Merge pull request kubernetes-sigs#731 from kinvolk/imran/fix-k8sclient-for-mtls

k8s-ci-robot · web-flow · commit 721c864c7f92 · 2025-04-30T10:25:55.000-07:00
fix: k8s client setup if agent service account auth is not used
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -20,7 +20,7 @@ env:
 jobs:
   build:
     name: build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
     - name: Check out code
       uses: actions/checkout@v4
@@ -51,7 +51,7 @@ jobs:
         path: _output/konnectivity-agent.tar
   kind-e2e:
     name: kind-e2e
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 100
     needs:
     - build
@@ -98,7 +98,7 @@ jobs:
       run: make test-e2e-ci
   e2e:
     name: e2e
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 100
     needs:
       - build
@@ -136,7 +136,7 @@ jobs:
         sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test
         sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl
         sudo cp ${TMP_DIR}/kind /usr/local/bin/kind
-        sudo chmod +x /usr/local/bin/*
+        sudo chmod +x /usr/local/bin/ginkgo /usr/local/bin/e2e.test /usr/local/bin/kubectl /usr/local/bin/kind
 
     - name: Create multi node cluster
       run: |
diff --git a/cmd/server/app/options/options.go b/cmd/server/app/options/options.go
@@ -112,6 +112,8 @@ type ProxyRunOptions struct {
 	LeaseNamespace string
 	// Lease Labels
 	LeaseLabel string
+	// Needs kubernetes client
+	NeedsKubernetesClient bool
 }
 
 func (o *ProxyRunOptions) Flags() *pflag.FlagSet {
@@ -287,29 +289,27 @@ func (o *ProxyRunOptions) Validate() error {
 	if o.EnableContentionProfiling && !o.EnableProfiling {
 		return fmt.Errorf("if --enable-contention-profiling is set, --enable-profiling must also be set")
 	}
-
-	// validate agent authentication params
-	// all 4 parameters must be empty or must have value (except KubeconfigPath that might be empty)
-	if o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != "" || o.KubeconfigPath != "" {
+	usingServiceAccountAuth := o.AgentNamespace != "" || o.AgentServiceAccount != "" || o.AuthenticationAudience != ""
+	if usingServiceAccountAuth {
 		if o.ClusterCaCert != "" {
-			return fmt.Errorf("ClusterCaCert can not be used when service account authentication is enabled")
+			return fmt.Errorf("--cluster-ca-cert can not be used when agent authentication is enabled")
 		}
 		if o.AgentNamespace == "" {
-			return fmt.Errorf("AgentNamespace cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--agent-namespace cannot be empty when agent authentication is enabled")
 		}
 		if o.AgentServiceAccount == "" {
-			return fmt.Errorf("AgentServiceAccount cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--agent-service-account cannot be empty when agent authentication is enabled")
 		}
 		if o.AuthenticationAudience == "" {
-			return fmt.Errorf("AuthenticationAudience cannot be empty when agent authentication is enabled")
+			return fmt.Errorf("--authentication-audience cannot be empty when agent authentication is enabled")
 		}
-		if o.KubeconfigPath != "" {
-			if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
-				return fmt.Errorf("error checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
-			}
+	}
+	// Validate kubeconfig path if provided
+	if o.KubeconfigPath != "" {
+		if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {
+			return fmt.Errorf("checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)
 		}
 	}
-
 	// validate the proxy strategies
 	if len(o.ProxyStrategies) == 0 {
 		return fmt.Errorf("ProxyStrategies cannot be empty")
@@ -338,6 +338,8 @@ func (o *ProxyRunOptions) Validate() error {
 		}
 	}
 
+	o.NeedsKubernetesClient = usingServiceAccountAuth || o.EnableLeaseController
+
 	return nil
 }
 
diff --git a/cmd/server/app/server.go b/cmd/server/app/server.go
@@ -105,7 +105,7 @@ func (p *Proxy) Run(o *options.ProxyRunOptions, stopCh <-chan struct{}) error {
 	defer cancel()
 
 	var k8sClient *kubernetes.Clientset
-	if o.AgentNamespace != "" {
+	if o.NeedsKubernetesClient {
 		config, err := clientcmd.BuildConfigFromFlags("", o.KubeconfigPath)
 		if err != nil {
 			return fmt.Errorf("failed to load kubernetes client config: %v", err)

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,8 @@ type ProxyRunOptions struct {`
`112`	`112`	`LeaseNamespace string`
`113`	`113`	`// Lease Labels`
`114`	`114`	`LeaseLabel string`
	`115`	`+ // Needs kubernetes client`
	`116`	`+ NeedsKubernetesClient bool`
`115`	`117`	`}`
`116`	`118`
`117`	`119`	`func (o ProxyRunOptions) Flags() pflag.FlagSet {`
`@@ -287,29 +289,27 @@ func (o *ProxyRunOptions) Validate() error {`
`287`	`289`	`if o.EnableContentionProfiling && !o.EnableProfiling {`
`288`	`290`	`return fmt.Errorf("if --enable-contention-profiling is set, --enable-profiling must also be set")`
`289`	`291`	`}`
`290`		`-`
`291`		`- // validate agent authentication params`
`292`		`- // all 4 parameters must be empty or must have value (except KubeconfigPath that might be empty)`
`293`		`- if o.AgentNamespace != "" \|\| o.AgentServiceAccount != "" \|\| o.AuthenticationAudience != "" \|\| o.KubeconfigPath != "" {`
	`292`	`+ usingServiceAccountAuth := o.AgentNamespace != "" \|\| o.AgentServiceAccount != "" \|\| o.AuthenticationAudience != ""`
	`293`	`+ if usingServiceAccountAuth {`
`294`	`294`	`if o.ClusterCaCert != "" {`
`295`		`- return fmt.Errorf("ClusterCaCert can not be used when service account authentication is enabled")`
	`295`	`+ return fmt.Errorf("--cluster-ca-cert can not be used when agent authentication is enabled")`
`296`	`296`	`}`
`297`	`297`	`if o.AgentNamespace == "" {`
`298`		`- return fmt.Errorf("AgentNamespace cannot be empty when agent authentication is enabled")`
	`298`	`+ return fmt.Errorf("--agent-namespace cannot be empty when agent authentication is enabled")`
`299`	`299`	`}`
`300`	`300`	`if o.AgentServiceAccount == "" {`
`301`		`- return fmt.Errorf("AgentServiceAccount cannot be empty when agent authentication is enabled")`
	`301`	`+ return fmt.Errorf("--agent-service-account cannot be empty when agent authentication is enabled")`
`302`	`302`	`}`
`303`	`303`	`if o.AuthenticationAudience == "" {`
`304`		`- return fmt.Errorf("AuthenticationAudience cannot be empty when agent authentication is enabled")`
	`304`	`+ return fmt.Errorf("--authentication-audience cannot be empty when agent authentication is enabled")`
`305`	`305`	`}`
`306`		`- if o.KubeconfigPath != "" {`
`307`		`- if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {`
`308`		`- return fmt.Errorf("error checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)`
`309`		`- }`
	`306`	`+ }`
	`307`	`+ // Validate kubeconfig path if provided`
	`308`	`+ if o.KubeconfigPath != "" {`
	`309`	`+ if _, err := os.Stat(o.KubeconfigPath); os.IsNotExist(err) {`
	`310`	`+ return fmt.Errorf("checking KubeconfigPath %q, got %v", o.KubeconfigPath, err)`
`310`	`311`	`}`
`311`	`312`	`}`
`312`		`-`
`313`	`313`	`// validate the proxy strategies`
`314`	`314`	`if len(o.ProxyStrategies) == 0 {`
`315`	`315`	`return fmt.Errorf("ProxyStrategies cannot be empty")`
`@@ -338,6 +338,8 @@ func (o *ProxyRunOptions) Validate() error {`
`338`	`338`	`}`
`339`	`339`	`}`
`340`	`340`
	`341`	`+ o.NeedsKubernetesClient = usingServiceAccountAuth \|\| o.EnableLeaseController`
	`342`	`+`
`341`	`343`	`return nil`
`342`	`344`	`}`
`343`	`345`