Drop unsafe unwrapper for exec.roundTripper
exec.roundTripper now implements utilnet.RoundTripperWrapper so this unsafe hack is no longer needed. Signed-off-by: Monis Khan <mok@vmware.com>
parent
86f2bea8c5
commit
a6085c9678
@ -8,8 +8,6 @@ import (
|
|||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"reflect"
|
|
||||||
"unsafe"
|
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
"github.com/google/go-cmp/cmp/cmpopts"
|
"github.com/google/go-cmp/cmp/cmpopts"
|
||||||
@ -155,7 +153,7 @@ func createSecureKubeConfig(kubeConfig *restclient.Config) (*restclient.Config,
|
|||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
tlsConfig, err := netTLSClientConfig(rt)
|
tlsConfig, err := net.TLSClientConfig(rt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// this assumes none of our production code calls Wrap or messes with WrapTransport.
|
// this assumes none of our production code calls Wrap or messes with WrapTransport.
|
||||||
// this is a reasonable assumption because all such code should live in this package
|
// this is a reasonable assumption because all such code should live in this package
|
||||||
@ -205,7 +203,7 @@ func AssertSecureConfig(kubeConfig *restclient.Config) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func AssertSecureTransport(rt http.RoundTripper) error {
|
func AssertSecureTransport(rt http.RoundTripper) error {
|
||||||
tlsConfig, err := netTLSClientConfig(rt)
|
tlsConfig, err := net.TLSClientConfig(rt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to get TLS config: %w", err)
|
return fmt.Errorf("failed to get TLS config: %w", err)
|
||||||
}
|
}
|
||||||
@ -224,33 +222,6 @@ func AssertSecureTransport(rt http.RoundTripper) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func netTLSClientConfig(rt http.RoundTripper) (*tls.Config, error) {
|
|
||||||
tlsConfig, err := net.TLSClientConfig(rt)
|
|
||||||
if err == nil {
|
|
||||||
return tlsConfig, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO fix when we pick up https://github.com/kubernetes/kubernetes/pull/106014
|
|
||||||
if err.Error() == "unknown transport type: *exec.roundTripper" {
|
|
||||||
return net.TLSClientConfig(extractRTUnsafe(rt))
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
func extractRTUnsafe(rt http.RoundTripper) (out http.RoundTripper) {
|
|
||||||
for wrapper, ok := rt.(net.RoundTripperWrapper); ok; wrapper, ok = rt.(net.RoundTripperWrapper) {
|
|
||||||
// keep peeling the wrappers until we get to the exec.roundTripper
|
|
||||||
rt = wrapper.WrappedRoundTripper()
|
|
||||||
}
|
|
||||||
|
|
||||||
// this is some dark magic to read a private field
|
|
||||||
baseField := reflect.ValueOf(rt).Elem().FieldByName("base")
|
|
||||||
basePointer := (*http.RoundTripper)(unsafe.Pointer(baseField.UnsafeAddr()))
|
|
||||||
|
|
||||||
return *basePointer
|
|
||||||
}
|
|
||||||
|
|
||||||
func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) {
|
func Secure(config *restclient.Config) (kubernetes.Interface, *restclient.Config, error) {
|
||||||
// our middleware does not apply to the returned restclient.Config, therefore, this
|
// our middleware does not apply to the returned restclient.Config, therefore, this
|
||||||
// client not having a leader election lock is irrelevant since it would not be enforced
|
// client not having a leader election lock is irrelevant since it would not be enforced
|
||||||
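Review bot: With the `netTLSClientConfig` fallback removed, the direct `net.TLSClientConfig(rt)` calls in `createSecureKubeConfig` and `AssertSecureTransport` only succeed when the client-go in use has an `exec.roundTripper` that implements `net.RoundTripperWrapper`, and nothing in the file records that requirement now that the TODO pointing at kubernetes/kubernetes#106014 is deleted. `AssertSecureTransport` fails closed in that case, since it returns the wrapped error, but the error branch of `createSecureKubeConfig` continues outside the hunk and should be checked for the same property. I would add a comment above the first call, for example `// relies on exec.roundTripper implementing RoundTripperWrapper (kubernetes/kubernetes#106014); older client-go returns "unknown transport type" here`. `AssertSecureTransport` is exported and has no doc comment in the visible lines; one sentence saying it inspects the TLS config returned by `net.TLSClientConfig(rt)` would help callers.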
|
@ -19,6 +19,7 @@ import (
|
|||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
"k8s.io/apimachinery/pkg/util/net"
|
||||||
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
|
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||||
@ -1109,7 +1110,7 @@ func testUnwrap(t *testing.T, client *Client, serverSubjects [][]byte) {
|
|||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races)
|
t.Parallel() // make sure to run in parallel to confirm that our client-go TLS cache busting works (i.e. assert no data races)
|
||||||
|
|
||||||
tlsConfig, err := netTLSClientConfig(tt.rt)
|
tlsConfig, err := net.TLSClientConfig(tt.rt)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, tlsConfig)
|
require.NotNil(t, tlsConfig)
|
||||||
|
|
||||||
|
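Review bot: The new import `"k8s.io/apimachinery/pkg/util/net"` has no alias, so `net` in this test file refers to the apimachinery package rather than the standard library one, which is easy to misread in TLS-related code. The commit message already calls the package utilnet; importing it as `utilnet "k8s.io/apimachinery/pkg/util/net"` and calling `utilnet.TLSClientConfig(tt.rt)` in `testUnwrap` would make that explicit. Whether this file also needs the standard `net` package is not visible here, and `testUnwrap` starts and ends outside the hunk.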