Merge pull request brancz#98 from ibihim/release-0.17.1-downstream
OCPBUGS-31955: Merge upstream v0.17.1 release
openshift-merge-bot[bot] authored May 8, 2024
2 parents 04d0a78 + f027071 commit 8ea2c99
Showing 2,642 changed files with 268,227 additions and 79,001 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Expand Up @@ -4,7 +4,7 @@ on: [push, pull_request]

env:
QUAY_PATH: quay.io/brancz/kube-rbac-proxy
go-version: '1.21.3'
go-version: '1.22.2'
kind-version: 'v0.20.0'

jobs:
14 changes: 14 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,17 @@
## 0.17.1 / 2024-05-07

- [BUGFIX] make deprecated (usptream removed) flags behave like before

## 0.17.0 / 2024-02-08

- [ENHANCEMENT] add command-line args --kube-api-qps/--kube-api-burst
- [ENHANCEMENT] Bump deps

## 0.16.0 / 2024-02-08

- [ENHANCEMENT] Bump dependencies and in particular to kubernetes to v1.28
- [CHANGE] Due to the bump to k8s v1.28 some logging flags are disabled

## 0.15.0 / 2023-10-20

- [ENHANCEMENT] bump opentelemetry to fix CVE
3 changes: 2 additions & 1 deletion Dockerfile
@@ -1,6 +1,7 @@
ARG GOARCH=amd64
ARG GOOS=linux
FROM gcr.io/distroless/static:nonroot-$GOARCH
ARG BASEIMAGE=gcr.io/distroless/static:nonroot-$GOARCH
FROM $BASEIMAGE

ARG BINARY=kube-rbac-proxy-$GOOS-$GOARCH
COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy
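Review bot: `ARG BASEIMAGE=gcr.io/distroless/static:nonroot-$GOARCH` turns the base image into a build-time override, but neither this hunk nor the Makefile hunk that forwards `--build-arg BASEIMAGE=$(BASEIMAGE)` says what a caller is expected to pass, and the default is still a floating tag that can resolve to different content over time. A short comment above the ARG would make the contract explicit, e.g. `# Base image of the final stage; pass a digest-pinned reference (image@sha256:...) for reproducible, attestable builds.` The same documentation point applies to the `BASEIMAGE?=` line in the Makefile section.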
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -7,6 +7,7 @@ PROGRAM_NAME?=kube-rbac-proxy
GITHUB_URL=github.com/brancz/kube-rbac-proxy
GOOS?=$(shell uname -s | tr A-Z a-z)
GOARCH?=$(shell go env GOARCH)
BASEIMAGE?=gcr.io/distroless/static:nonroot-$(GOARCH)
OUT_DIR=_output
VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
VERSION_SEMVER?=$(shell echo $(VERSION) | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+')
Expand Down Expand Up @@ -56,7 +57,7 @@ update-go-deps:
go mod tidy

container: $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(CONTAINER_NAME)-$(GOARCH) .
docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME)-$(GOARCH) .
ifeq ($(GOARCH), amd64)
docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(CONTAINER_NAME)
endif
17 changes: 4 additions & 13 deletions README.md
Expand Up @@ -67,6 +67,8 @@ Kube-rbac-proxy flags:
--http2-max-size uint32 The maximum number of bytes that the server will accept for frame size and buffer per stream in a HTTP/2 request. (default 262144)
--ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
--insecure-listen-address string [DEPRECATED] The address the kube-rbac-proxy HTTP server should listen on.
--kube-api-burst int kube-api burst value; needed when kube-api-qps is set
--kube-api-qps float32 queries per second to the api, kube-client starts client-side throttling, when breached
--kubeconfig string Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
Expand All @@ -90,19 +92,8 @@ Kube-rbac-proxy flags:
Global flags:
--add-dir-header If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-h, --help help for kube-rbac-proxy
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--logtostderr log to standard error instead of files (default true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-headers If true, avoid header prefixes in the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--version version[=true] Print version information and quit
-h, --help help for kube-rbac-proxy
--version version[=true] --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version
```


5 changes: 4 additions & 1 deletion RELEASE.md
Expand Up @@ -7,7 +7,10 @@ Release shepherds are chosen on a voluntary basis.

| release series | date of release (year-month-day) | release shepherd |
|----------------|----------------------------------|---------------------------------------------|
| v0.16.0 | TBD | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.18.0 | TBD | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.17.1 | 2024-05-07 | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.17.0 | 2024-04-18 | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.16.0 | 2024-02-08 | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.15.0 | 2023-10-20 | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.14.4 | 2023-10-16 | Krzysztof Ostrowski (GitHub: @ibihim) |
| v0.14.3 | 2023-09-07 | Krzysztof Ostrowski (GitHub: @ibihim) |
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
v0.15.0
v0.17.1
86 changes: 19 additions & 67 deletions cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
Expand Up @@ -40,7 +40,6 @@ import (
"golang.org/x/net/http2"
"golang.org/x/net/http2/h2c"

utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -85,17 +84,16 @@ that can perform RBAC authorization against the Kubernetes API using SubjectAcce

k8sapiflag.PrintFlags(fs)

if err := o.Validate(); err != nil {
return err
}

// set default options
completedOptions, err := Complete(o)
if err != nil {
return err
}

// validate options
if errs := completedOptions.Validate(); len(errs) != 0 {
return utilerrors.NewAggregate(errs)
}

return Run(completedOptions)
},
Args: func(cmd *cobra.Command, args []string) error {
Expand Down Expand Up @@ -147,63 +145,6 @@ type completedProxyRunOptions struct {
ignorePaths []string
}

func (o *completedProxyRunOptions) Validate() []error {
var errs []error

hasCerts := !(o.tls.CertFile == "") && !(o.tls.KeyFile == "")
hasInsecureListenAddress := o.insecureListenAddress != ""
if !hasCerts || hasInsecureListenAddress {
klog.Warning(`
==== Deprecation Warning ======================
Insecure listen address will be removed.
Using --insecure-listen-address won't be possible!
The ability to run kube-rbac-proxy without TLS certificates will be removed.
Not using --tls-cert-file and --tls-private-key-file won't be possible!
For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187
===============================================
`)
}

if o.tls.ReloadInterval != time.Minute {
klog.Warning(`
==== Deprecation Warning ======================
tls-reload-interval will be removed.
Using --tls-reload-interval won't be possible!
For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/196
===============================================
`)

}

if len(o.allowPaths) > 0 && len(o.ignorePaths) > 0 {
errs = append(errs, fmt.Errorf("cannot use --allow-paths and --ignore-paths together"))
}

for _, pathAllowed := range o.allowPaths {
_, err := path.Match(pathAllowed, "")
if err != nil {
errs = append(errs, fmt.Errorf("failed to verify allow path: %s", pathAllowed))
}
}

for _, pathIgnored := range o.ignorePaths {
_, err := path.Match(pathIgnored, "")
if err != nil {
errs = append(errs, fmt.Errorf("failed to verify ignored path: %s", pathIgnored))
}
}

return errs
}

func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
var err error
completed := &completedProxyRunOptions{
Expand Down Expand Up @@ -249,6 +190,13 @@ func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
return nil, fmt.Errorf("failed to load kubeconfig: %w", err)
}

if o.QPS > 0 {
kubeconfig.QPS = o.QPS
}
if o.Burst > 0 {
kubeconfig.Burst = o.Burst
}

completed.kubeClient, err = kubernetes.NewForConfig(kubeconfig)
if err != nil {
return nil, fmt.Errorf("failed to instantiate Kubernetes client: %w", err)
Expand Down Expand Up @@ -456,7 +404,7 @@ func Run(cfg *completedProxyRunOptions) error {
return srv.Serve(tlsListener)
}, func(err error) {
if err := srv.Shutdown(context.Background()); err != nil {
klog.Errorf("failed to gracefully shutdown server: %w", err)
klog.Errorf("failed to gracefully shutdown server: %+v", err)
}
})

Expand Down Expand Up @@ -504,7 +452,7 @@ func Run(cfg *completedProxyRunOptions) error {
return proxyEndpointsSrv.Serve(tlsListener)
}, func(err error) {
if err := proxyEndpointsSrv.Shutdown(context.Background()); err != nil {
klog.Errorf("failed to gracefully shutdown proxy endpoints server: %w", err)
klog.Errorf("failed to gracefully shutdown proxy endpoints server: %+v", err)
}
})
}
Expand All @@ -529,10 +477,10 @@ func Run(cfg *completedProxyRunOptions) error {
return srv.Serve(l)
}, func(err error) {
if err := srv.Shutdown(context.Background()); err != nil {
klog.Errorf("failed to gracefully shutdown server: %w", err)
klog.Errorf("failed to gracefully shutdown server: %+v", err)
}
if err := l.Close(); err != nil {
klog.Errorf("failed to gracefully close listener: %w", err)
klog.Errorf("failed to gracefully close listener: %+v", err)
}
})
}
Expand All @@ -549,6 +497,10 @@ func Run(cfg *completedProxyRunOptions) error {
})
}

if len(cfg.secureListenAddress) == 0 && len(cfg.insecureListenAddress) == 0 {
return fmt.Errorf("no listen address provided")
}

if err := gr.Run(); err != nil {
return fmt.Errorf("failed to run groups: %w", err)
}
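Review bot: The new `if len(cfg.secureListenAddress) == 0 && len(cfg.insecureListenAddress) == 0` check in the last hunk runs only after every server has been registered with the run group, so it is option validation placed at the end of Run rather than where this commit now validates options (the `o.Validate()` call added in the RunE hunk, which replaces the dropped `completedOptions.Validate()`). Moving the check into that Validate, or at least to the top of Run, would fail fast and keep Run free of input checks; Run's body starts and ends outside this section. The removed `completedProxyRunOptions.Validate` also carried the deprecation warning emitted when TLS certificate files are absent or `--insecure-listen-address` is set, plus the allow/ignore-paths mutual-exclusion and `path.Match` checks; `o.Validate()` lives in the options package outside this diff, so it is worth confirming those checks and the warning survive, since losing the warning would let a TLS-less deployment start silently.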
77 changes: 77 additions & 0 deletions cmd/kube-rbac-proxy/app/options/deprecated.go
@@ -0,0 +1,77 @@
/*
Copyright 2024 the kube-rbac-proxy maintainers. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package options

import (
"fmt"

"github.com/spf13/pflag"
"k8s.io/klog/v2"
)

var disabledFlagsType = map[string]string{
"logtostderr": "bool",
"add-dir-header": "bool",
"alsologtostderr": "bool",
"log-backtrace-at": "string",
"log-dir": "string",
"log-file": "string",
"log-file-max-size": "uint64",
"one-output": "bool",
"skip-headers": "bool",
"skip-log-headers": "bool",
"stderrthreshold": "string",
}

func (o *ProxyRunOptions) addDisabledFlags(flagset *pflag.FlagSet) {
// disabled flags
o.flagSet = flagset // reference used for validation

for name, typeStr := range disabledFlagsType {
switch typeStr {
case "bool":
_ = flagset.Bool(name, false, "[DISABLED]")
case "string":
_ = flagset.String(name, "", "[DISABLED]")
case "uint64":
_ = flagset.Uint64(name, 0, "[DISABLED]")
default:
panic(fmt.Sprintf("unknown type %q", typeStr))
}

if err := flagset.MarkHidden(name); err != nil {
panic(err)
}
}
}

func (o *ProxyRunOptions) validateDisabledFlags() error {
// Removed upstream flags shouldn't be use
for disabledOpt := range disabledFlagsType {
if flag := o.flagSet.Lookup(disabledOpt); flag.Changed {
klog.Warningf(`
==== Removed Flag Warning ======================
%s is removed in the k8s upstream and has no effect any more.
===============================================
`, disabledOpt)
}
}

return nil
}
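Review bot: `if flag := o.flagSet.Lookup(disabledOpt); flag.Changed {` in validateDisabledFlags dereferences the Lookup result without a nil check, so a name in `disabledFlagsType` that was not registered on `o.flagSet`, or an `o.flagSet` that is still nil because addDisabledFlags was never called, is likely to panic instead of returning an error; the function's `error` result is otherwise always nil. A guard such as `if flag := o.flagSet.Lookup(disabledOpt); flag != nil && flag.Changed {` keeps the warning path total, and the comment above the loop reads better as `// Removed upstream flags shouldn't be used; warn if one was set.` Nothing documents that both methods rely on `o.flagSet` being the same set the hidden flags were added to, which a short doc comment on addDisabledFlags (noting it stores the flagset for validateDisabledFlags) would make explicit.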
