-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth: reregister auth providers #60334
Conversation
/retest |
@@ -37,6 +37,9 @@ import ( | |||
schedulinginternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/scheduling/internalversion" | |||
settingsinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/settings/internalversion" | |||
storageinternalversion "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/storage/internalversion" | |||
|
|||
// Import solely to initialize client auth plugins. | |||
_ "k8s.io/client-go/plugin/pkg/client/auth" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Import where it's needed, not here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, yeah, in the mains of the components that need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or from the code that constructs auth providers. Not sure we want non-uniform handling of auth providers from loaded kubeconfig files using client-go
Our options are in the mains like we have here or in "k8s.io/client-go/rest" which actually retrieves the transport. |
Where we build the auth providers from the config would make the most sense to me. |
@liggitt in "k8s.io/client-go/tools/clientcmd"? |
@liggitt wants consistent handling of kubeconfig so he's recommending registering auth providers in clientcmd. Binaries can still construct raw rest.Configs and not import the auth providers. |
/test pull-kubernetes-e2e-gke |
@liggitt moving this to clientcmd adds a ton of dependencies to staging repos. Is this better than registering auth providers in mains? |
All of those dependencies already exist in client-go, and were pulled down on clone, right? The listing in godep files is annoying, but I don't actually think it bothers me that much. @lavalamp and @deads2k can weigh in. I keep coming back to when I would want kubeconfig loading via clientcmd to behave inconsistently, and I can't think of a time I'd want that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
That depends on how your vendoring tool worked. Ones like glide walk packages back to find repo dependencies. As an example, before this pull, depending on clientcmd would not pull in azure. Now it would. Pulling in azure brings with it the risk of conflicting levels of dependencies. Because we (and many other libraries) leak dependent packages through their interfaces, you have to vendor with "strip-vendor". Doing that with conflicting levels of Azure (or its transitives) produces a vendoring mess that can make it impossible to use the library. The short version is that golang dependency management is a mess and this makes it noticeably worse. I don't like any of the options. Does anyone want to make a case for why someone who didn't care about the plugin should be forced to resolve conflicting level problems? |
Ok. We can just register in kubectl for now. Long-term, the externalized exec auth provider will be recommended, and could conceivably be added by default, since it likely has a much smaller dependency impact.
only kubectl packages imported that client, so I'd only expect that command to have been affected |
Fixes: 5d721bf That PR unregistered auth providers for kubectl and probably elsewhere.
/lgtm Unhold at will |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mikedanese, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-kubernetes-e2e-gke |
/retest Review the full test history for this PR. Silence the bot with an |
/retest |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Alternatively we can register this in the mains of most (or all) components.
Fixes GKE e2es
Fixes: 5d721bf
That PR unregistered auth providers for kubectl and probably elsewhere.