Merge pull request kubernetes#39442 from deads2k/generic-08-client-go-01

Automatic merge from submit-queue

switch webhook to clientgo

Switches the delegating authentication and authorization webhooks to use client-go.  The ripples go out aways, but I kept it as contained as I could.

@sttts

Author: Kubernetes Submit Queue

cmd/kubelet/app/BUILD

@@ -8,11 +8,28 @@ load(
     "go_test",
 )
 
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "bootstrap_test.go",
+        "server_test.go",
+    ],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/client/restclient:go_default_library",
+        "//pkg/kubelet:go_default_library",
+        "//pkg/util/config:go_default_library",
+        "//pkg/util/diff:go_default_library",
+    ],
+)
+
 go_library(
     name = "go_default_library",
     srcs = [
         "auth.go",
         "bootstrap.go",
+        "clientgo.go",
         "plugins.go",
         "server.go",
         "server_linux.go",
@@ -28,8 +45,6 @@ go_library(
         "//pkg/capabilities:go_default_library",
         "//pkg/client/chaosclient:go_default_library",
         "//pkg/client/clientset_generated/clientset:go_default_library",
-        "//pkg/client/clientset_generated/clientset/typed/authentication/v1beta1:go_default_library",
-        "//pkg/client/clientset_generated/clientset/typed/authorization/v1beta1:go_default_library",
         "//pkg/client/clientset_generated/clientset/typed/certificates/v1alpha1:go_default_library",
         "//pkg/client/clientset_generated/clientset/typed/core/v1:go_default_library",
         "//pkg/client/record:go_default_library",
@@ -101,22 +116,13 @@ go_library(
         "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
         "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
         "//vendor:k8s.io/apiserver/pkg/healthz",
-    ],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = [
-        "bootstrap_test.go",
-        "server_test.go",
-    ],
-    library = ":go_default_library",
-    tags = ["automanaged"],
-    deps = [
-        "//pkg/client/restclient:go_default_library",
-        "//pkg/kubelet:go_default_library",
-        "//pkg/util/config:go_default_library",
-        "//pkg/util/diff:go_default_library",
+        "//vendor:k8s.io/client-go/kubernetes",
+        "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
+        "//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
+        "//vendor:k8s.io/client-go/rest",
+        "//vendor:k8s.io/client-go/tools/auth",
+        "//vendor:k8s.io/client-go/tools/clientcmd",
+        "//vendor:k8s.io/client-go/tools/clientcmd/api",
     ],
 )
 

cmd/kubelet/app/auth.go

@@ -23,10 +23,11 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	clientset "k8s.io/client-go/kubernetes"
+	authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
+	authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
+
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
-	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
-	authenticationclient "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authentication/v1beta1"
-	authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/authorization/v1beta1"
 	apiserverauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 	alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 	apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"

cmd/kubelet/app/clientgo.go

@@ -0,0 +1,120 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// this file contains parallel methods for getting a client-go clientconfig
+// The types are not reasonably compatibly between the client-go and kubernetes restclient.Interface,
+// restclient.Config, or typed clients, so this is the simplest solution during the transition
+package app
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/golang/glog"
+
+	"k8s.io/client-go/rest"
+	clientauth "k8s.io/client-go/tools/auth"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+
+	"k8s.io/kubernetes/cmd/kubelet/app/options"
+	"k8s.io/kubernetes/pkg/client/chaosclient"
+)
+
+func kubeconfigClientGoConfig(s *options.KubeletServer) (*rest.Config, error) {
+	if s.RequireKubeConfig {
+		// Ignores the values of s.APIServerList
+		return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+			&clientcmd.ClientConfigLoadingRules{ExplicitPath: s.KubeConfig.Value()},
+			&clientcmd.ConfigOverrides{},
+		).ClientConfig()
+	}
+	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		&clientcmd.ClientConfigLoadingRules{ExplicitPath: s.KubeConfig.Value()},
+		&clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: s.APIServerList[0]}},
+	).ClientConfig()
+}
+
+// createClientConfig creates a client configuration from the command line
+// arguments. If --kubeconfig is explicitly set, it will be used. If it is
+// not set, we attempt to load the default kubeconfig file, and if we cannot,
+// we fall back to the default client with no auth - this fallback does not, in
+// and of itself, constitute an error.
+func createClientGoConfig(s *options.KubeletServer) (*rest.Config, error) {
+	if s.RequireKubeConfig {
+		return kubeconfigClientGoConfig(s)
+	}
+
+	// TODO: handle a new --standalone flag that bypasses kubeconfig loading and returns no error.
+	// DEPRECATED: all subsequent code is deprecated
+	if len(s.APIServerList) == 0 {
+		return nil, fmt.Errorf("no api servers specified")
+	}
+	// TODO: adapt Kube client to support LB over several servers
+	if len(s.APIServerList) > 1 {
+		glog.Infof("Multiple api servers specified.  Picking first one")
+	}
+
+	if s.KubeConfig.Provided() {
+		return kubeconfigClientGoConfig(s)
+	}
+	// If KubeConfig was not provided, try to load the default file, then fall back
+	// to a default auth config.
+	clientConfig, err := kubeconfigClientGoConfig(s)
+	if err != nil {
+		glog.Warningf("Could not load kubeconfig file %s: %v. Using default client config instead.", s.KubeConfig, err)
+
+		authInfo := &clientauth.Info{}
+		authConfig, err := authInfo.MergeWithConfig(rest.Config{})
+		if err != nil {
+			return nil, err
+		}
+		authConfig.Host = s.APIServerList[0]
+		clientConfig = &authConfig
+	}
+	return clientConfig, nil
+}
+
+// createAPIServerClientGoConfig generates a client.Config from command line flags,
+// including api-server-list, via createClientConfig and then injects chaos into
+// the configuration via addChaosToClientConfig. This func is exported to support
+// integration with third party kubelet extensions (e.g. kubernetes-mesos).
+func createAPIServerClientGoConfig(s *options.KubeletServer) (*rest.Config, error) {
+	clientConfig, err := createClientGoConfig(s)
+	if err != nil {
+		return nil, err
+	}
+
+	clientConfig.ContentType = s.ContentType
+	// Override kubeconfig qps/burst settings from flags
+	clientConfig.QPS = float32(s.KubeAPIQPS)
+	clientConfig.Burst = int(s.KubeAPIBurst)
+
+	addChaosToClientGoConfig(s, clientConfig)
+	return clientConfig, nil
+}
+
+// addChaosToClientConfig injects random errors into client connections if configured.
+func addChaosToClientGoConfig(s *options.KubeletServer, config *rest.Config) {
+	if s.ChaosChance != 0.0 {
+		config.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+			seed := chaosclient.NewSeed(1)
+			// TODO: introduce a standard chaos package with more tunables - this is just a proof of concept
+			// TODO: introduce random latency and stalls
+			return chaosclient.NewChaosRoundTripper(rt, chaosclient.LogChaos, seed.P(s.ChaosChance, chaosclient.ErrSimulatedConnectionResetByPeer))
+		}
+	}
+}

cmd/kubelet/app/server.go

@@ -37,6 +37,8 @@ import (
 	"github.com/spf13/pflag"
 
 	"k8s.io/apiserver/pkg/healthz"
+	clientgoclientset "k8s.io/client-go/kubernetes"
+
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/v1"
@@ -137,19 +139,20 @@ func UnsecuredKubeletDeps(s *options.KubeletServer) (*kubelet.KubeletDeps, error
 	}
 
 	return &kubelet.KubeletDeps{
-		Auth:              nil, // default does not enforce auth[nz]
-		CAdvisorInterface: nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here
-		Cloud:             nil, // cloud provider might start background processes
-		ContainerManager:  nil,
-		DockerClient:      dockerClient,
-		KubeClient:        nil,
-		Mounter:           mounter,
-		NetworkPlugins:    ProbeNetworkPlugins(s.NetworkPluginDir, s.CNIConfDir, s.CNIBinDir),
-		OOMAdjuster:       oom.NewOOMAdjuster(),
-		OSInterface:       kubecontainer.RealOS{},
-		Writer:            writer,
-		VolumePlugins:     ProbeVolumePlugins(s.VolumePluginDir),
-		TLSOptions:        tlsOptions,
+		Auth:               nil, // default does not enforce auth[nz]
+		CAdvisorInterface:  nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here
+		Cloud:              nil, // cloud provider might start background processes
+		ContainerManager:   nil,
+		DockerClient:       dockerClient,
+		KubeClient:         nil,
+		ExternalKubeClient: nil,
+		Mounter:            mounter,
+		NetworkPlugins:     ProbeNetworkPlugins(s.NetworkPluginDir, s.CNIConfDir, s.CNIBinDir),
+		OOMAdjuster:        oom.NewOOMAdjuster(),
+		OSInterface:        kubecontainer.RealOS{},
+		Writer:             writer,
+		VolumePlugins:      ProbeVolumePlugins(s.VolumePluginDir),
+		TLSOptions:         tlsOptions,
 	}, nil
 }
 
@@ -359,6 +362,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 
 	if kubeDeps == nil {
 		var kubeClient, eventClient *clientset.Clientset
+		var externalKubeClient clientgoclientset.Interface
 		var cloud cloudprovider.Interface
 
 		if s.CloudProvider != componentconfigv1alpha1.AutoDetectCloudProvider {
@@ -406,13 +410,35 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 			}
 		}
 
+		// client-go and kuberenetes generated clients are incompatible because the runtime
+		// and runtime/serializer types have been duplicated in client-go.  This means that
+		// you can't reasonably convert from one to the other and its impossible for a single
+		// type to fulfill both interfaces.  Because of that, we have to build the clients
+		// up from scratch twice.
+		// TODO eventually the kubelet should only use the client-go library
+		clientGoConfig, err := createAPIServerClientGoConfig(s)
+		if err == nil {
+			externalKubeClient, err = clientgoclientset.NewForConfig(clientGoConfig)
+			if err != nil {
+				glog.Warningf("New kubeClient from clientConfig error: %v", err)
+			}
+		} else {
+			if s.RequireKubeConfig {
+				return fmt.Errorf("invalid kubeconfig: %v", err)
+			}
+			if standaloneMode {
+				glog.Warningf("No API client: %v", err)
+			}
+		}
+
 		kubeDeps, err = UnsecuredKubeletDeps(s)
 		if err != nil {
 			return err
 		}
 
 		kubeDeps.Cloud = cloud
 		kubeDeps.KubeClient = kubeClient
+		kubeDeps.ExternalKubeClient = externalKubeClient
 		kubeDeps.EventClient = eventClient
 	}
 
@@ -421,7 +447,8 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 		if err != nil {
 			return err
 		}
-		auth, err := buildAuth(nodeName, kubeDeps.KubeClient, s.KubeletConfiguration)
+
+		auth, err := buildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
 		if err != nil {
 			return err
 		}