
Commit 0b9115e

committed
fix: k8s client setup if mtls used
Currently, setting up the k8s client is broken if mTLS authentication is used between server and agent. This fixes that. Signed-off-by: Imran Pochi <imranpochi@microsoft.com>
1 parent 83b5fd9 commit 0b9115e


2 files changed

+16
-14
lines changed


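--- a/cmd/server/app/options/options.go
+++ b/cmd/server/app/options/options.go
@@ -112,6 +112,8 @@ type ProxyRunOptions struct {
 LeaseNamespace string
 // Lease Labels
 LeaseLabel string
+// Needs kubernetes client
+NeedsKubernetesClient bool
 }
 
 func (o *ProxyRunOptions) Flags() *pflag.FlagSet {
@@ -287,29 +289,27 @@ func (o *ProxyRunOptions) Validate() error {
 if o.EnableContentionProfiling && !o.EnableProfiling {
 return fmt.Errorf("if --enable-contention-profiling is set, --enable-profiling must also be set")
 }
-
-// validate agent authentication params
-// all 4 parameters must be empty or must have value (except KubeconfigPath that might be empty)
-if o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.KubeconfigPath != "" {
+usingServiceAccountAuth := o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != ""
+if usingServiceAccountAuth {
 if o.ClusterCaCert != "" {
-return fmt.Errorf("ClusterCaCert can not be used when service account authentication is enabled")
+return fmt.Errorf("--cluster-ca-cert can not be used when agent authentication is enabled")
 }
 if o.AgentNamespace == "" {
-return fmt.Errorf("AgentNamespace cannot be empty when agent authentication is enabled")
+return fmt.Errorf("--agent-namespace cannot be empty when agent authentication is enabled")
 }
 if o.AgentServiceAccount == "" {
-return fmt.Errorf("AgentServiceAccount cannot be empty when agent authentication is enabled")
+return fmt.Errorf("--agent-service-account cannot be empty when agent authentication is enabled")
 }
 if o.AuthenticationAudience == "" {
-return fmt.Errorf("AuthenticationAudience cannot be empty when agent authentication is enabled")
+return fmt.Errorf("--authentication-audience cannot be empty when agent authentication is enabled")
 }
-if o.KubeconfigPath != "" {
-if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
-return fmt.Errorf("error checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
-}
+}
+// Validate kubeconfig path if provided
+if o.KubeconfigPath != "" {
+if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
+return fmt.Errorf("checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
 }
 }
-
 // validate the proxy strategies
 if len(o.ProxyStrategies) == 0 {
 return fmt.Errorf("ProxyStrategies cannot be empty")
@@ -338,6 +338,8 @@ func (o *ProxyRunOptions) Validate() error {
 }
 }
 
+o.NeedsKubernetesClient = usingServiceAccountAuth || o.EnableLeaseController
+
 return nil
 }
 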
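Review bot: Validate() now writes `o.NeedsKubernetesClient` as a side effect (new line 341), so the `if o.NeedsKubernetesClient` guard in cmd/server/app/server.go is only correct when Validate has already run on the same struct, and an exported bool field invites callers to set it directly only to have it silently overwritten. A derived method removes the ordering dependency: `func (o *ProxyRunOptions) NeedsKubernetesClient() bool { return o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.EnableLeaseController }`. If the field is kept, its comment should say where the value comes from, e.g. `// NeedsKubernetesClient is computed by Validate(); true when service-account agent authentication or the lease controller is enabled.` Separately, the relocated kubeconfig check still reacts only to `os.IsNotExist`, so a path that exists but is unreadable or is a directory passes validation and only fails later when the client config is built; rejecting any non-nil Stat error would surface the misconfiguration at startup. Both hunks cut through Validate(), whose body continues outside them.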
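--- a/cmd/server/app/server.go
+++ b/cmd/server/app/server.go
@@ -105,7 +105,7 @@ func (p *Proxy) Run(o *options.ProxyRunOptions, stopCh <-chan struct{}) error {
 defer cancel()
 
 var k8sClient *kubernetes.Clientset
-if o.AgentNamespace != "" {
+if o.NeedsKubernetesClient {
 config, err := clientcmd.BuildConfigFromFlags("", o.KubeconfigPath)
 if err != nil {
 return fmt.Errorf("failed to load kubernetes client config: %v", err)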
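Review bot: The widened guard means the mTLS-with-lease-controller deployment now reaches `clientcmd.BuildConfigFromFlags("", o.KubeconfigPath)` where it previously skipped client setup entirely, and when KubeconfigPath is empty that call falls back to in-cluster configuration (as I recall clientcmd's behaviour for empty master URL and path; worth confirming). That is presumably the intended mode for an in-cluster server, but the branch should say so, e.g. `// Client needed for service-account agent auth or the lease controller; an empty KubeconfigPath selects in-cluster config.` Run's body continues outside the hunk.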