Drop unsafe unwrapper for exec.roundTripper

exec.roundTripper now implements utilnet.RoundTripperWrapper so this unsafe hack is no longer needed. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 09:39:46 -05:00 · 2021-12-15 09:39:46 -05:00 · a6085c9678
commit a6085c9678
parent 86f2bea8c5
2 changed files with 4 additions and 32 deletions
--- a/internal/kubeclient/kubeclient.go
+++ b/internal/kubeclient/kubeclient.go
@ -8,8 +8,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net/http"
-	"reflect"
-	"unsafe"

 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@ -155,7 +153,7 @@ func createSecureKubeConfig(kubeConfig *restclient.Config) (*restclient.Config,
 			}
 		}()

-		tlsConfig, err := netTLSClientConfig(rt)
+		tlsConfig, err := net.TLSClientConfig(rt)
 		if err != nil {
 			// this assumes none of our production code calls Wrap or messes with WrapTransport.
 			// this is a reasonable assumption because all such code should live in this package
@ -205,7 +203,7 @@ func AssertSecureConfig(kubeConfig *restclient.Config) error {
 }

 func AssertSecureTransport(rt http.RoundTripper) error {
-	tlsConfig, err := netTLSClientConfig(rt)
+	tlsConfig, err := net.TLSClientConfig(rt)
 	if err != nil {
 		return fmt.Errorf("failed to get TLS config: %w", err)
 	}
@ -224,33 +222,6 @@ func AssertSecureTransport(rt http.RoundTripper) error {
 	return nil
 }

-func netTLSClientConfig(rt http.RoundTripper) (*tls.Config, error) {
-	tlsConfig, err := net.TLSClientConfig(rt)
-	if err == nil {
-		return tlsConfig, nil
-	}
-
-	// TODO fix when we pick up https://github.com/kubernetes/kubernetes/pull/106014
-	if err.Error() == "unknown transport type: *exec.roundTripper" {
-		return net.TLSClientConfig(extractRTUnsafe(rt))
-	}
-
-	return nil, err
-}
-
-func extractRTUnsafe(rt http.RoundTripper) (out http.RoundTripper) {
-	for wrapper, ok := rt.(net.RoundTripperWrapper); ok; wrapper, ok = rt.(net.RoundTripperWrapper) {
-		// keep peeling the wrappers until we get to the exec.roundTripper
-		rt = wrapper.WrappedRoundTripper()
-	}
-
-	// this is some dark magic to read a private field
-	baseField := reflect.ValueOf(rt).Elem().FieldByName("base")
-	basePointer := (*http.RoundTripper)(unsafe.Pointer(baseField.UnsafeAddr()))
-
-	return *basePointer
-}
-
 func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) {
 	// our middleware does not apply to the returned restclient.Config, therefore, this
 	// client not having a leader election lock is irrelevant since it would not be enforced
--- a/internal/kubeclient/kubeclient_test.go
+++ b/internal/kubeclient/kubeclient_test.go
@ -19,6 +19,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/net"
 	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	"k8s.io/client-go/rest"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@ -1109,7 +1110,7 @@ func testUnwrap(t *testing.T, client *Client, serverSubjects [][]byte) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races)

-			tlsConfig, err := netTLSClientConfig(tt.rt)
+			tlsConfig, err := net.TLSClientConfig(tt.rt)
 			require.NoError(t, err)
 			require.NotNil(t, tlsConfig)