properly handle external kube proxy case

openshift · Apr 30, 2015 · 35c92da · 35c92da
1 parent bf86143
commit 35c92da
Show file tree

Hide file tree

Showing 9 changed files with 45 additions and 55 deletions.
diff --git a/pkg/cmd/server/admin/default_certs.go b/pkg/cmd/server/admin/default_certs.go
@@ -79,7 +79,6 @@ func DefaultAPIClientCerts(certDir string) []ClientCertInfo {
 	return []ClientCertInfo{
 		DefaultDeployerClientCertInfo(certDir),
 		DefaultOpenshiftLoopbackClientCertInfo(certDir),
-		DefaultKubeClientClientCertInfo(certDir),
 		DefaultClusterAdminClientCertInfo(certDir),
 		DefaultRouterClientCertInfo(certDir),
 		DefaultRegistryClientCertInfo(certDir),
@@ -133,17 +132,6 @@ func DefaultOpenshiftLoopbackClientCertInfo(certDir string) ClientCertInfo {
 	}
 }
 
-func DefaultKubeClientClientCertInfo(certDir string) ClientCertInfo {
-	return ClientCertInfo{
-		CertLocation: configapi.CertInfo{
-			CertFile: DefaultCertFilename(certDir, "kube-client"),
-			KeyFile:  DefaultKeyFilename(certDir, "kube-client"),
-		},
-		UnqualifiedUser: "kube-client",
-		User:            "system:kube-client",
-	}
-}
-
 func DefaultClusterAdminClientCertInfo(certDir string) ClientCertInfo {
 	return ClientCertInfo{
 		CertLocation: configapi.CertInfo{

diff --git a/pkg/cmd/server/api/helpers.go b/pkg/cmd/server/api/helpers.go
@@ -85,7 +85,7 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 
 	refs = append(refs, &config.MasterClients.DeployerKubeConfig)
 	refs = append(refs, &config.MasterClients.OpenShiftLoopbackKubeConfig)
-	refs = append(refs, &config.MasterClients.KubernetesKubeConfig)
+	refs = append(refs, &config.MasterClients.ExternalKubernetesKubeConfig)
 
 	refs = append(refs, &config.PolicyConfig.BootstrapPolicyFile)
 

diff --git a/pkg/cmd/server/api/types.go b/pkg/cmd/server/api/types.go
@@ -163,8 +163,8 @@ type MasterClients struct {
 	DeployerKubeConfig string
 	// OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master
 	OpenShiftLoopbackKubeConfig string
-	// KubernetesKubeConfig is a .kubeconfig filename for system components to communicate to kubernetes for building the proxy
-	KubernetesKubeConfig string
+	// ExternalKubernetesKubeConfig is a .kubeconfig filename for proxying to kubernetes
+	ExternalKubernetesKubeConfig string
 }
 
 type DNSConfig struct {

diff --git a/pkg/cmd/server/api/v1/types.go b/pkg/cmd/server/api/v1/types.go
@@ -161,8 +161,8 @@ type MasterClients struct {
 	DeployerKubeConfig string `json:"deployerKubeConfig"`
 	// OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master
 	OpenShiftLoopbackKubeConfig string `json:"openshiftLoopbackKubeConfig"`
-	// KubernetesKubeConfig is a .kubeconfig filename for system components to communicate to kubernetes for building the proxy
-	KubernetesKubeConfig string `json:"kubernetesKubeConfig"`
+	// ExternalKubernetesKubeConfig is a .kubeconfig filename for proxying to kubernetes
+	ExternalKubernetesKubeConfig string `json:"externalKubernetesKubeConfig"`
 }
 
 type DNSConfig struct {

diff --git a/pkg/cmd/server/api/validation/master.go b/pkg/cmd/server/api/validation/master.go
@@ -69,10 +69,16 @@ func ValidateMasterConfig(config *api.MasterConfig) fielderrors.ValidationErrorL
 	if config.KubernetesMasterConfig != nil {
 		allErrs = append(allErrs, ValidateKubernetesMasterConfig(config.KubernetesMasterConfig).Prefix("kubernetesMasterConfig")...)
 	}
+	if (config.KubernetesMasterConfig == nil) && (len(config.MasterClients.ExternalKubernetesKubeConfig) == 0) {
+		allErrs = append(allErrs, fielderrors.NewFieldInvalid("kubernetesMasterConfig", config.KubernetesMasterConfig, "either kubernetesMasterConfig or masterClients.externalKubernetesKubeConfig must have a value"))
+	}
 
 	allErrs = append(allErrs, ValidateKubeConfig(config.MasterClients.DeployerKubeConfig, "deployerKubeConfig").Prefix("masterClients")...)
 	allErrs = append(allErrs, ValidateKubeConfig(config.MasterClients.OpenShiftLoopbackKubeConfig, "openShiftLoopbackKubeConfig").Prefix("masterClients")...)
-	allErrs = append(allErrs, ValidateKubeConfig(config.MasterClients.KubernetesKubeConfig, "kubernetesKubeConfig").Prefix("masterClients")...)
+
+	if len(config.MasterClients.ExternalKubernetesKubeConfig) > 0 {
+		allErrs = append(allErrs, ValidateKubeConfig(config.MasterClients.ExternalKubernetesKubeConfig, "externalKubernetesKubeConfig").Prefix("masterClients")...)
+	}
 
 	allErrs = append(allErrs, ValidatePolicyConfig(config.PolicyConfig).Prefix("policyConfig")...)
 	if config.OAuthConfig != nil {

diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -841,7 +841,7 @@ func (c *MasterConfig) RunDeploymentImageChangeTriggerController() {
 // RouteAllocator returns a route allocation controller.
 func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController {
 	factory := routeallocationcontroller.RouteAllocationControllerFactory{
-		OSClient:   c.OSClient,
+		OSClient:   c.PrivilegedLoopbackOpenShiftClient,
 		KubeClient: c.KubeClient(),
 	}
 

diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -76,23 +76,20 @@ type MasterConfig struct {
 	// APIClientCAs is used to verify client certificates presented for API auth
 	APIClientCAs *x509.CertPool
 
-	// KubeClientConfig is the client configuration used to call Kubernetes APIs from system components.
+	// PrivilegedLoopbackClientConfig is the client configuration used to call OpenShift APIs from system components
 	// To apply different access control to a system component, create a client config specifically for that component.
-	KubeClientConfig kclient.Config
-	// OSClientConfig is the client configuration used to call OpenShift APIs from system components
-	// To apply different access control to a system component, create a client config specifically for that component.
-	OSClientConfig kclient.Config
-	// DeployerOSClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods
+	PrivilegedLoopbackClientConfig kclient.Config
+	// DeployerPrivilegedLoopbackClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods
 	DeployerOSClientConfig kclient.Config
 
 	// kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig.
 	// It should only be accessed via the *Client() helper methods.
 	// To apply different access control to a system component, create a separate client/config specifically for that component.
-	KubernetesClient *kclient.Client
-	// osClient is the client used to call OpenShift APIs from system components, built from OSClientConfig.
+	PrivilegedLoopbackKubernetesClient *kclient.Client
+	// osClient is the client used to call OpenShift APIs from system components, built from PrivilegedLoopbackClientConfig.
 	// It should only be accessed via the *Client() helper methods.
 	// To apply different access control to a system component, create a separate client/config specifically for that component.
-	OSClient *osclient.Client
+	PrivilegedLoopbackOpenShiftClient *osclient.Client
 }
 
 func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
@@ -114,11 +111,11 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 		return nil, err
 	}
 
-	kubeClient, kubeClientConfig, err := configapi.GetKubeClient(options.MasterClients.KubernetesKubeConfig)
+	privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
 	if err != nil {
 		return nil, err
 	}
-	openshiftClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
+	privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -138,7 +135,7 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 
 	// in-order list of plug-ins that should intercept admission decisions (origin only intercepts)
 	admissionControlPluginNames := []string{"OriginNamespaceLifecycle"}
-	admissionController := admission.NewFromPlugins(kubeClient, admissionControlPluginNames, "")
+	admissionController := admission.NewFromPlugins(privilegedLoopbackKubeClient, admissionControlPluginNames, "")
 
 	config := &MasterConfig{
 		Options: options,
@@ -148,7 +145,7 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 		AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
 
 		PolicyCache:               policyCache,
-		ProjectAuthorizationCache: newProjectAuthorizationCache(options.PolicyConfig.MasterAuthorizationNamespace, openshiftClient, kubeClient),
+		ProjectAuthorizationCache: newProjectAuthorizationCache(options.PolicyConfig.MasterAuthorizationNamespace, privilegedLoopbackOpenShiftClient, privilegedLoopbackKubeClient),
 
 		RequestContextMapper: requestContextMapper,
 
@@ -163,11 +160,10 @@ func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
 		ClientCAs:    clientCAs,
 		APIClientCAs: apiClientCAs,
 
-		KubeClientConfig:       *kubeClientConfig,
-		OSClientConfig:         *osClientConfig,
-		DeployerOSClientConfig: *deployerOSClientConfig,
-		OSClient:               openshiftClient,
-		KubernetesClient:       kubeClient,
+		DeployerOSClientConfig:             *deployerOSClientConfig,
+		PrivilegedLoopbackClientConfig:     *privilegedLoopbackClientConfig,
+		PrivilegedLoopbackOpenShiftClient:  privilegedLoopbackOpenShiftClient,
+		PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
 	}
 
 	return config, nil
@@ -240,7 +236,7 @@ func getEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) authenticator.Token
 
 // KubeClient returns the kubernetes client object
 func (c *MasterConfig) KubeClient() *kclient.Client {
-	return c.KubernetesClient
+	return c.PrivilegedLoopbackKubernetesClient
 }
 
 // PolicyClient returns the policy client object
@@ -249,49 +245,49 @@ func (c *MasterConfig) KubeClient() *kclient.Client {
 //  list, watch all policies in all namespaces
 //  create resourceAccessReviews in all namespaces
 func (c *MasterConfig) PolicyClient() *osclient.Client {
-	return c.OSClient
+	return c.PrivilegedLoopbackOpenShiftClient
 }
 
 // DeploymentClient returns the deployment client object
 func (c *MasterConfig) DeploymentClient() *kclient.Client {
-	return c.KubernetesClient
+	return c.PrivilegedLoopbackKubernetesClient
 }
 
 // DNSServerClient returns the DNS server client object
 // It must have the following capabilities:
 //   list, watch all services in all namespaces
 func (c *MasterConfig) DNSServerClient() *kclient.Client {
-	return c.KubernetesClient
+	return c.PrivilegedLoopbackKubernetesClient
 }
 
 // BuildLogClient returns the build log client object
 func (c *MasterConfig) BuildLogClient() *kclient.Client {
-	return c.KubernetesClient
+	return c.PrivilegedLoopbackKubernetesClient
 }
 
 // WebHookClient returns the webhook client object
 func (c *MasterConfig) WebHookClient() *osclient.Client {
-	return c.OSClient
+	return c.PrivilegedLoopbackOpenShiftClient
 }
 
 // BuildControllerClients returns the build controller client objects
 func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client) {
-	return c.OSClient, c.KubernetesClient
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 
 // ImageChangeControllerClient returns the openshift client object
 func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client {
-	return c.OSClient
+	return c.PrivilegedLoopbackOpenShiftClient
 }
 
 // ImageImportControllerClient returns the deployment client object
 func (c *MasterConfig) ImageImportControllerClient() *osclient.Client {
-	return c.OSClient
+	return c.PrivilegedLoopbackOpenShiftClient
 }
 
 // DeploymentControllerClients returns the deployment controller client object
 func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client) {
-	return c.OSClient, c.KubernetesClient
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 
 // DeployerClientConfig returns the client configuration a Deployer instance launched in a pod
@@ -301,20 +297,20 @@ func (c *MasterConfig) DeployerClientConfig() *kclient.Config {
 }
 
 func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client) {
-	return c.OSClient, c.KubernetesClient
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client) {
-	return c.OSClient, c.KubernetesClient
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client {
-	return c.OSClient
+	return c.PrivilegedLoopbackOpenShiftClient
 }
 
 // OriginNamespaceControllerClients returns a client for openshift and kubernetes.
 // The openshift client object must have authority to delete openshift content in any namespace
 // The kubernetes client object must have authority to execute a finalize request on a namespace
 func (c *MasterConfig) OriginNamespaceControllerClients() (*osclient.Client, *kclient.Client) {
-	return c.OSClient, c.KubernetesClient
+	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 
 // NewEtcdHelper returns an EtcdHelper for the provided storage version.

diff --git a/pkg/cmd/server/start/master_args.go b/pkg/cmd/server/start/master_args.go
@@ -169,9 +169,9 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig
 		},
 
 		MasterClients: configapi.MasterClients{
-			DeployerKubeConfig:          admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-deployer"),
-			OpenShiftLoopbackKubeConfig: admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-client"),
-			KubernetesKubeConfig:        admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "kube-client"),
+			DeployerKubeConfig:           admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-deployer"),
+			OpenShiftLoopbackKubeConfig:  admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), "openshift-client"),
+			ExternalKubernetesKubeConfig: args.KubeConnectionArgs.ClientConfigLoadingRules.ExplicitPath,
 		},
 
 		EtcdClientInfo: configapi.EtcdConnectionInfo{

diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
@@ -358,7 +358,7 @@ func StartMaster(openshiftMasterConfig *configapi.MasterConfig) error {
 		kubeConfig.RunNamespaceController()
 
 	} else {
-		_, kubeConfig, err := configapi.GetKubeClient(openshiftMasterConfig.MasterClients.KubernetesKubeConfig)
+		_, kubeConfig, err := configapi.GetKubeClient(openshiftMasterConfig.MasterClients.ExternalKubernetesKubeConfig)
 		if err != nil {
 			return err
 		}