address comments

brancz · Jan 20, 2023 · fdcc27b · fdcc27b
1 parent cad9a34
commit fdcc27b
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 20 deletions.
diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -268,14 +268,14 @@ func Run(opts *completedProxyRunOptions) error {
 				return err
 			}
 			cfg.SecureServing.ClientCA = clientCAProvider
-			prepareSecureServer(ctx, gr, cfg.SecureServing, mux)
+			gr.Add(secureServerRunner(ctx, cfg.SecureServing, mux))
 
 			if cfg.KubeRBACProxyInfo.ProxyEndpointsSecureServing != nil {
 				proxyEndpointsMux := http.NewServeMux()
 				proxyEndpointsMux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write([]byte("ok")) })
 
 				cfg.KubeRBACProxyInfo.ProxyEndpointsSecureServing.ClientCA = clientCAProvider
-				prepareSecureServer(ctx, gr, cfg.KubeRBACProxyInfo.ProxyEndpointsSecureServing, proxyEndpointsMux)
+				gr.Add(secureServerRunner(ctx, cfg.KubeRBACProxyInfo.ProxyEndpointsSecureServing, proxyEndpointsMux))
 			}
 		}
 	}
@@ -344,14 +344,14 @@ func createKubeRBACProxyConfig(opts *completedProxyRunOptions) (*server.KubeRBAC
 	return proxyConfig, nil
 }
 
-func prepareSecureServer(
+func secureServerRunner(
 	ctx context.Context,
-	runGroup *run.Group,
 	config *serverconfig.SecureServingInfo,
 	handler http.Handler,
-) {
+) (func() error, func(error)) {
 	serverStopCtx, serverCtxCancel := context.WithCancel(ctx)
-	runGroup.Add(func() error {
+
+	runner := func() error {
 		stoppedCh, listenerStoppedCh, err := config.Serve(handler, 10*time.Second, serverStopCtx.Done())
 		if err != nil {
 			serverCtxCancel()
@@ -361,7 +361,11 @@ func prepareSecureServer(
 		<-listenerStoppedCh
 		<-stoppedCh
 		return err
-	}, func(err error) {
+	}
+
+	interrupter := func(err error) {
 		serverCtxCancel()
-	})
+	}
+
+	return runner, interrupter
 }
diff --git a/cmd/kube-rbac-proxy/app/options/legacyoptions.go b/cmd/kube-rbac-proxy/app/options/legacyoptions.go
@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"net"
 	"strconv"
-	"time"
 
 	"github.com/brancz/kube-rbac-proxy/pkg/server"
 	"github.com/spf13/pflag"
@@ -30,22 +29,17 @@ import (
 	netutils "k8s.io/utils/net"
 )
 
+// LegacyOptions are options that existed in the original KRP, these shall be
+// removed before we submit the repository for the next sig-auth acceptance review
 type LegacyOptions struct {
 	InsecureListenAddress string
 	SecureListenAddress   string
-
-	TLSReloadInterval time.Duration
 }
 
 func (o *LegacyOptions) AddFlags(flagset *pflag.FlagSet) {
 	// kube-rbac-proxy flags
 	flagset.StringVar(&o.InsecureListenAddress, "insecure-listen-address", "", "The address the kube-rbac-proxy HTTP server should listen on.")
 	flagset.StringVar(&o.SecureListenAddress, "secure-listen-address", "", "The address the kube-rbac-proxy HTTPs server should listen on.")
-
-	// TLS flags
-	flagset.DurationVar(&o.TLSReloadInterval, "tls-reload-interval", 0, "The interval at which to watch for TLS certificate changes, by default set to 1 minute.")
-	_ = flagset.MarkHidden("tls-reload-interval")
-
 }
 
 func (o *LegacyOptions) Validate(certFile, keyFile string) []error {
@@ -70,10 +64,6 @@ For more information, please go to https://github.com/brancz/kube-rbac-proxy/iss
 		`)
 	}
 
-	if o.TLSReloadInterval != 0 {
-		klog.Warning("--tls-reload-interval no longer has any effect and will be removed in the next version")
-	}
-
 	return errs
 }
 

diff --git a/cmd/kube-rbac-proxy/app/options/options.go b/cmd/kube-rbac-proxy/app/options/options.go
@@ -22,6 +22,8 @@ import (
 	kubeflags "k8s.io/component-base/cli/flag"
 )
 
+// ProxyRunOptions bundles both generic server run options from upstream, the
+// proxy-specific options and legacy options
 type ProxyRunOptions struct {
 	SecureServing *genericoptions.SecureServingOptions
 	// ProxySecureServing are options for the proxy endpoints, they will be copied

diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions.go b/cmd/kube-rbac-proxy/app/options/proxyoptions.go
@@ -35,6 +35,7 @@ import (
 	"github.com/brancz/kube-rbac-proxy/pkg/server"
 )
 
+// ProxyOptions are options specific to the kube-rbac-proxy
 type ProxyOptions struct {
 	Upstream         string
 	UpstreamForceH2C bool

diff --git a/pkg/server/config.go b/pkg/server/config.go
@@ -34,12 +34,16 @@ import (
 	"github.com/brancz/kube-rbac-proxy/pkg/proxy"
 )
 
+// KubeRBACProxyConfig stores the configuration for running the proxy server and
+// kube-rbac-proxy specific configuration
 type KubeRBACProxyConfig struct {
 	SecureServing *serverconfig.SecureServingInfo
 
 	KubeRBACProxyInfo *KubeRBACProxyInfo
 }
 
+// KubeRBACProxyInfo stores the kube-rbac-proxy specific configuration and serving
+// configuration for the proxy endpoints server
 type KubeRBACProxyInfo struct {
 	InsecureListenAddress string // DEPRECATED
 
@@ -74,6 +78,9 @@ func NewConfig() *KubeRBACProxyConfig {
 	}
 }
 
+// SetUpstreamTransport configures the transport to use when talking to upstream
+// with a CA and/or client cert/key pair.
+// An empty string on `upstreamCAPath` means system cert pool will be used.
 func (i *KubeRBACProxyInfo) SetUpstreamTransport(upstreamCAPath, upstreamClientCertPath, upstreamClientKeyPath string) error {
 	transport := (http.DefaultTransport.(*http.Transport)).Clone()
 
@@ -111,6 +118,8 @@ func (i *KubeRBACProxyInfo) SetUpstreamTransport(upstreamCAPath, upstreamClientC
 	return nil
 }
 
+// GetClientCAProvider returns the provider which dynamically loads and reloads
+// the client CA certificate
 func (i *KubeRBACProxyConfig) GetClientCAProvider() (dynamiccertificates.CAContentProvider, error) {
 	clientCAFile := i.KubeRBACProxyInfo.Auth.Authentication.X509.ClientCAFile