Merge pull request #3418 from ntnn/fix-bind-address

Fix `--bind-address`

Author: kcp-ci-bot

cmd/sharded-test-server/cache.go

@@ -39,7 +39,7 @@ import (
 	kcptestingserver "github.com/kcp-dev/kcp/sdk/testing/server"
 )
 
-func startCacheServer(ctx context.Context, logDirPath, workingDir string, syntheticDelay time.Duration) (<-chan error, string, error) {
+func startCacheServer(ctx context.Context, logDirPath, workingDir, hostIP string, syntheticDelay time.Duration) (<-chan error, string, error) {
 	cyan := color.New(color.BgHiCyan, color.FgHiWhite).SprintFunc()
 	inverse := color.New(color.BgHiWhite, color.FgHiCyan).SprintFunc()
 	out := lineprefix.New(
@@ -56,6 +56,7 @@ func startCacheServer(ctx context.Context, logDirPath, workingDir string, synthe
 	commandLine = append(
 		commandLine,
 		fmt.Sprintf("--root-directory=%s", cacheWorkingDir),
+		"--bind-address="+hostIP,
 		"--embedded-etcd-client-port=8010",
 		"--embedded-etcd-peer-port=8011",
 		fmt.Sprintf("--secure-port=%d", cachePort),

cmd/sharded-test-server/frontproxy.go

@@ -132,6 +132,7 @@ func startFrontProxy(
 
 	// run front-proxy command
 	commandLine := append(kcptestingserver.Command("kcp-front-proxy", "front-proxy"),
+		"--bind-address="+hostIP,
 		fmt.Sprintf("--mapping-file=%s", filepath.Join(workDirPath, ".kcp-front-proxy/mapping.yaml")),
 		fmt.Sprintf("--root-directory=%s", filepath.Join(workDirPath, ".kcp-front-proxy")),
 		fmt.Sprintf("--root-kubeconfig=%s", filepath.Join(workDirPath, ".kcp/root.kubeconfig")),

cmd/sharded-test-server/main.go

@@ -28,7 +28,6 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	machineryutilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	kuser "k8s.io/apiserver/pkg/authentication/user"
@@ -192,17 +191,13 @@ func start(proxyFlags, shardFlags []string, logDirPath, workDirPath string, numb
 		return fmt.Errorf("failed to create service-account-signing-ca: %w", err)
 	}
 
-	// find external IP to put into certs as valid IPs
-	hostIP, err := machineryutilnet.ResolveBindAddress(net.IPv4(0, 0, 0, 0))
-	if err != nil {
-		return err
-	}
+	hostIP := net.IPv4(127, 0, 0, 1)
 
 	standaloneVW := sets.New[string](shardFlags...).Has("--run-virtual-workspaces=false")
 
 	cacheServerErrCh := make(chan indexErrTuple)
 	cacheServerConfigPath := ""
-	cacheServerCh, configPath, err := startCacheServer(ctx, logDirPath, workDirPath, cacheSyntheticDelay)
+	cacheServerCh, configPath, err := startCacheServer(ctx, logDirPath, workDirPath, hostIP.String(), cacheSyntheticDelay)
 	if err != nil {
 		return fmt.Errorf("error starting the cache server: %w", err)
 	}

cmd/sharded-test-server/virtual.go

@@ -142,15 +142,15 @@ func newVirtualWorkspace(ctx context.Context, index int, servingCA *crypto.CA, h
 		return nil, err
 	}
 
-	var args []string
-	args = append(args,
+	args := []string{
 		fmt.Sprintf("--kubeconfig=%s", kubeconfigPath),
 		fmt.Sprintf("--shard-external-url=https://%s:%d", hostIP, 6443),
 		fmt.Sprintf("--cache-kubeconfig=%s", cacheServerConfigPath),
 		fmt.Sprintf("--authentication-kubeconfig=%s", authenticationKubeconfigPath),
 		fmt.Sprintf("--client-ca-file=%s", clientCAFilePath),
 		fmt.Sprintf("--tls-private-key-file=%s", servingKeyFile),
 		fmt.Sprintf("--tls-cert-file=%s", servingCertFile),
+		fmt.Sprintf("--bind-address=%s", hostIP),
 		fmt.Sprintf("--secure-port=%s", virtualWorkspacePort(index)),
 		"--audit-log-maxsize=1024",
 		"--audit-log-mode=batch",
@@ -161,7 +161,7 @@ func newVirtualWorkspace(ctx context.Context, index int, servingCA *crypto.CA, h
 		"--audit-log-batch-throttle-enable=true",
 		"--audit-log-batch-throttle-qps=10",
 		fmt.Sprintf("--audit-policy-file=%s", auditPolicyFile),
-	)
+	}
 
 	return &VirtualWorkspace{
 		index:       index,

cmd/test-server/kcp/shard.go

@@ -99,6 +99,7 @@ func (s *Shard) Start(ctx context.Context, quiet bool) error {
 	commandLine = append(commandLine, s.args...)
 	commandLine = append(commandLine,
 		"--root-directory", s.runtimeDir,
+		"--bind-address=127.0.0.1",
 		"--token-auth-file", framework.DefaultTokenAuthFile,
 		"--audit-log-maxsize", "1024",
 		"--audit-log-mode=batch",

pkg/server/config.go

@@ -155,6 +155,7 @@ type CompletedConfig struct {
 // Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
 func (c *Config) Complete() (CompletedConfig, error) {
 	miniAggregator := c.MiniAggregator.Complete()
+
 	return CompletedConfig{&completedConfig{
 		Options: c.Options,
 

pkg/server/options/options.go

@@ -287,6 +287,22 @@ func (o *Options) Complete(ctx context.Context, rootDir string) (*CompletedOptio
 		}
 	}
 
+	// ExternalAddress is the address used e.g. when generating
+	// kubeconfigs. It defaults to the default interface, usually the
+	// first non-loopback interface, e.g. 192.168.0.1.
+	// BindAddress is the address the server binds to, it defaults to
+	// 0.0.0.0 or ::.
+	//
+	// If BindAddress is set to a specific address, e.g. the loopback
+	// 127.0.0.1 the ExternalAddress is invalid and all URLs generated
+	// from it will not work.
+	//
+	// To prevent this ExternalAddress is set to the value of
+	// BindAddress if it wasn't set to a specific address.
+	if o.GenericControlPlane.GenericServerRunOptions.ExternalHost == "" && !o.GenericControlPlane.SecureServing.BindAddress.IsUnspecified() {
+		o.GenericControlPlane.GenericServerRunOptions.ExternalHost = o.GenericControlPlane.SecureServing.BindAddress.String()
+	}
+
 	if o.Extra.ExperimentalBindFreePort {
 		listener, _, err := genericapiserveroptions.CreateListener("tcp", fmt.Sprintf("%s:0", o.GenericControlPlane.SecureServing.BindAddress), net.ListenConfig{})
 		if err != nil {
@@ -311,7 +327,34 @@ func (o *Options) Complete(ctx context.Context, rootDir string) (*CompletedOptio
 		o.GenericControlPlane.ServiceAccountSigningKeyFile = o.Controllers.SAController.ServiceAccountKeyFile
 	}
 
-	completedGenericOptions, err := o.GenericControlPlane.Complete(ctx, nil, nil)
+	// o.GenericControlPlane.Complete creates self-signed certificates
+	// with the advertise address by default. This can cause spurious
+	// errors if the server binds on multiple interfaces.
+	possibleIPs := []net.IP{
+		o.GenericControlPlane.GenericServerRunOptions.AdvertiseAddress,
+		o.GenericControlPlane.SecureServing.BindAddress,
+		o.GenericControlPlane.SecureServing.ExternalAddress,
+	}
+	if o.GenericControlPlane.SecureServing.Listener != nil {
+		host, _, err := net.SplitHostPort(o.GenericControlPlane.SecureServing.Listener.Addr().String())
+		if err != nil {
+			return nil, err
+		}
+		possibleIPs = append(possibleIPs, net.ParseIP(host))
+	}
+
+	alternateIPs := []net.IP{}
+	alternateDNS := []string{}
+
+	for _, ip := range possibleIPs {
+		if ip == nil || ip.IsUnspecified() {
+			continue
+		}
+		alternateIPs = append(alternateIPs, ip)
+		alternateDNS = append(alternateDNS, ip.String())
+	}
+
+	completedGenericOptions, err := o.GenericControlPlane.Complete(ctx, alternateDNS, alternateIPs)
 	if err != nil {
 		return nil, err
 	}

sdk/testing/config.go

@@ -28,7 +28,8 @@ type SharedKcpOption func()
 
 var (
 	sharedConfig = kcptestingserver.Config{
-		Name: "shared",
+		Name:        "shared",
+		BindAddress: "127.0.0.1",
 	}
 	externalConfig = struct {
 		kubeconfigPath       string

sdk/testing/kcp.go

@@ -35,7 +35,10 @@ var fs embed.FS
 func PrivateKcpServer(t TestingT, options ...kcptestingserver.Option) kcptestingserver.RunningServer {
 	t.Helper()
 
-	cfg := &kcptestingserver.Config{Name: "main"}
+	cfg := &kcptestingserver.Config{
+		Name:        "main",
+		BindAddress: "127.0.0.1",
+	}
 	for _, opt := range options {
 		opt(cfg)
 	}

sdk/testing/server/config.go

@@ -27,6 +27,7 @@ type Config struct {
 	ArtifactDir string
 	DataDir     string
 	ClientCADir string
+	BindAddress string
 
 	LogToConsole bool
 	RunInProcess bool
@@ -84,3 +85,10 @@ func WithLogToConsole() Option {
 		cfg.LogToConsole = true
 	}
 }
+
+// WithBindAddress sets the kcp server to log to console.
+func WithBindAddress(addr string) Option {
+	return func(cfg *Config) {
+		cfg.BindAddress = addr
+	}
+}