// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package envtest
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"flag"
"fmt"
"io"
"net"
"net/http"
"net/url"
"os"
"os/exec"
"path/filepath"
"strconv"
"time"
"github.com/onsi/gomega/gexec"
"github.com/spf13/pflag"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/discovery"
"k8s.io/client-go/restmapper"
"k8s.io/klog/v2"
apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/envtest"
apiserverapp "github.com/gardener/gardener/cmd/gardener-apiserver/app"
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
operationsv1alpha1 "github.com/gardener/gardener/pkg/apis/operations/v1alpha1"
seedmanagementv1alpha1 "github.com/gardener/gardener/pkg/apis/seedmanagement/v1alpha1"
settingsv1alpha1 "github.com/gardener/gardener/pkg/apis/settings/v1alpha1"
"github.com/gardener/gardener/pkg/apiserver"
"github.com/gardener/gardener/pkg/apiserver/features"
"github.com/gardener/gardener/pkg/client/kubernetes"
"github.com/gardener/gardener/pkg/utils/kubernetes/health"
"github.com/gardener/gardener/pkg/utils/retry"
"github.com/gardener/gardener/pkg/utils/secrets"
)
const (
	// envGardenerAPIServerBin names the environment variable that points to a pre-built
	// gardener-apiserver binary; when set, it overrides GardenerAPIServer.Path.
	envGardenerAPIServerBin = "TEST_ASSET_GARDENER_APISERVER"
	// waitPollInterval is the interval between successive health, availability and discovery polls.
	waitPollInterval = 100 * time.Millisecond
)
// GardenerAPIServer knows how to start, register and stop a temporary gardener-apiserver instance.
//
// Start fills in the unexported, derived state (caCert, listenURL, terminateFunc, exited) and
// Stop tears the instance down again; the zero value is not usable before Start has run.
type GardenerAPIServer struct {
	// EtcdURL is the etcd URL that the APIServer should connect to (defaults to the URL of the envtest etcd).
	// Start returns an error if it is still nil.
	EtcdURL *url.URL
	// CertDir is a path to a directory containing whatever certificates the APIServer needs.
	// If left unspecified, then Start will create a temporary directory and generate the needed
	// certs and Stop will clean it up.
	CertDir string
	// Path is the path to the gardener-apiserver binary, can be set via TEST_ASSET_GARDENER_APISERVER.
	// If Path is unset, gardener-apiserver will be started in-process.
	// The environment variable takes precedence over a Path set in code.
	Path string
	// SecurePort is the secure port that the APIServer should listen on.
	// If this is not specified, we default to a random free port on localhost.
	SecurePort int
	// Args is a list of arguments which will passed to the APIServer binary.
	// If not specified, the minimal set of arguments to run the APIServer will
	// be used. Start prepends the minimal set in front of any Args given here.
	Args []string
	// StartTimeout, StopTimeout specify the time the APIServer is allowed to
	// take when starting and stopping before an error is emitted.
	// If not specified, these default to 20 seconds.
	StartTimeout time.Duration
	StopTimeout  time.Duration
	// Out, Err specify where APIServer should write its StdOut, StdErr to.
	// If not specified, the output will be discarded.
	Out io.Writer
	Err io.Writer
	// HealthCheckEndpoint is the path of the healthcheck endpoint (defaults to "/healthz").
	// It will be polled until receiving http.StatusOK (or StartTimeout occurs), before
	// returning from Start. It is also the only path exempted from authorization
	// (--authorization-always-allow-paths).
	HealthCheckEndpoint string

	// caCert is the certificate of the CA that signed the GardenerAPIServer's serving cert.
	// It is only set when Start generated the certificates itself.
	caCert *secrets.Certificate
	// user is used to setup and register the GardenerAPIServer with the envtest kube-apiserver.
	user *envtest.AuthenticatedUser
	// listenURL is the URL we end up listening on.
	listenURL *url.URL
	// terminateFunc holds a func that will terminate this GardenerAPIServer.
	terminateFunc func()
	// exited is a channel that will be closed, when this GardenerAPIServer exits.
	exited chan struct{}
}
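// Start brings up the GardenerAPIServer, waits for it to be healthy and registers Gardener's APIs.
//
// It returns an error when the settings cannot be defaulted (see defaultSettings), the server
// cannot be launched, it does not become healthy within StartTimeout, or its APIs cannot be
// registered within the same deadline. Once the server has been launched, any later failure
// stops it again so that no process, goroutine or temporary directory is left behind.
func (g *GardenerAPIServer) Start() error {
	features.RegisterFeatureGates()

	if err := g.defaultSettings(); err != nil {
		return err
	}

	g.exited = make(chan struct{})

	var runErr error
	if g.Path != "" {
		runErr = g.runAPIServerBinary()
	} else {
		runErr = g.runAPIServerInProcess()
	}
	if runErr != nil {
		return runErr
	}

	startCtx, cancel := context.WithTimeout(context.Background(), g.StartTimeout)
	defer cancel()

	// TODO: retry starting GardenerAPIServer on failure
	// waitUntilHealthy stops the server itself when it does not get healthy in time.
	if err := g.waitUntilHealthy(startCtx); err != nil {
		return fmt.Errorf("gardener-apiserver didn't get healthy: %w", err)
	}

	log.V(1).Info("Registering Gardener APIs")
	if err := g.registerGardenerAPIs(startCtx); err != nil {
		// mirror waitUntilHealthy: a failed Start must not leave a running server behind
		if stopErr := g.Stop(); stopErr != nil {
			log.Error(stopErr, "Failed stopping gardener-apiserver")
		}
		return fmt.Errorf("failed registering Gardener APIs: %w", err)
	}

	return nil
}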
// runAPIServerBinary launches the pre-built gardener-apiserver binary at g.Path with g.Args and
// wires its stdout/stderr to g.Out/g.Err. terminateFunc asks the process to terminate and exited
// is closed once the process has gone away.
func (g *GardenerAPIServer) runAPIServerBinary() error {
	log.V(1).Info("Starting gardener-apiserver", "path", g.Path, "args", g.Args)

	session, err := gexec.Start(exec.Command(g.Path, g.Args...), g.Out, g.Err)
	if err != nil {
		return err
	}

	g.terminateFunc = func() { session.Terminate() }

	// relay the process exit to Stop via the exited channel
	go func() {
		<-session.Exited
		close(g.exited)
	}()

	return nil
}
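// runAPIServerInProcess starts gardener-apiserver as a goroutine inside the test process after
// parsing g.Args with the server's own flag set. terminateFunc cancels the server's context and
// exited is closed once opts.Run returns.
//
// All klog output (and thereby also the output of client-go and other libs used by the tested
// code) is redirected to g.Err, so such logs are only shown when tests are run with
// KUBEBUILDER_ATTACH_CONTROL_PLANE_OUTPUT=true or Err is explicitly set.
//
// Flag-parsing and validation errors are returned to the caller; terminateFunc is only set once
// the server goroutine actually runs, so a Stop after a failed start has nothing to wait for.
func (g *GardenerAPIServer) runAPIServerInProcess() error {
	opts := apiserverapp.NewOptions()

	// Arrange all the flags. ContinueOnError makes parse failures reach the error check below
	// instead of pflag terminating the whole test binary via os.Exit.
	flagSet := flag.NewFlagSet("gardener-apiserver", flag.ContinueOnError)
	klog.InitFlags(flagSet)
	pflagSet := pflag.NewFlagSet("gardener-apiserver", pflag.ContinueOnError)
	opts.AddFlags(pflagSet)
	pflagSet.AddGoFlagSet(flagSet)

	if g.Err == nil {
		// a nil writer causes klog to panic
		g.Err = io.Discard
	}
	// --logtostderr defaults to true, which will cause klog to log to stderr even if we set a different output writer
	g.Args = append(g.Args, "--logtostderr=false")
	klog.SetOutput(g.Err)

	log.V(1).Info("Starting gardener-apiserver", "args", g.Args)
	if err := pflagSet.Parse(g.Args); err != nil {
		return fmt.Errorf("parsing gardener-apiserver flags: %w", err)
	}
	if err := opts.Validate(); err != nil {
		return fmt.Errorf("validating gardener-apiserver options: %w", err)
	}

	ctx, cancel := context.WithCancel(context.Background())
	g.terminateFunc = cancel

	go func() {
		if err := opts.Run(ctx); err != nil {
			log.Error(err, "gardener-apiserver exited with error")
		}
		close(g.exited)
	}()

	return nil
}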
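// defaultSettings applies defaults to this GardenerAPIServer's settings and computes the derived
// values Start needs (listen URL, kubeconfig file and the baseline Args).
//
// It returns an error when EtcdURL is unset, the self-signed serving certificate cannot be
// generated, the binary at Path (or TEST_ASSET_GARDENER_APISERVER) does not exist, no free port
// can be found, localhost cannot be resolved, or the kubeconfig file cannot be written.
func (g *GardenerAPIServer) defaultSettings() error {
	if g.EtcdURL == nil {
		return errors.New("expected EtcdURL to be configured")
	}

	// StartTimeout/StopTimeout are documented to default to 20 seconds; left at zero, the start
	// context would expire immediately and Stop would report a timeout right away.
	const defaultTimeout = 20 * time.Second
	if g.StartTimeout == 0 {
		g.StartTimeout = defaultTimeout
	}
	if g.StopTimeout == 0 {
		g.StopTimeout = defaultTimeout
	}

	if g.CertDir == "" {
		// self-signed serving cert; its CA is trusted by the health check client and handed to the
		// kube-apiserver as APIService caBundle. caCert is only set on this path, which is how Stop
		// knows the directory is ours to remove.
		_, ca, dir, err := secrets.SelfGenerateTLSServerCertificate("gardener-apiserver",
			[]string{"localhost", "gardener-apiserver.kube-system.svc"}, []net.IP{net.ParseIP("127.0.0.1")})
		if err != nil {
			return err
		}
		g.CertDir = dir
		g.caCert = ca
	}

	if binPath := os.Getenv(envGardenerAPIServerBin); binPath != "" {
		g.Path = binPath
	}
	if g.Path != "" {
		if _, err := os.Stat(g.Path); err != nil {
			return fmt.Errorf("failed checking for gardener-apiserver binary under %q: %w", g.Path, err)
		}
		log.V(1).Info("Using pre-built gardener-apiserver test binary", "path", g.Path)
	}

	if g.SecurePort == 0 {
		port, _, err := suggestPort("")
		if err != nil {
			return err
		}
		g.SecurePort = port
	}

	// resolve localhost IP (pin to IPv4)
	addr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort("localhost", "0"))
	if err != nil {
		return err
	}
	bindIP := addr.IP.String()

	g.listenURL = &url.URL{
		Scheme: "https",
		Host:   net.JoinHostPort(bindIP, strconv.Itoa(g.SecurePort)),
	}

	if g.HealthCheckEndpoint == "" {
		g.HealthCheckEndpoint = "/healthz"
	}

	kubeconfigFile, err := g.prepareKubeconfigFile()
	if err != nil {
		return err
	}

	// baseline flags go first, caller-supplied Args follow; only the health check path is
	// reachable without authorization
	g.Args = append([]string{
		"--bind-address=" + bindIP,
		"--etcd-servers=" + g.EtcdURL.String(),
		"--tls-cert-file=" + filepath.Join(g.CertDir, "tls.crt"),
		"--tls-private-key-file=" + filepath.Join(g.CertDir, "tls.key"),
		"--secure-port=" + strconv.Itoa(g.SecurePort),
		"--cluster-identity=envtest",
		"--authorization-always-allow-paths=" + g.HealthCheckEndpoint,
		"--authentication-kubeconfig=" + kubeconfigFile,
		"--authorization-kubeconfig=" + kubeconfigFile,
		"--kubeconfig=" + kubeconfigFile,
	}, g.Args...)

	return nil
}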
// prepareKubeconfigFile marshals the test environment's rest config to a kubeconfig file in the
// CertDir and returns its path. The file carries the envtest user's credentials, hence it is
// written owner-readable only.
func (g *GardenerAPIServer) prepareKubeconfigFile() (string, error) {
	content, err := g.user.KubeConfig()
	if err != nil {
		return "", err
	}

	path := filepath.Join(g.CertDir, "kubeconfig.yaml")
	if writeErr := os.WriteFile(path, content, 0600); writeErr != nil {
		return path, writeErr
	}
	return path, nil
}
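// waitUntilHealthy polls the HealthCheckEndpoint over TLS until it returns 200 or ctx expires.
//
// The connection is verified against the CA that signed the server's serving certificate
// (g.caCert), so the self-signed setup needs no InsecureSkipVerify. When the server does not get
// healthy in time, it is stopped before the error is returned.
func (g *GardenerAPIServer) waitUntilHealthy(ctx context.Context) error {
	// setup secure http client that trusts only our CA
	certPool := x509.NewCertPool()
	certPool.AppendCertsFromPEM(g.caCert.CertificatePEM)
	transport := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: certPool}}
	defer transport.CloseIdleConnections()
	httpClient := &http.Client{Transport: transport}

	// work on a copy so that the shared g.listenURL is not mutated
	healthCheckURL := *g.listenURL
	healthCheckURL.Path = g.HealthCheckEndpoint
	healthCheckAddr := healthCheckURL.String()

	err := retry.Until(ctx, waitPollInterval, func(ctx context.Context) (bool, error) {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, healthCheckAddr, nil)
		if err != nil {
			return retry.MinorError(err)
		}
		res, err := httpClient.Do(req)
		if err != nil {
			return retry.MinorError(err)
		}
		// drain and close so the connection can be reused by the next poll
		_, _ = io.Copy(io.Discard, res.Body)
		_ = res.Body.Close()

		if res.StatusCode != http.StatusOK {
			return retry.MinorError(fmt.Errorf("health check %s returned status %d", healthCheckAddr, res.StatusCode))
		}
		log.V(1).Info("gardener-apiserver got healthy")
		return retry.Ok()
	})
	if err != nil {
		if stopErr := g.Stop(); stopErr != nil {
			log.Error(stopErr, "Failed stopping gardener-apiserver")
		}
	}

	return err
}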
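// registerGardenerAPIs registers GardenerAPIServer's APIs in the test environment and waits for them to be discoverable.
//
// It creates an ExternalName Service in kube-system pointing at localhost, one APIService per
// GroupVersion in apiserver.AllGardenerAPIGroupVersions (carrying the self-signed CA as
// caBundle), and then waits, in this order, for the APIServices to pass health.CheckAPIService,
// for discovery to list at least one resource per GroupVersion, and for list requests against a
// sample of the APIs to succeed. Every wait is bounded by ctx.
func (g *GardenerAPIServer) registerGardenerAPIs(ctx context.Context) error {
	c, err := client.New(g.user.Config(), client.Options{Scheme: kubernetes.GardenScheme})
	if err != nil {
		return err
	}

	// create ExternalName service pointing to localhost
	service := &corev1.Service{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "gardener-apiserver",
			Namespace: metav1.NamespaceSystem,
		},
		Spec: corev1.ServiceSpec{
			Type:         corev1.ServiceTypeExternalName,
			ExternalName: "localhost",
		},
	}
	if err := c.Create(ctx, service); err != nil {
		return err
	}

	allAPIServices, err := g.createGardenerAPIServices(ctx, c, service)
	if err != nil {
		return err
	}

	if err := g.waitUntilAPIServicesAvailable(ctx, c, allAPIServices); err != nil {
		return err
	}

	if err := g.waitUntilAPIsDiscoverable(ctx); err != nil {
		return err
	}

	return g.waitUntilAPIsListable(ctx, c)
}

// createGardenerAPIServices creates one APIService per Gardener API GroupVersion, all backed by svc,
// and returns the created objects.
func (g *GardenerAPIServer) createGardenerAPIServices(ctx context.Context, c client.Client, svc *corev1.Service) ([]*apiregistrationv1.APIService, error) {
	allAPIServices := make([]*apiregistrationv1.APIService, 0, len(apiserver.AllGardenerAPIGroupVersions))
	for _, gv := range apiserver.AllGardenerAPIGroupVersions {
		apiService := g.apiServiceForSchemeGroupVersion(svc, gv)
		if err := c.Create(ctx, apiService); err != nil {
			return nil, err
		}
		allAPIServices = append(allAPIServices, apiService)
	}
	return allAPIServices, nil
}

// waitUntilAPIServicesAvailable polls until every given APIService passes health.CheckAPIService.
// The objects are refreshed in place on each poll.
func (g *GardenerAPIServer) waitUntilAPIServicesAvailable(ctx context.Context, c client.Client, apiServices []*apiregistrationv1.APIService) error {
	return retry.Until(ctx, waitPollInterval, func(ctx context.Context) (bool, error) {
		for _, apiService := range apiServices {
			if err := c.Get(ctx, client.ObjectKeyFromObject(apiService), apiService); err != nil {
				return retry.MinorError(err)
			}
			if err := health.CheckAPIService(apiService); err != nil {
				return retry.MinorError(err)
			}
		}
		log.V(1).Info("All Gardener APIServices available")
		return retry.Ok()
	})
}

// waitUntilAPIsDiscoverable polls discovery until every Gardener API GroupVersion lists at least
// one resource; otherwise the rest mapper will return no match errors shortly after registering
// gardener-apiserver. A GroupVersion counts as discovered once it has been seen in any poll.
func (g *GardenerAPIServer) waitUntilAPIsDiscoverable(ctx context.Context) error {
	discoveryClient, err := discovery.NewDiscoveryClientForConfig(g.user.Config())
	if err != nil {
		return err
	}

	undiscoverable := make(sets.Set[string], len(apiserver.AllGardenerAPIGroupVersions))
	for _, gv := range apiserver.AllGardenerAPIGroupVersions {
		undiscoverable.Insert(gv.String())
	}

	return retry.Until(ctx, waitPollInterval, func(_ context.Context) (bool, error) {
		apiGroupResources, err := restmapper.GetAPIGroupResources(discoveryClient)
		if err != nil {
			return retry.MinorError(err)
		}
		for _, apiGroup := range apiGroupResources {
			for apiVersion, resources := range apiGroup.VersionedResources {
				if len(resources) > 0 {
					undiscoverable.Delete(apiGroup.Group.Name + "/" + apiVersion)
				}
			}
		}
		if undiscoverable.Len() > 0 {
			return retry.MinorError(fmt.Errorf("the following Gardener API GroupVersions are not discoverable: %v", sets.List(undiscoverable)))
		}
		log.V(1).Info("All Gardener APIs discoverable")
		return retry.Ok()
	})
}

// waitUntilAPIsListable polls until a limited list request succeeds for a sample of Gardener API kinds.
//
// This ensures that we can really list objects in the Gardener API: after
// https://github.com/kubernetes/kubernetes/pull/119824 (first available in v0.28.3), we have seen
// that GAPI sometimes fails to communicate with etcd even if we have passed all prior checks, see
// https://github.com/gardener/gardener/pull/8666
// TODO: Revisit this once sigs.k8s.io/controller-runtime has upgraded their envtest version to v1.28.3+ (currently,
// only v1.28.0 is used, hence the kube-apiserver does not yet suffer from the same issue).
func (g *GardenerAPIServer) waitUntilAPIsListable(ctx context.Context, c client.Client) error {
	sampleListKinds := []schema.GroupVersionKind{
		gardencorev1beta1.SchemeGroupVersion.WithKind("ShootList"),
		operationsv1alpha1.SchemeGroupVersion.WithKind("BastionList"),
		seedmanagementv1alpha1.SchemeGroupVersion.WithKind("ManagedSeedList"),
		settingsv1alpha1.SchemeGroupVersion.WithKind("OpenIDConnectPresetList"),
	}

	return retry.Until(ctx, waitPollInterval, func(ctx context.Context) (bool, error) {
		for _, gvk := range sampleListKinds {
			objList := &metav1.PartialObjectMetadataList{}
			objList.SetGroupVersionKind(gvk)
			if err := c.List(ctx, objList, client.Limit(1)); err != nil {
				return retry.MinorError(err)
			}
			log.V(1).Info("Listing resources is possible", "gvk", gvk)
		}
		return retry.Ok()
	})
}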
// apiServiceForSchemeGroupVersion builds the APIService that makes the kube-apiserver aggregation
// layer forward gv to svc on SecurePort, trusting the CA that signed our serving certificate.
func (g *GardenerAPIServer) apiServiceForSchemeGroupVersion(svc *corev1.Service, gv schema.GroupVersion) *apiregistrationv1.APIService {
	port := int32(g.SecurePort)

	spec := apiregistrationv1.APIServiceSpec{
		Service: &apiregistrationv1.ServiceReference{
			Name:      svc.Name,
			Namespace: svc.Namespace,
			Port:      &port,
		},
		Group:                gv.Group,
		Version:              gv.Version,
		GroupPriorityMinimum: 100,
		VersionPriority:      100,
		// the aggregator verifies our self-signed serving cert against this bundle
		CABundle: g.caCert.CertificatePEM,
	}

	apiService := &apiregistrationv1.APIService{}
	apiService.Name = apiServiceNameForSchemeGroupVersion(gv)
	apiService.Spec = spec
	return apiService
}
// apiServiceNameForSchemeGroupVersion returns the APIService name for gv in the canonical
// "<version>.<group>" form.
func apiServiceNameForSchemeGroupVersion(gv schema.GroupVersion) string {
	return fmt.Sprintf("%s.%s", gv.Version, gv.Group)
}
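// Stop stops this GardenerAPIServer and cleans its temporary resources.
//
// It signals the server to terminate, waits up to StopTimeout for it to exit, and removes the
// CertDir if Start generated it (indicated by caCert being set); a CertDir supplied by the
// caller is left untouched. Stop on an instance that was never started is a no-op. All errors
// encountered are aggregated.
func (g *GardenerAPIServer) Stop() error {
	var errList []error

	// trigger stop procedure
	if g.terminateFunc != nil {
		g.terminateFunc()

		timer := time.NewTimer(g.StopTimeout)
		defer timer.Stop()
		select {
		case <-g.exited:
		case <-timer.C:
			errList = append(errList, errors.New("timeout waiting for gardener-apiserver to stop"))
		}
	}

	// cleanup temp dirs: caCert is only set when defaultSettings generated CertDir itself
	if g.CertDir != "" && g.caCert != nil {
		if err := os.RemoveAll(g.CertDir); err != nil {
			errList = append(errList, err)
		}
	}

	return utilerrors.NewAggregate(errList)
}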