adapt: match ClientCARegistrationHook code with upstream

sttts · sttts · commit c12bd72a82c0 · 2017-04-12T15:37:05.000+02:00
diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go
@@ -124,6 +124,11 @@ func BuildKubeAPIserverOptions(masterConfig configapi.MasterConfig) (*kapiserver
 	server.InsecureServing.BindPort = 0
 
 	server.Authentication.ClientCert = &apiserveroptions.ClientCertAuthenticationOptions{masterConfig.ServingInfo.ClientCA}
+	server.Authentication.RequestHeader.ClientCAFile = masterConfig.AuthConfig.RequestHeader.ClientCA
+	server.Authentication.RequestHeader.UsernameHeaders = masterConfig.AuthConfig.RequestHeader.UsernameHeaders
+	server.Authentication.RequestHeader.GroupHeaders = masterConfig.AuthConfig.RequestHeader.GroupHeaders
+	server.Authentication.RequestHeader.ExtraHeaderPrefixes = masterConfig.AuthConfig.RequestHeader.ExtraHeaderPrefixes
+	server.Authentication.RequestHeader.AllowedNames = masterConfig.AuthConfig.RequestHeader.ClientCommonNames
 
 	server.Etcd.EnableGarbageCollection = false              // disabled until we add the controller. MUST be in synced with the value in CMServer
 	server.Etcd.StorageConfig.Type = "etcd2"                 // TODO(rebase): enable etcd3 as upstream
@@ -259,6 +264,27 @@ func buildUpstreamGenericConfig(s *kapiserveroptions.ServerRunOptions) (*apiserv
 	return genericConfig, nil
 }
 
+// buildUpstreamClientCARegistrationHook copies the ClientCARegistrationHook code from k8s.io/kubernetes/cmd/kube-apiserver/app/server.go.
+// ONLY COMMENT OUT CODE HERE, do not modify it. Do modifications outside of this function.
+func buildUpstreamClientCARegistrationHook(s *kapiserveroptions.ServerRunOptions) (*master.ClientCARegistrationHook, error) {
+	clientCA, err := readCAorNil(s.Authentication.ClientCert.ClientCA)
+	if err != nil {
+		return nil, err
+	}
+	requestHeaderProxyCA, err := readCAorNil(s.Authentication.RequestHeader.ClientCAFile)
+	if err != nil {
+		return nil, err
+	}
+	return &master.ClientCARegistrationHook{
+		ClientCA:                         clientCA,
+		RequestHeaderUsernameHeaders:     s.Authentication.RequestHeader.UsernameHeaders,
+		RequestHeaderGroupHeaders:        s.Authentication.RequestHeader.GroupHeaders,
+		RequestHeaderExtraHeaderPrefixes: s.Authentication.RequestHeader.ExtraHeaderPrefixes,
+		RequestHeaderCA:                  requestHeaderProxyCA,
+		RequestHeaderAllowedNames:        s.Authentication.RequestHeader.AllowedNames,
+	}, nil
+}
+
 func buildControllerManagerServer(masterConfig configapi.MasterConfig) (*cmapp.CMServer, cloudprovider.Interface, error) {
 	podEvictionTimeout, err := time.ParseDuration(masterConfig.KubernetesMasterConfig.PodEvictionTimeout)
 	if err != nil {
@@ -373,6 +399,11 @@ func buildKubeApiserverConfig(
 		return nil, err
 	}
 
+	clientCARegistrationHook, err := buildUpstreamClientCARegistrationHook(apiserverOptions)
+	if err != nil {
+		return nil, err
+	}
+
 	// override config values
 	kubeVersion := kversion.Get()
 	genericConfig.Version = &kubeVersion
@@ -428,11 +459,6 @@ func buildKubeApiserverConfig(
 		return nil, err
 	}
 
-	clientCARegistrationHook, err := ClientCARegistrationHook(&masterConfig)
-	if err != nil {
-		return nil, err
-	}
-
 	kubeApiserverConfig := &master.Config{
 		GenericConfig: genericConfig,
 		MasterCount:   apiserverOptions.MasterCount,
@@ -577,29 +603,6 @@ func BuildKubernetesMasterConfig(
 	return kmaster, nil
 }
 
-func ClientCARegistrationHook(options *configapi.MasterConfig) (*master.ClientCARegistrationHook, error) {
-	clientCA, err := readCAorNil(options.ServingInfo.ClientCA)
-	if err != nil {
-		return nil, err
-	}
-	ret := &master.ClientCARegistrationHook{ClientCA: clientCA}
-
-	var requestHeaderProxyCA []byte
-	if options.AuthConfig.RequestHeader != nil {
-		requestHeaderProxyCA, err = readCAorNil(options.AuthConfig.RequestHeader.ClientCA)
-		if err != nil {
-			return nil, err
-		}
-		ret.RequestHeaderUsernameHeaders = options.AuthConfig.RequestHeader.UsernameHeaders
-		ret.RequestHeaderGroupHeaders = options.AuthConfig.RequestHeader.GroupHeaders
-		ret.RequestHeaderExtraHeaderPrefixes = options.AuthConfig.RequestHeader.ExtraHeaderPrefixes
-		ret.RequestHeaderCA = requestHeaderProxyCA
-		ret.RequestHeaderAllowedNames = options.AuthConfig.RequestHeader.ClientCommonNames
-	}
-
-	return ret, nil
-}
-
 func DefaultOpenAPIConfig() *openapicommon.Config {
 	return &openapicommon.Config{
 		GetDefinitions: openapigenerated.GetOpenAPIDefinitions,
