Allow authenticator to return post start hooks

This change allows the authenticator to return post start hooks that can be used to set up any infrastructure the authenticator needs. It also makes sure that these resources are properly cleaned up when the post start hooks are stopped. Signed-off-by: Monis Khan <[email protected]>
openshift · Dec 5, 2017 · f27d947 · f27d947
1 parent 5b379e3
commit f27d947
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 10 deletions.
diff --git a/pkg/cmd/server/origin/authenticator.go b/pkg/cmd/server/origin/authenticator.go
@@ -15,6 +15,7 @@ import (
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
 	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
+	genericapiserver "k8s.io/apiserver/pkg/server"
 	kclientsetexternal "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/cert"
 	sacontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
@@ -37,26 +38,26 @@ func NewAuthenticator(
 	options configapi.MasterConfig,
 	privilegedLoopbackConfig *rest.Config,
 	informers InformerAccess,
-) (authenticator.Request, error) {
+) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {
 	kubeExternalClient, err := kclientsetexternal.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	oauthClient, err := oauthclient.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	userClient, err := userclient.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// this is safe because the server does a quorum read and we're hitting a "magic" authorizer to get permissions based on system:masters
 	// once the cache is added, we won't be paying a double hop cost to etcd on each request, so the simplification will help.
 	serviceAccountTokenGetter := sacontroller.NewGetterFromClient(kubeExternalClient)
 	apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	return newAuthenticator(
@@ -69,7 +70,8 @@ func NewAuthenticator(
 	)
 }
 
-func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {
+func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter usertypedclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, map[string]genericapiserver.PostStartHookFunc, error) {
+	postStartHooks := map[string]genericapiserver.PostStartHookFunc{}
 	authenticators := []authenticator.Request{}
 	tokenAuthenticators := []authenticator.Token{}
 
@@ -79,7 +81,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 		for _, keyFile := range config.ServiceAccountConfig.PublicKeyFiles {
 			readPublicKeys, err := cert.PublicKeysFromFile(keyFile)
 			if err != nil {
-				return nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)
+				return nil, nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)
 			}
 			publicKeys = append(publicKeys, readPublicKeys...)
 		}
@@ -134,7 +136,7 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			config.AuthConfig.RequestHeader.ExtraHeaderPrefixes,
 		)
 		if err != nil {
-			return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
+			return nil, nil, fmt.Errorf("Error building front proxy auth config: %v", err)
 		}
 		topLevelAuthenticators = append(topLevelAuthenticators, union.New(requestHeaderAuthenticator, resultingAuthenticator))
 
@@ -144,5 +146,5 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 	}
 	topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
 
-	return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), nil
+	return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), postStartHooks, nil
 }
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -136,7 +136,7 @@ func BuildMasterConfig(
 
 	kubeletClientConfig := configapi.GetKubeletClientConfig(options)
 
-	authenticator, err := NewAuthenticator(options, privilegedLoopbackConfig, informers)
+	authenticator, authenticatorPostStartHooks, err := NewAuthenticator(options, privilegedLoopbackConfig, informers)
 	if err != nil {
 		return nil, err
 	}
@@ -206,6 +206,10 @@ func BuildMasterConfig(
 		SecurityInformers:      informers.GetSecurityInformers(),
 	}
 
+	for name, hook := range authenticatorPostStartHooks {
+		config.additionalPostStartHooks[name] = hook
+	}
+
 	// ensure that the limit range informer will be started
 	informer := config.InternalKubeInformers.Core().InternalVersion().LimitRanges().Informer()
 	config.LimitVerifier = imageadmission.NewLimitVerifier(imageadmission.LimitRangesForNamespaceFunc(func(ns string) ([]*kapi.LimitRange, error) {