Drop unsafe unwrapper for exec.roundTripper

exec.roundTripper now implements utilnet.RoundTripperWrapper so this
unsafe hack is no longer needed.

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-12-15 09:39:46 -05:00
parent 86f2bea8c5
commit a6085c9678
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
2 changed files with 4 additions and 32 deletions


@ -8,8 +8,6 @@ import (
"crypto/x509" "crypto/x509"
"fmt" "fmt"
"net/http" "net/http"
"reflect"
"unsafe"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts" "github.com/google/go-cmp/cmp/cmpopts"
@ -155,7 +153,7 @@ func createSecureKubeConfig(kubeConfig *restclient.Config) (*restclient.Config,
} }
}() }()
tlsConfig, err := netTLSClientConfig(rt) tlsConfig, err := net.TLSClientConfig(rt)
if err != nil { if err != nil {
// this assumes none of our production code calls Wrap or messes with WrapTransport. // this assumes none of our production code calls Wrap or messes with WrapTransport.
// this is a reasonable assumption because all such code should live in this package // this is a reasonable assumption because all such code should live in this package
@ -205,7 +203,7 @@ func AssertSecureConfig(kubeConfig *restclient.Config) error {
} }
func AssertSecureTransport(rt http.RoundTripper) error { func AssertSecureTransport(rt http.RoundTripper) error {
tlsConfig, err := netTLSClientConfig(rt) tlsConfig, err := net.TLSClientConfig(rt)
if err != nil { if err != nil {
return fmt.Errorf("failed to get TLS config: %w", err) return fmt.Errorf("failed to get TLS config: %w", err)
} }
@ -224,33 +222,6 @@ func AssertSecureTransport(rt http.RoundTripper) error {
return nil return nil
} }
func netTLSClientConfig(rt http.RoundTripper) (*tls.Config, error) {
tlsConfig, err := net.TLSClientConfig(rt)
if err == nil {
return tlsConfig, nil
}
// TODO fix when we pick up https://github.com/kubernetes/kubernetes/pull/106014
if err.Error() == "unknown transport type: *exec.roundTripper" {
return net.TLSClientConfig(extractRTUnsafe(rt))
}
return nil, err
}
func extractRTUnsafe(rt http.RoundTripper) (out http.RoundTripper) {
for wrapper, ok := rt.(net.RoundTripperWrapper); ok; wrapper, ok = rt.(net.RoundTripperWrapper) {
// keep peeling the wrappers until we get to the exec.roundTripper
rt = wrapper.WrappedRoundTripper()
}
// this is some dark magic to read a private field
baseField := reflect.ValueOf(rt).Elem().FieldByName("base")
basePointer := (*http.RoundTripper)(unsafe.Pointer(baseField.UnsafeAddr()))
return *basePointer
}
func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) { func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) {
// our middleware does not apply to the returned restclient.Config, therefore, this // our middleware does not apply to the returned restclient.Config, therefore, this
// client not having a leader election lock is irrelevant since it would not be enforced // client not having a leader election lock is irrelevant since it would not be enforced
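Review bot: The two call sites switched to `net.TLSClientConfig` (in createSecureKubeConfig and AssertSecureTransport) now depend on the vendored k8s.io/client-go carrying the change that made exec.roundTripper implement net.RoundTripperWrapper (the kubernetes/kubernetes#106014 referenced by the deleted TODO), but nothing in the commit records that minimum — the diffstat shows only two .go files and no go.mod change. If client-go is ever pinned below that version, net.TLSClientConfig will again return the "unknown transport type: *exec.roundTripper" error: AssertSecureTransport then fails closed, which is the safe outcome, but the error branch in createSecureKubeConfig continues past the hunk and I cannot see from here whether it also rejects the config or tolerates it. A doc comment on AssertSecureTransport would make the dependency explicit, e.g. `// Requires a client-go in which exec.roundTripper implements net.RoundTripperWrapper (kubernetes/kubernetes#106014); with an older client-go, exec-auth transports fail this check.`. Both enclosing functions start or end outside their hunks.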


@ -19,6 +19,7 @@ import (
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/net"
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1" clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api" clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@ -1109,7 +1110,7 @@ func testUnwrap(t *testing.T, client *Client, serverSubjects [][]byte) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races) t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races)
tlsConfig, err := netTLSClientConfig(tt.rt) tlsConfig, err := net.TLSClientConfig(tt.rt)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, tlsConfig) require.NotNil(t, tlsConfig)
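Review bot: This assertion in testUnwrap is now the only guard that the vendored client-go can unwrap exec.roundTripper on its own, since the reflection fallback that used to paper over an old client-go is gone; that is worth saying at the call site so a future failure is diagnosed as a dependency problem rather than a regression in this package, e.g. `// net.TLSClientConfig must unwrap exec.roundTripper itself (kubernetes/kubernetes#106014); a failure here likely means the vendored client-go is too old.`. The guard only holds if the table includes a case whose transport is built from an exec credential plugin config — the clientauthenticationv1 import suggests one exists, but the table is outside this hunk, so please confirm. testUnwrap starts and ends outside the hunk.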