Drop unsafe unwrapper for exec.roundTripper
exec.roundTripper now implements utilnet.RoundTripperWrapper so this unsafe hack is no longer needed. Signed-off-by: Monis Khan <mok@vmware.com>
parent
86f2bea8c5
commit
a6085c9678
@ -8,8 +8,6 @@ import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"unsafe"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
"github.com/google/go-cmp/cmp/cmpopts"
|
||||
@ -155,7 +153,7 @@ func createSecureKubeConfig(kubeConfig *restclient.Config) (*restclient.Config,
|
||||
}
|
||||
}()
|
||||
|
||||
tlsConfig, err := netTLSClientConfig(rt)
|
||||
tlsConfig, err := net.TLSClientConfig(rt)
|
||||
if err != nil {
|
||||
// this assumes none of our production code calls Wrap or messes with WrapTransport.
|
||||
// this is a reasonable assumption because all such code should live in this package
|
||||
@ -205,7 +203,7 @@ func AssertSecureConfig(kubeConfig *restclient.Config) error {
|
||||
}
|
||||
|
||||
func AssertSecureTransport(rt http.RoundTripper) error {
|
||||
tlsConfig, err := netTLSClientConfig(rt)
|
||||
tlsConfig, err := net.TLSClientConfig(rt)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get TLS config: %w", err)
|
||||
}
|
||||
@ -224,33 +222,6 @@ func AssertSecureTransport(rt http.RoundTripper) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func netTLSClientConfig(rt http.RoundTripper) (*tls.Config, error) {
|
||||
tlsConfig, err := net.TLSClientConfig(rt)
|
||||
if err == nil {
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
// TODO fix when we pick up https://github.com/kubernetes/kubernetes/pull/106014
|
||||
if err.Error() == "unknown transport type: *exec.roundTripper" {
|
||||
return net.TLSClientConfig(extractRTUnsafe(rt))
|
||||
}
|
||||
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func extractRTUnsafe(rt http.RoundTripper) (out http.RoundTripper) {
|
||||
for wrapper, ok := rt.(net.RoundTripperWrapper); ok; wrapper, ok = rt.(net.RoundTripperWrapper) {
|
||||
// keep peeling the wrappers until we get to the exec.roundTripper
|
||||
rt = wrapper.WrappedRoundTripper()
|
||||
}
|
||||
|
||||
// this is some dark magic to read a private field
|
||||
baseField := reflect.ValueOf(rt).Elem().FieldByName("base")
|
||||
basePointer := (*http.RoundTripper)(unsafe.Pointer(baseField.UnsafeAddr()))
|
||||
|
||||
return *basePointer
|
||||
}
|
||||
|
||||
func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) {
|
||||
// our middleware does not apply to the returned restclient.Config, therefore, this
|
||||
// client not having a leader election lock is irrelevant since it would not be enforced
|
||||
|
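Review bot: AssertSecureTransport now depends entirely on net.TLSClientConfig being able to peel every wrapper in the chain, and the removed helper's TODO pointed at kubernetes/kubernetes#106014 as the upstream change that makes exec.roundTripper unwrappable; the go.mod change carrying that version is not in view here, so if the dependency was not bumped first, exec-credential kubeconfigs will fail AssertSecureTransport with `unknown transport type: *exec.roundTripper`. That is the fail-closed direction, which is the right default for a security assertion, but the reliance is worth recording next to the call so the next person who sees that error does not reintroduce the reflect/unsafe unwrap. A comment such as `// net.TLSClientConfig must see through every wrapper in the chain; an unknown transport type fails closed here` above the `tlsConfig, err := net.TLSClientConfig(rt)` line in AssertSecureTransport would do, and the same applies to the call in createSecureKubeConfig earlier in this file. AssertSecureTransport's body continues past the hunk.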
@ -19,6 +19,7 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/net"
|
||||
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
|
||||
"k8s.io/client-go/rest"
|
||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||
@ -1109,7 +1110,7 @@ func testUnwrap(t *testing.T, client *Client, serverSubjects [][]byte) {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races)
|
||||
|
||||
tlsConfig, err := netTLSClientConfig(tt.rt)
|
||||
tlsConfig, err := net.TLSClientConfig(tt.rt)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, tlsConfig)
|
||||
|
||||
|
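Review bot: testUnwrap now calls net.TLSClientConfig directly, so this test only has teeth if the tt table (outside the hunk) still includes a transport backed by an exec.roundTripper; otherwise the removal of the reflect/unsafe fallback is not actually covered, and a client-go that still answers `unknown transport type: *exec.roundTripper` would go unnoticed until runtime. Worth confirming the exec-backed case is present and, if it is, naming it in the table entry so its purpose survives; the enclosing t.Run loop starts before the hunk and ends after it.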