4
4
"os"
5
5
"time"
6
6
7
+ configv1 "github.com/openshift/api/config/v1"
7
8
"github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy"
8
9
"github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagereferencemutators"
9
10
"github.com/openshift/apiserver-library-go/pkg/admission/quota/clusterresourcequota"
@@ -21,13 +22,15 @@ import (
21
22
"github.com/openshift/library-go/pkg/apiserver/admission/admissionrestconfig"
22
23
"github.com/openshift/library-go/pkg/apiserver/apiserverconfig"
23
24
"github.com/openshift/library-go/pkg/quota/clusterquotamapping"
25
+ "k8s.io/apimachinery/pkg/util/wait"
24
26
"k8s.io/apiserver/pkg/admission"
25
27
"k8s.io/apiserver/pkg/quota/v1/generic"
26
28
genericapiserver "k8s.io/apiserver/pkg/server"
27
29
clientgoinformers "k8s.io/client-go/informers"
28
30
corev1informers "k8s.io/client-go/informers/core/v1"
29
31
"k8s.io/client-go/rest"
30
32
"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers"
33
+ "k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/authncache"
31
34
"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managednode"
32
35
"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managementcpusoverride"
33
36
"k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
@@ -118,11 +121,22 @@ func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, k
118
121
go openshiftAPIServiceReachabilityCheck .checkForConnection (context )
119
122
return nil
120
123
})
121
- // TODO: Should we skip this post start hook when external OIDC is enabled?
122
- // it seems like the worst case scenario is that this logs an error if a connection
123
- // is not able to happen and returns true. In theory could wrap the connection check with a pre-check
124
- // that just returns true if authentication type is OIDC.
125
124
genericConfig .AddPostStartHookOrDie ("openshift.io-oauth-apiserver-reachable" , func (context genericapiserver.PostStartHookContext ) error {
125
+ authnCache := authncache .NewAuthnCache (openshiftInformers .OpenshiftConfigInformers .Config ().V1 ().Authentications ())
126
+ err := wait .PollImmediate (1 * time .Second , 10 * time .Second , func () (bool , error ) {
127
+ return authnCache .HasSynced (), nil
128
+ })
129
+ if err == nil {
130
+ auth , err := authnCache .Authn ()
131
+ if err == nil && auth != nil {
132
+ if auth .Spec .Type == configv1 .AuthenticationTypeOIDC {
133
+ // skip the oauthAPIServiceReachabilityCheck if OIDC
134
+ // has been configured since the oauth apiserver will be down.
135
+ return nil
136
+ }
137
+ }
138
+ }
139
+
126
140
go oauthAPIServiceReachabilityCheck .checkForConnection (context )
127
141
return nil
128
142
})
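Review bot: Both failure paths in the new post-start hook body are silent: when `wait.PollImmediate` times out the hook falls through to `oauthAPIServiceReachabilityCheck.checkForConnection` without recording that the Authentication informer never synced, and `auth, err := authnCache.Authn()` shadows the outer `err`, so an `Authn()` error is dropped as well; on an OIDC cluster that means the check is started anyway and an operator only sees the downstream connection errors, not the reason. I would collapse the nested `if err == nil` blocks into guard clauses and log the reason on each fall-through before starting the check; a comment such as `// fall through on any failure: a reachability check that may log spurious errors is safer than skipping it` documents the fail-safe choice. Separately, `wait.PollImmediate` is deprecated in apimachinery in favour of `wait.PollUntilContextTimeout`, which would also let the 10 s wait observe the hook's stop signal; whether `context` here exposes a `context.Context` cannot be seen in this hunk, and note that the poll blocks this hook for up to 10 s when the cache is slow to sync, which presumably delays the server's readiness. The enclosing function `OpenShiftKubeAPIServerConfigPatch` starts and ends outside the hunk.
```go
genericConfig.AddPostStartHookOrDie("openshift.io-oauth-apiserver-reachable", func(context genericapiserver.PostStartHookContext) error {
	authnCache := authncache.NewAuthnCache(openshiftInformers.OpenshiftConfigInformers.Config().V1().Authentications())
	// fall through on any failure: a reachability check that may log spurious
	// errors is safer than skipping it.
	if err := wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) {
		return authnCache.HasSynced(), nil
	}); err != nil {
		// log err here: authentication informer did not sync (the file's logger is outside this hunk)
	} else if auth, err := authnCache.Authn(); err != nil {
		// log err here: reading authentication config failed
	} else if auth != nil && auth.Spec.Type == configv1.AuthenticationTypeOIDC {
		// OIDC is configured, so the oauth apiserver is expected to be down.
		return nil
	}
	// … unchanged: start reachability check and return nil …
```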