Allow authenticator to return post start hooks

enj · enj · commit f27d9470a766 · 2017-12-05T17:15:18.000-05:00
This change allows the authenticator to return post start hooks that
can be used to set up any infrastructure the authenticator needs.
It also makes sure that these resources are properly cleaned up when
the post start hooks are stopped.

Signed-off-by: Monis Khan &lt;mkhan@redhat.com&gt;
diff --git a/pkg/cmd/server/origin/authenticator.go b/pkg/cmd/server/origin/authenticator.go
@@ -15,6 +15,7 @@ import (
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
 	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
+	genericapiserver "k8s.io/apiserver/pkg/server"
 	kclientsetexternal "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/cert"
 	sacontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
@@ -37,26 +38,26 @@ func NewAuthenticator(
 	options configapi.MasterConfig,
 	privilegedLoopbackConfig *rest.Config,
 	informers InformerAccess,
-) (authenticator.Request, error) {
+) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {
 	kubeExternalClient, err := kclientsetexternal.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	oauthClient, err := oauthclient.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	userClient, err := userclient.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// this is safe because the server does a quorum read and we're hitting a "magic" authorizer to get permissions based on system:masters
 	// once the cache is added, we won't be paying a double hop cost to etcd on each request, so the simplification will help.
 	serviceAccountTokenGetter := sacontroller.NewGetterFromClient(kubeExternalClient)
 	apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	return newAuthenticator(
@@ -69,7 +70,8 @@ func NewAuthenticator(
 	)
 }
 
-func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {
+func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {
+	postStartHooks := map[string]genericapiserver.PostStartHookFunc{}
 	authenticators := []authenticator.Request{}
 	tokenAuthenticators := []authenticator.Token{}
 
@@ -79,7 +81,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 		for _, keyFile := range config.ServiceAccountConfig.PublicKeyFiles {
 			readPublicKeys, err := cert.PublicKeysFromFile(keyFile)
 			if err != nil {
-				return nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)
+				return nil, nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)
 			}
 			publicKeys = append(publicKeys, readPublicKeys...)
 		}
@@ -134,7 +136,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,
 		)
 		if err != nil {
-			return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
+			return nil, nil, fmt.Errorf("Error building front proxy auth config: %v", err)
 		}
 		topLevelAuthenticators = append(topLevelAuthenticators, union.New(requestHeaderAuthenticator, resultingAuthenticator))
 
@@ -144,5 +146,5 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 	}
 	topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
 
-	return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), nil
+	return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), postStartHooks, nil
 }
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -136,7 +136,7 @@ func BuildMasterConfig(
 
 	kubeletClientConfig := configapi.GetKubeletClientConfig(options)
 
-	authenticator, err := NewAuthenticator(options, privilegedLoopbackConfig, informers)
+	authenticator, authenticatorPostStartHooks, err := NewAuthenticator(options, privilegedLoopbackConfig, informers)
 	if err != nil {
 		return nil, err
 	}
@@ -206,6 +206,10 @@ func BuildMasterConfig(
 		SecurityInformers:      informers.GetSecurityInformers(),
 	}
 
+	for name, hook := range authenticatorPostStartHooks {
+		config.additionalPostStartHooks[name] = hook
+	}
+
 	// ensure that the limit range informer will be started
 	informer := config.InternalKubeInformers.Core().InternalVersion().LimitRanges().Informer()
 	config.LimitVerifier = imageadmission.NewLimitVerifier(imageadmission.LimitRangesForNamespaceFunc(func(ns string) ([]*kapi.LimitRange, error) {

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ import (`
`15`	`15`	`x509request "k8s.io/apiserver/pkg/authentication/request/x509"`
`16`	`16`	`tokencache "k8s.io/apiserver/pkg/authentication/token/cache"`
`17`	`17`	`tokenunion "k8s.io/apiserver/pkg/authentication/token/union"`
	`18`	`+ genericapiserver "k8s.io/apiserver/pkg/server"`
`18`	`19`	`kclientsetexternal "k8s.io/client-go/kubernetes"`
`19`	`20`	`"k8s.io/client-go/util/cert"`
`20`	`21`	`sacontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"`
`@@ -37,26 +38,26 @@ func NewAuthenticator(`
`37`	`38`	`options configapi.MasterConfig,`
`38`	`39`	`privilegedLoopbackConfig *rest.Config,`
`39`	`40`	`informers InformerAccess,`
`40`		`-) (authenticator.Request, error) {`
	`41`	`+) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {`
`41`	`42`	`kubeExternalClient, err := kclientsetexternal.NewForConfig(privilegedLoopbackConfig)`
`42`	`43`	`if err != nil {`
`43`		`- return nil, err`
	`44`	`+ return nil, nil, err`
`44`	`45`	`}`
`45`	`46`	`oauthClient, err := oauthclient.NewForConfig(privilegedLoopbackConfig)`
`46`	`47`	`if err != nil {`
`47`		`- return nil, err`
	`48`	`+ return nil, nil, err`
`48`	`49`	`}`
`49`	`50`	`userClient, err := userclient.NewForConfig(privilegedLoopbackConfig)`
`50`	`51`	`if err != nil {`
`51`		`- return nil, err`
	`52`	`+ return nil, nil, err`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`// this is safe because the server does a quorum read and we're hitting a "magic" authorizer to get permissions based on system:masters`
`55`	`56`	`// once the cache is added, we won't be paying a double hop cost to etcd on each request, so the simplification will help.`
`56`	`57`	`serviceAccountTokenGetter := sacontroller.NewGetterFromClient(kubeExternalClient)`
`57`	`58`	`apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)`
`58`	`59`	`if err != nil {`
`59`		`- return nil, err`
	`60`	`+ return nil, nil, err`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`return newAuthenticator(`
`@@ -69,7 +70,8 @@ func NewAuthenticator(`
`69`	`70`	`)`
`70`	`71`	`}`
`71`	`72`
`72`		`-func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {`
	`73`	`+func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {`
	`74`	`+ postStartHooks := map[string]genericapiserver.PostStartHookFunc{}`
`73`	`75`	`authenticators := []authenticator.Request{}`
`74`	`76`	`tokenAuthenticators := []authenticator.Token{}`
`75`	`77`
`@@ -79,7 +81,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie`
`79`	`81`	`for _, keyFile := range config.ServiceAccountConfig.PublicKeyFiles {`
`80`	`82`	`readPublicKeys, err := cert.PublicKeysFromFile(keyFile)`
`81`	`83`	`if err != nil {`
`82`		`- return nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)`
	`84`	`+ return nil, nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)`
`83`	`85`	`}`
`84`	`86`	`publicKeys = append(publicKeys, readPublicKeys...)`
`85`	`87`	`}`
`@@ -134,7 +136,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie`
`134`	`136`	`config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,`
`135`	`137`	`)`
`136`	`138`	`if err != nil {`
`137`		`- return nil, fmt.Errorf("Error building front proxy auth config: %v", err)`
	`139`	`+ return nil, nil, fmt.Errorf("Error building front proxy auth config: %v", err)`
`138`	`140`	`}`
`139`	`141`	`topLevelAuthenticators = append(topLevelAuthenticators, union.New(requestHeaderAuthenticator, resultingAuthenticator))`
`140`	`142`
`@@ -144,5 +146,5 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie`
`144`	`146`	`}`
`145`	`147`	`topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())`
`146`	`148`
`147`		`- return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), nil`
	`149`	`+ return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), postStartHooks, nil`
`148`	`150`	`}`