -108,6 +108,8 @@ type ExtensionAPIServer struct {

 	handlerMu sync.RWMutex
 	handler   http.Handler
+
+	registeredChan <-chan struct{}
 }

 type emptyAddresses struct{}
@@ -129,15 +131,38 @@ func NewExtensionAPIServer(scheme *runtime.Scheme, codecs serializer.CodecFactor
 		return nil, fmt.Errorf("listener must be provided")
 	}

+	if opts.GetOpenAPIDefinitions == nil {
+		return nil, fmt.Errorf("GetOpenAPIDefinitions must be provided")
+	}
+
+	if opts.Authorizer == nil {
+		// We need an authorizer to allow us to wrap it with a check for kube-apisevrer registration requests.
+		return nil, fmt.Errorf("authorizer must be provided")
+	}
+
 	recommendedOpts := genericoptions.NewRecommendedOptions("", codecs.LegacyCodec())
 	recommendedOpts.SecureServing.Listener = opts.Listener

+	registered := make(chan struct{})
+
+	var once sync.Once
+
 	resolver := &request.RequestInfoFactory{APIPrefixes: sets.NewString("apis", "api"), GrouplessAPIPrefixes: sets.NewString("api")}
 	config := genericapiserver.NewRecommendedConfig(codecs)
 	config.RequestInfoResolver = resolver
 	config.Authorization = genericapiserver.AuthorizationInfo{
-		Authorizer: opts.Authorizer,
+		Authorizer: authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+			switch a.GetUser().GetName() {
+			case "system:aggregator", "system:kube-aggregator":
+				once.Do(func() {
+					close(registered)
+				})
+			}
+
+			return opts.Authorizer.Authorize(ctx, a)
+		}),
 	}
+
 	// The default kube effective version ends up being the version of the
 	// library. (The value is hardcoded but it is kept up-to-date via some
 	// automation)
@@ -189,6 +214,7 @@ func NewExtensionAPIServer(scheme *runtime.Scheme, codecs serializer.CodecFactor
 		genericAPIServer: genericServer,
 		apiGroups:        make(map[string]genericapiserver.APIGroupInfo),
 		authorizer:       opts.Authorizer,
+		registeredChan:   registered,
 	}

 	return extensionAPIServer, nil
@@ -301,3 +327,7 @@ func getDefinitionName(scheme *runtime.Scheme, replacements map[string]string) f
 		return definitionName, defGVK
 	}
 }
+
+func (s *ExtensionAPIServer) Registered() <-chan struct{} {
+	return s.registeredChan
+}