aggregation: fix config.ini reading of the new bool (#101099)

5 months ago · 33eca9e6fb
parent 0209d71948
commit 33eca9e6fb
5 changed files with 22 additions and 6 deletions
--- a/pkg/services/apiserver/aggregator/aggregator.go
+++ b/pkg/services/apiserver/aggregator/aggregator.go
@ -144,6 +144,11 @@ func CreateAggregatorConfig(commandOptions *options.Options, sharedConfig generi
 		aggregatorConfig.ExtraConfig.ProxyClientKeyFile = commandOptions.KubeAggregatorOptions.ProxyClientKeyFile
 	}

+	customExtraConfig := &CustomExtraConfig{
+		DiscoveryOnlyProxyClientCertFile: commandOptions.KubeAggregatorOptions.ProxyClientCertFile,
+		DiscoveryOnlyProxyClientKeyFile:  commandOptions.KubeAggregatorOptions.ProxyClientKeyFile,
+	}
+
 	if err := commandOptions.KubeAggregatorOptions.ApplyTo(aggregatorConfig, commandOptions.RecommendedOptions.Etcd); err != nil {
 		return nil, err
 	}
@ -156,7 +161,7 @@ func CreateAggregatorConfig(commandOptions *options.Options, sharedConfig generi

 	// Exit early, if no remote services file is configured
 	if commandOptions.KubeAggregatorOptions.RemoteServicesFile == "" {
-		return NewConfig(aggregatorConfig, sharedInformerFactory, []builder.APIGroupBuilder{serviceAPIBuilder}, nil), nil
+		return NewConfig(aggregatorConfig, customExtraConfig, sharedInformerFactory, []builder.APIGroupBuilder{serviceAPIBuilder}, nil), nil
 	}

 	remoteServices, err := ReadRemoteServices(commandOptions.KubeAggregatorOptions.RemoteServicesFile)
@ -176,9 +181,11 @@ func CreateAggregatorConfig(commandOptions *options.Options, sharedConfig generi
 		serviceClientSet: serviceClient,
 	}

-	return NewConfig(aggregatorConfig, sharedInformerFactory, []builder.APIGroupBuilder{serviceAPIBuilder}, remoteServicesConfig), nil
+	return NewConfig(aggregatorConfig, customExtraConfig, sharedInformerFactory, []builder.APIGroupBuilder{serviceAPIBuilder}, remoteServicesConfig), nil
 }

+// CreateAggregatorServer creates an aggregated server to layer into the existing apiserver
+// TODO: passing options temporarily as that allows us to pass in cert/key for client into AvailableController but skip it in the aggregator lib
 func CreateAggregatorServer(config *Config, delegateAPIServer genericapiserver.DelegationTarget, reg prometheus.Registerer) (*aggregatorapiserver.APIAggregator, error) {
 	aggregatorConfig := config.KubeAggregatorConfig
 	sharedInformerFactory := config.Informers
@ -257,8 +264,8 @@ func CreateAggregatorServer(config *Config, delegateAPIServer genericapiserver.D
 	proxyCurrentCertKeyContentFunc := func() ([]byte, []byte) {
 		return nil, nil
 	}
-	if len(config.KubeAggregatorConfig.ExtraConfig.ProxyClientCertFile) > 0 && len(config.KubeAggregatorConfig.ExtraConfig.ProxyClientKeyFile) > 0 {
-		aggregatorProxyCerts, err := dynamiccertificates.NewDynamicServingContentFromFiles("aggregator-proxy-cert", config.KubeAggregatorConfig.ExtraConfig.ProxyClientCertFile, config.KubeAggregatorConfig.ExtraConfig.ProxyClientKeyFile)
+	if len(config.CustomExtraConfig.DiscoveryOnlyProxyClientCertFile) > 0 && len(config.CustomExtraConfig.DiscoveryOnlyProxyClientKeyFile) > 0 {
+		aggregatorProxyCerts, err := dynamiccertificates.NewDynamicServingContentFromFiles("aggregator-proxy-cert", config.CustomExtraConfig.DiscoveryOnlyProxyClientCertFile, config.CustomExtraConfig.DiscoveryOnlyProxyClientKeyFile)
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/services/apiserver/aggregator/config.go
+++ b/pkg/services/apiserver/aggregator/config.go
@ -28,8 +28,14 @@ type RemoteServicesConfig struct {
 	serviceClientSet       *serviceclientset.Clientset
 }

+type CustomExtraConfig struct {
+	DiscoveryOnlyProxyClientCertFile string
+	DiscoveryOnlyProxyClientKeyFile  string
+}
+
 type Config struct {
 	KubeAggregatorConfig *aggregatorapiserver.Config
+	CustomExtraConfig    *CustomExtraConfig // this is temporary and will be removed once we have moved across newer auth rollout in cloud
 	Informers            informersv0alpha1.SharedInformerFactory
 	RemoteServicesConfig *RemoteServicesConfig
 	// Builders contain prerequisite api groups for aggregator to function correctly e.g. ExternalName
@ -40,7 +46,7 @@ type Config struct {
 }

 // remoteServices may be nil when not using aggregation
-func NewConfig(aggregator *aggregatorapiserver.Config, informers informersv0alpha1.SharedInformerFactory, builders []builder.APIGroupBuilder, remoteServices *RemoteServicesConfig) *Config {
+func NewConfig(aggregator *aggregatorapiserver.Config, customExtraConfig *CustomExtraConfig, informers informersv0alpha1.SharedInformerFactory, builders []builder.APIGroupBuilder, remoteServices *RemoteServicesConfig) *Config {
 	getMergedOpenAPIDefinitions := func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 		aggregatorAPIs := aggregatoropenapi.GetOpenAPIDefinitions(ref)
 		builderAPIs := builder.GetOpenAPIDefinitions(builders)(ref)
@ -61,6 +67,7 @@ func NewConfig(aggregator *aggregatorapiserver.Config, informers informersv0alph

 	return &Config{
 		aggregator,
+		customExtraConfig,
 		informers,
 		remoteServices,
 		builders,
--- a/pkg/services/apiserver/config.go
+++ b/pkg/services/apiserver/config.go
@ -43,6 +43,7 @@ func applyGrafanaConfig(cfg *setting.Cfg, features featuremgmt.FeatureToggles, o

 	o.KubeAggregatorOptions.ProxyClientCertFile = apiserverCfg.Key("proxy_client_cert_file").MustString("")
 	o.KubeAggregatorOptions.ProxyClientKeyFile = apiserverCfg.Key("proxy_client_key_file").MustString("")
+	o.KubeAggregatorOptions.LegacyClientCertAuth = apiserverCfg.Key("legacy_client_cert_auth").MustBool(true)

 	o.KubeAggregatorOptions.APIServiceCABundleFile = apiserverCfg.Key("apiservice_ca_bundle_file").MustString("")
 	o.KubeAggregatorOptions.RemoteServicesFile = apiserverCfg.Key("remote_services_file").MustString("")
--- a/pkg/services/apiserver/options/extra.go
+++ b/pkg/services/apiserver/options/extra.go
@ -48,6 +48,7 @@ func (o *ExtraOptions) ApplyTo(c *genericapiserver.RecommendedConfig) error {
 	}); err != nil {
 		return err
 	}
+	// TODO: klog isn't working as expected, investigate - it logs some of the time
 	klog.SetSlogLogger(logger)
 	if _, err := logs.GlogSetter(strconv.Itoa(o.Verbosity)); err != nil {
 		logger.Error("failed to set log level", "error", err)
--- a/pkg/services/apiserver/options/kube-aggregator.go
+++ b/pkg/services/apiserver/options/kube-aggregator.go
@ -48,7 +48,7 @@ func (o *KubeAggregatorOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.ProxyClientKeyFile, "proxy-client-key-file", o.ProxyClientKeyFile,
 		"path to proxy client key file")

-	fs.BoolVar(&o.LegacyClientCertAuth, "legacy_client_cert_auth", true,
+	fs.BoolVar(&o.LegacyClientCertAuth, "legacy-client-cert-auth", true,
 		"whether to use legacy client cert auth")
 }