Work around conflicts with existing kubeconfig file (#133)

scholzj · web-flow · commit 8e5f87ff3fe7 · 2023-11-22T16:19:43.000+01:00
In some environments, where the user has an existing `kubeconfig` file with an active context using the `client-key-data` or `client-certificate-data` fields, the `kubectl` client used in the Kube API server readiness check does not know what certificates to use and the API Server startup fails with the exception `JenvtestException: Kube API Server did not start properly`. This PR works around it by specifying the `KUBECONFIG` environment variable to an non-existent config file when calling `kubectl` in the readiness check. That makes the `kubectl` process not use the pre-existing `kubeconfig` with its certificates and makes everything work. This is not needed is the user asks for updating the `kubeconfig` file as in such case, the `kubeconfig` already contains the correct configuration and no special handling is needed. This should resolve #116 Signed-off-by: Jakub Scholz <www@scholzj.com>
diff --git a/core/src/main/java/io/javaoperatorsdk/jenvtest/process/KubeAPIServerProcess.java b/core/src/main/java/io/javaoperatorsdk/jenvtest/process/KubeAPIServerProcess.java
@@ -92,7 +92,7 @@ public void waitUntilReady() {
     readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);
     int newTimout = (int) (timeout - (System.currentTimeMillis() - startTime));
     readinessChecker.waitUntilDefaultNamespaceAvailable(apiServerPort, binaryManager, certManager,
-        newTimout);
+        config, newTimout);
   }
 
   public void stopApiServer() {
diff --git a/core/src/main/java/io/javaoperatorsdk/jenvtest/process/ProcessReadinessChecker.java b/core/src/main/java/io/javaoperatorsdk/jenvtest/process/ProcessReadinessChecker.java
@@ -14,6 +14,7 @@
 import java.security.cert.X509Certificate;
 import java.time.LocalTime;
 import java.time.temporal.ChronoUnit;
+import java.util.Map;
 import java.util.function.BooleanSupplier;
 
 import javax.net.ssl.SSLContext;
@@ -25,6 +26,7 @@
 import org.slf4j.LoggerFactory;
 
 import io.javaoperatorsdk.jenvtest.JenvtestException;
+import io.javaoperatorsdk.jenvtest.KubeAPIServerConfig;
 import io.javaoperatorsdk.jenvtest.binary.BinaryManager;
 import io.javaoperatorsdk.jenvtest.cert.CertManager;
 
@@ -36,23 +38,36 @@ public class ProcessReadinessChecker {
 
   public static final int POLLING_INTERVAL = 200;
 
-  public void waitUntilDefaultNamespaceAvailable(int apiServerPort,
-      BinaryManager binaryManager,
-      CertManager certManager, int timeoutMillis) {
-    pollWithTimeout(() -> defaultNamespaceExists(apiServerPort, binaryManager, certManager),
+  public void waitUntilDefaultNamespaceAvailable(int apiServerPort, BinaryManager binaryManager,
+      CertManager certManager, KubeAPIServerConfig config, int timeoutMillis) {
+    pollWithTimeout(() -> defaultNamespaceExists(apiServerPort, binaryManager, certManager, config),
         KUBE_API_SERVER, timeoutMillis);
   }
 
   private boolean defaultNamespaceExists(int apiServerPort, BinaryManager binaryManager,
-      CertManager certManager) {
+      CertManager certManager, KubeAPIServerConfig config) {
     try {
-      Process process = new ProcessBuilder(binaryManager.binaries().getKubectl().getPath(),
-          "--client-certificate=" + certManager.getClientCertPath(),
-          "--client-key=" + certManager.getClientKeyPath(),
-          "--certificate-authority=" + certManager.getAPIServerCertPath(),
-          "--server=https://127.0.0.1:" + apiServerPort,
-          "--request-timeout=5s",
-          "get", "ns", "default").start();
+      ProcessBuilder processBuilder =
+          new ProcessBuilder(binaryManager.binaries().getKubectl().getPath(),
+              "--client-certificate=" + certManager.getClientCertPath(),
+              "--client-key=" + certManager.getClientKeyPath(),
+              "--certificate-authority=" + certManager.getAPIServerCertPath(),
+              "--server=https://127.0.0.1:" + apiServerPort,
+              "--request-timeout=5s",
+              "get", "ns", "default");
+
+      if (!config.isUpdateKubeConfig()) {
+        // When the default kubeconfig file contains default context using client-certificate-data
+        // or client-key-data, kubectl will fail because it will not know which one to use and the
+        // readiness check will never pass. To avoid that, we set the KUBECONFIG environment
+        // variable to an non-existent kubeconfig file. This cannot be done using the --kubeconfig
+        // option to kubectl, because kubectl will complain if such file does not exist, but when
+        // set through KUBECONFIG env. variable, it does not complain.
+        Map<String, String> env = processBuilder.environment();
+        env.put("KUBECONFIG", config.getJenvtestDir() + "/.kubeconfig");
+      }
+
+      Process process = processBuilder.start();
       return process.waitFor() == 0;
     } catch (IOException e) {
       throw new JenvtestException(e);

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ public void waitUntilReady() {`
`92`	`92`	`readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);`
`93`	`93`	`int newTimout = (int) (timeout - (System.currentTimeMillis() - startTime));`
`94`	`94`	`readinessChecker.waitUntilDefaultNamespaceAvailable(apiServerPort, binaryManager, certManager,`
`95`		`- newTimout);`
	`95`	`+ config, newTimout);`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`public void stopApiServer() {`