Merge pull request #737 from kinvolk/release-0.31-fix-mtls

release-0.31 branch update for v0.31.4 tag

Lint passes locally. Need to debug why the current github action goes away and never some back.
However to unblock required v0.31 release force merging.
Imran present and approving change.

Author: cheftako

cmd/server/app/options/options.go

@@ -112,6 +112,8 @@ type ProxyRunOptions struct {
 	LeaseNamespace string
 	// Lease Labels
 	LeaseLabel string
+	// Needs kubernetes client
+	NeedsKubernetesClient bool
 }
 
 func (o *ProxyRunOptions) Flags() *pflag.FlagSet {
@@ -287,29 +289,27 @@ func (o *ProxyRunOptions) Validate() error {
 	if o.EnableContentionProfiling && !o.EnableProfiling {
 		return fmt.Errorf("if --enable-contention-profiling is set, --enable-profiling must also be set")
 	}
-
-	// validate agent authentication params
-	// all 4 parameters must be empty or must have value (except KubeconfigPath that might be empty)
-	if o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.KubeconfigPath != "" {
+	usingServiceAccountAuth := o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != ""
+	if usingServiceAccountAuth {
 		if o.ClusterCaCert != "" {
-			return fmt.Errorf("ClusterCaCert can not be used when service account authentication is enabled")
+			return fmt.Errorf("--cluster-ca-cert can not be used when agent authentication is enabled")
 		}
 		if o.AgentNamespace == "" {
-			return fmt.Errorf("AgentNamespace cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--agent-namespace cannot be empty when agent authentication is enabled")
 		}
 		if o.AgentServiceAccount == "" {
-			return fmt.Errorf("AgentServiceAccount cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--agent-service-account cannot be empty when agent authentication is enabled")
 		}
 		if o.AuthenticationAudience == "" {
-			return fmt.Errorf("AuthenticationAudience cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--authentication-audience cannot be empty when agent authentication is enabled")
 		}
-		if o.KubeconfigPath != "" {
-			if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
-				return fmt.Errorf("error checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
-			}
+	}
+	// Validate kubeconfig path if provided
+	if o.KubeconfigPath != "" {
+		if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
+			return fmt.Errorf("checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
 		}
 	}
-
 	// validate the proxy strategies
 	if len(o.ProxyStrategies) == 0 {
 		return fmt.Errorf("ProxyStrategies cannot be empty")
@@ -338,6 +338,8 @@ func (o *ProxyRunOptions) Validate() error {
 		}
 	}
 
+	o.NeedsKubernetesClient = usingServiceAccountAuth || o.EnableLeaseController
+
 	return nil
 }
 

cmd/server/app/server.go

@@ -105,7 +105,7 @@ func (p *Proxy) Run(o *options.ProxyRunOptions, stopCh <-chan struct{}) error {
 	defer cancel()
 
 	var k8sClient *kubernetes.Clientset
-	if o.AgentNamespace != "" {
+	if o.NeedsKubernetesClient {
 		config, err := clientcmd.BuildConfigFromFlags("", o.KubeconfigPath)
 		if err != nil {
 			return fmt.Errorf("failed to load kubernetes client config: %v", err)