Merge pull request #753 from scydas/feature_gate_cluster_authentication_secrets

add feature gate ClusterAuthenticationFromSecret

Author: Iceber

pkg/kubeapiserver/apiserver.go

@@ -18,6 +18,7 @@ import (
 	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/version"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/restmapper"
 	"k8s.io/component-base/tracing"
 
@@ -142,7 +143,11 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	restManager := NewRESTManager(c.GenericConfig.Serializer, runtime.ContentTypeJSON, c.StorageFactory, c.InitialAPIGroupResources)
 	discoveryManager := discovery.NewDiscoveryManager(c.GenericConfig.Serializer, restManager, delegate)
 
-	secretLister := c.GenericConfig.SharedInformerFactory.Core().V1().Secrets().Lister().Secrets(c.ExtraConfig.SecretNamespace)
+	var secretLister corev1listers.SecretNamespaceLister
+	if utilfeature.DefaultFeatureGate.Enabled(ClusterAuthenticationFromSecret) {
+		secretLister = c.GenericConfig.SharedInformerFactory.Core().V1().Secrets().Lister().Secrets(c.ExtraConfig.SecretNamespace)
+	}
+
 	clusterInformer := c.InformerFactory.Cluster().V1alpha2().PediaClusters()
 	connector := proxyrest.NewProxyConnector(clusterInformer.Lister(), secretLister, c.ExtraConfig.AllowPediaClusterConfigReuse, c.ExtraConfig.ExtraProxyRequestHeaderPrefixes)
 

pkg/kubeapiserver/features.go

@@ -12,6 +12,12 @@ const (
 	// owner: @scydas
 	// alpha: v0.9.0
 	AllowProxyRequestToClusters featuregate.Feature = "AllowProxyRequestToClusters"
+
+	// ClusterAuthenticationFromSecret could get authentication information of the PediaCluster from Secret.
+	//
+	// owner: @scydas
+	// alpha: v0.9.0
+	ClusterAuthenticationFromSecret featuregate.Feature = "ClusterAuthenticationFromSecret"
 )
 
 func init() {
@@ -21,5 +27,6 @@ func init() {
 // defaultInternalStorageFeatureGates consists of all known custom internalstorage feature keys.
 // To add a new feature, define a key for it above and add it here.
 var defaultInternalStorageFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	AllowProxyRequestToClusters: {Default: false, PreRelease: featuregate.Alpha},
+	AllowProxyRequestToClusters:     {Default: false, PreRelease: featuregate.Alpha},
+	ClusterAuthenticationFromSecret: {Default: false, PreRelease: featuregate.Alpha},
 }

pkg/synchromanager/clustersynchro_manager.go

@@ -92,24 +92,27 @@ func NewManager(client kubernetes.Interface, clusterpediaClient crdclientset.Int
 		synchros:          make(map[string]*clustersynchro.ClusterSynchro),
 	}
 
-	secretInformer := corev1informers.NewSecretInformer(client, secretNamespace, 0, nil)
-	if _, err := secretInformer.AddEventHandler(
-		cache.ResourceEventHandlerFuncs{
-			AddFunc:    func(obj any) { manager.handleSecret(nil, obj.(*v1.Secret)) },
-			UpdateFunc: func(older, newer any) { manager.handleSecret(older.(*v1.Secret), newer.(*v1.Secret)) },
-			DeleteFunc: func(obj any) {
-				objName, err := cache.DeletionHandlingObjectToName(obj)
-				if err != nil {
-					return
-				}
-				manager.handleDeletedSecret(objName.Name)
+	if clusterpediafeature.FeatureGate.Enabled(features.ClusterAuthenticationFromSecret) {
+		secretInformer := corev1informers.NewSecretInformer(client, secretNamespace, 0, nil)
+		if _, err := secretInformer.AddEventHandler(
+			cache.ResourceEventHandlerFuncs{
+				AddFunc:    func(obj any) { manager.handleSecret(nil, obj.(*v1.Secret)) },
+				UpdateFunc: func(older, newer any) { manager.handleSecret(older.(*v1.Secret), newer.(*v1.Secret)) },
+				DeleteFunc: func(obj any) {
+					objName, err := cache.DeletionHandlingObjectToName(obj)
+					if err != nil {
+						return
+					}
+					manager.handleDeletedSecret(objName.Name)
+				},
 			},
-		},
-	); err != nil {
-		klog.ErrorS(err, "error when adding event handler to informer")
+		); err != nil {
+			klog.ErrorS(err, "error when adding event handler to informer")
+		}
+
+		manager.secretInformer = secretInformer
+		manager.secretLister = corev1listers.NewSecretLister(secretInformer.GetIndexer()).Secrets(secretNamespace)
 	}
-	manager.secretInformer = secretInformer
-	manager.secretLister = corev1listers.NewSecretLister(secretInformer.GetIndexer()).Secrets(secretNamespace)
 
 	if _, err := clusterinformer.Informer().AddEventHandler(
 		cache.ResourceEventHandlerFuncs{
@@ -159,18 +162,20 @@ func (manager *Manager) Run(workers int, stopCh <-chan struct{}) {
 	// informerFactory should not be controlled by stopCh
 	stopInformer := make(chan struct{})
 
-	// Start the secret informer first
-	go manager.secretInformer.Run(stopInformer)
-	timeout := make(chan struct{})
-	go func() {
-		select {
-		case <-stopCh:
-		case <-time.After(60 * time.Second):
+	if manager.secretInformer != nil {
+		// Start the secret informer first
+		go manager.secretInformer.Run(stopInformer)
+		timeout := make(chan struct{})
+		go func() {
+			select {
+			case <-stopCh:
+			case <-time.After(60 * time.Second):
+			}
+			close(timeout)
+		}()
+		if !cache.WaitForCacheSync(timeout, manager.secretInformer.HasSynced) {
+			klog.Fatal("clustersynchro manager: wait for secret informer failed")
 		}
-		close(timeout)
-	}()
-	if !cache.WaitForCacheSync(timeout, manager.secretInformer.HasSynced) {
-		klog.Fatal("clustersynchro manager: wait for secret informer failed")
 	}
 
 	manager.informerFactory.Start(stopInformer)

pkg/synchromanager/features/features.go

@@ -68,6 +68,12 @@ const (
 	// owner: @27149chen
 	// alpha: v0.8.0
 	IgnoreSyncLease featuregate.Feature = "IgnoreSyncLease"
+
+	// ClusterAuthenticationFromSecret could get authentication information of the PediaCluster from Secret.
+	//
+	// owner: @scydas
+	// alpha: v0.9.0
+	ClusterAuthenticationFromSecret featuregate.Feature = "ClusterAuthenticationFromSecret"
 )
 
 func init() {
@@ -86,4 +92,5 @@ var defaultClusterSynchroManagerFeatureGates = map[featuregate.Feature]featurega
 	ForcePaginatedListForResourceSync:        {Default: false, PreRelease: featuregate.Alpha},
 	StreamHandlePaginatedListForResourceSync: {Default: false, PreRelease: featuregate.Alpha},
 	IgnoreSyncLease:                          {Default: false, PreRelease: featuregate.Alpha},
+	ClusterAuthenticationFromSecret:          {Default: false, PreRelease: featuregate.Alpha},
 }

pkg/utils/rest.go

@@ -19,6 +19,9 @@ func BuildClusterRestConfig(cluster *clusterv1alpha2.PediaCluster, lister v1.Sec
 	if len(cluster.Spec.Kubeconfig) == 0 && len(cluster.Spec.TokenData) == 0 &&
 		(len(cluster.Spec.CertData) == 0 || len(cluster.Spec.KeyData) == 0) &&
 		cluster.Spec.AuthenticationFrom != nil {
+		if lister == nil {
+			return nil, fmt.Errorf("cluster authentication secret listers is nil, perhaps you need to enable feature gate %s", "ClusterAuthenticationFromSecret")
+		}
 		config, err := buildClusterRestConfigFromSecret(cluster.Spec.APIServer, cluster.Spec.AuthenticationFrom, lister)
 		if err != nil {
 			return nil, fmt.Errorf("Cluster Authentication Error: %w", err)