From 0bc4602294edd361cfdffb7b92d9e18bb0c13d95 Mon Sep 17 00:00:00 2001
From: Imran Pochi
Date: Tue, 15 Apr 2025 00:52:31 +0000
Subject: [PATCH] fix: k8s client setup

Currently the setting up of k8s client is broken if service account authentication is not used between server and agent. This condition `if o.AgentNamespace != "" {` acts as a gatekeeper for setting the k8s client which worked fine previously as server never needed to talk to apiserver apart from authenticating agents using service account token. However when lease controller logic was added, it meant that setting up k8s client was required if lease controller was enabled but authentication was done using mTLS instead of service account authentication. This fixes that. Closing #728 in favour of this.

Signed-off-by: Imran Pochi
---
 cmd/server/app/options/options.go | 28 +++++++++++++++-------------
 cmd/server/app/server.go | 2 +-
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/cmd/server/app/options/options.go b/cmd/server/app/options/options.go
index f5a26621c..a5dbce407 100644
--- a/cmd/server/app/options/options.go
+++ b/cmd/server/app/options/options.go
@@ -112,6 +112,8 @@ type ProxyRunOptions struct {
 LeaseNamespace string
 // Lease Labels
 LeaseLabel string
+ // Needs kubernetes client
+ NeedsKubernetesClient bool
 }
 func (o *ProxyRunOptions) Flags() *pflag.FlagSet {
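Review bot: The comment on the new `NeedsKubernetesClient` field does not say that the value is derived rather than user-set; the Validate() hunk in this file assigns it from the service-account options and `EnableLeaseController`, and server.go's Run branches on it. Suggest replacing the comment with `// NeedsKubernetesClient is set by Validate(), not by a flag: true when service account agent authentication or the lease controller is enabled, so Run knows it must build a client.` Without that, a reader may try to bind it to a flag in Flags(), or construct ProxyRunOptions without calling Validate() and get a server that silently skips client setup even though the lease controller is on. The struct declaration starts outside the hunk.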
@@ -287,29 +289,27 @@ func (o *ProxyRunOptions) Validate() error {
 if o.EnableContentionProfiling && !o.EnableProfiling {
 return fmt.Errorf("if --enable-contention-profiling is set, --enable-profiling must also be set")
 }
-
- // validate agent authentication params
- // all 4 parameters must be empty or must have value (except KubeconfigPath that might be empty)
- if o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.KubeconfigPath != "" {
+ usingServiceAccountAuth := o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != ""
+ if usingServiceAccountAuth {
 if o.ClusterCaCert != "" {
- return fmt.Errorf("ClusterCaCert can not be used when service account authentication is enabled")
+ return fmt.Errorf("--cluster-ca-cert can not be used when agent authentication is enabled")
 }
 if o.AgentNamespace == "" {
- return fmt.Errorf("AgentNamespace cannot be empty when agent authentication is enabled")
+ return fmt.Errorf("--agent-namespace cannot be empty when agent authentication is enabled")
 }
 if o.AgentServiceAccount == "" {
- return fmt.Errorf("AgentServiceAccount cannot be empty when agent authentication is enabled")
+ return fmt.Errorf("--agent-service-account cannot be empty when agent authentication is enabled")
 }
 if o.AuthenticationAudience == "" {
- return fmt.Errorf("AuthenticationAudience cannot be empty when agent authentication is enabled")
+ return fmt.Errorf("--authentication-audience cannot be empty when agent authentication is enabled")
 }
- if o.KubeconfigPath != "" {
- if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
- return fmt.Errorf("error checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
- }
+ }
+ // Validate kubeconfig path if provided
+ if o.KubeconfigPath != "" {
+ if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
+ return fmt.Errorf("checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
 }
 }
-
 // validate the proxy strategies
 if len(o.ProxyStrategies) == 0 {
 return fmt.Errorf("ProxyStrategies cannot be empty")
@@ -338,6 +338,8 @@ func (o *ProxyRunOptions) Validate() error {
 }
 }
+ o.NeedsKubernetesClient = usingServiceAccountAuth || o.EnableLeaseController
+
 return nil
 }
diff --git a/cmd/server/app/server.go b/cmd/server/app/server.go
index a9c265f9d..990549576 100644
--- a/cmd/server/app/server.go
+++ b/cmd/server/app/server.go
@@ -105,7 +105,7 @@ func (p *Proxy) Run(o *options.ProxyRunOptions, stopCh <-chan struct{}) error {
 defer cancel()
 var k8sClient *kubernetes.Clientset
- if o.AgentNamespace != "" {
+ if o.NeedsKubernetesClient {
 config, err := clientcmd.BuildConfigFromFlags("", o.KubeconfigPath)
 if err != nil {
 return fmt.Errorf("failed to load kubernetes client config: %v", err)
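Review bot: The rewritten kubeconfig check still rejects only `os.IsNotExist` errors, so a path that exists but cannot be stat'ed (for example a permission-denied parent directory) passes Validate and only surfaces later inside Run's BuildConfigFromFlags, with a less specific message. Since these lines are new code, tightening the condition is cheap: `if _, err := os.Stat(o.KubeconfigPath); err != nil {` followed by `return fmt.Errorf("checking KubeconfigPath %q: %w", o.KubeconfigPath, err)`, which also keeps the underlying cause inspectable with errors.Is instead of flattening it through `%v`. Validate begins before this hunk and continues past it; `usingServiceAccountAuth` is consumed in the following hunk.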
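Review bot: Validate now has a side effect — it writes `o.NeedsKubernetesClient` on the success path — which the method name does not advertise, so the field is only trustworthy after Validate has returned nil. A comment above the assignment would make that contract explicit, e.g. `// Derived here rather than bound to a flag: Run builds a kubernetes client only when service account agent auth or the lease controller needs one.` An alternative that keeps the validator free of mutation is an exported method `NeedsKubernetesClient() bool` that returns `o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.EnableLeaseController`, computed on demand wherever Run needs it. The start of Validate lies outside the hunk.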
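Review bot: With the new condition this branch also runs for mTLS-authenticated deployments that only enable the lease controller, where `o.KubeconfigPath` is presumably empty and `clientcmd.BuildConfigFromFlags("", "")` falls back to in-cluster configuration; a server started outside a cluster in that mode now fails here with a message that does not mention why a client was required. Suggest making the cause visible on the existing return, `return fmt.Errorf("failed to load kubernetes client config (needed for service account authentication or the lease controller): %v", err)`. The field read here is populated only by Validate in options.go, so Run must keep validating the options before reaching this point; Run's body continues past the hunk.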