
Commit 2ed95e1

committed
skip oauth-apiserver conection check if authentication mode is OIDC
Signed-off-by: everettraven <[email protected]>
1 parent 9a06f9d commit 2ed95e1


1 file changed

+18
-4
lines changed

1 file changed

+18
-4
lines changed

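--- a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
+++ b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
@@ -4,6 +4,7 @@ import (
 "os"
 "time"
 
+configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy"
 "github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagereferencemutators"
 "github.com/openshift/apiserver-library-go/pkg/admission/quota/clusterresourcequota"
@@ -21,13 +22,15 @@ import (
 "github.com/openshift/library-go/pkg/apiserver/admission/admissionrestconfig"
 "github.com/openshift/library-go/pkg/apiserver/apiserverconfig"
 "github.com/openshift/library-go/pkg/quota/clusterquotamapping"
+"k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/admission"
 "k8s.io/apiserver/pkg/quota/v1/generic"
 genericapiserver "k8s.io/apiserver/pkg/server"
 clientgoinformers "k8s.io/client-go/informers"
 corev1informers "k8s.io/client-go/informers/core/v1"
 "k8s.io/client-go/rest"
 "k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers"
+"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/authncache"
 "k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managednode"
 "k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managementcpusoverride"
 "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
@@ -118,11 +121,22 @@ func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, k
 go openshiftAPIServiceReachabilityCheck.checkForConnection(context)
 return nil
 })
-// TODO: Should we skip this post start hook when external OIDC is enabled?
-// it seems like the worst case scenario is that this logs an error if a connection
-// is not able to happen and returns true. In theory could wrap the connection check with a pre-check
-// that just returns true if authentication type is OIDC.
 genericConfig.AddPostStartHookOrDie("openshift.io-oauth-apiserver-reachable", func(context genericapiserver.PostStartHookContext) error {
+authnCache := authncache.NewAuthnCache(openshiftInformers.OpenshiftConfigInformers.Config().V1().Authentications())
+err := wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) {
+return authnCache.HasSynced(), nil
+})
+if err == nil {
+auth, err := authnCache.Authn()
+if err == nil && auth != nil {
+if auth.Spec.Type == configv1.AuthenticationTypeOIDC {
+// skip the oauthAPIServiceReachabilityCheck if OIDC
+// has been configured since the oauth apiserver will be down.
+return nil
+}
+}
+}
+
 go oauthAPIServiceReachabilityCheck.checkForConnection(context)
 return nil
 })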
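Review bot: The errors from `wait.PollImmediate` and `authnCache.Authn()` in the new post-start hook body are dropped silently, so when the Authentication informer does not sync within the 10s budget or the lookup fails, the hook falls through to the connection check with no trace of why the OIDC short-circuit did not apply. Keeping the fail-open fallback is reasonable, but a warning such as `klog.Warningf("could not determine authentication type, running oauth-apiserver reachability check: %v", err)` (using whichever logger this file already imports) would make that path observable to operators. The inner `auth, err := authnCache.Authn()` also shadows the outer `err` declared by the poll; renaming it to `auth, authErr := authnCache.Authn()` avoids the shadow and makes the two failure points distinguishable. Note also that this hook now blocks for up to 10s waiting for cache sync before launching the goroutine, whereas the sibling hook above returns immediately; if that delay matters for startup, the sync wait could move inside the goroutine. The enclosing function OpenShiftKubeAPIServerConfigPatch starts before this hunk.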
