reuse apiserver serving logic #213
Conversation
stlaz
force-pushed
the
apiserver_serving
branch
15 times, most recently
from
446b305
to
0960e48
Compare
stlaz
changed the title
stlaz
force-pushed
the
apiserver_serving
branch
3 times, most recently
from
7075969
to
c90f90b
Compare
| } | ||
|
|
||
| if o.TLS.ReloadInterval != time.Minute { | ||
| klog.Warning("--tls-reload-interval no longer has any effect and will be removed in the next version") |
There was a problem hiding this comment.
The previous deprecation message was removed in favor of this.
There was a problem hiding this comment.
This message might give the impression, that there is not TLS reload interval anymore. Would it be possible to change the message slightly?
There was a problem hiding this comment.
What was called "TLS reload interval" no longer exists. Since we have feature branch now and don't need to care as much about backward compatibility, I'm going to remove the option instead.
| so.CipherSuites = o.TLS.CipherSuites | ||
| } | ||
|
|
||
| if so.BindAddress.Equal(netutils.ParseIPSloppy("0.0.0.0")) && len(o.SecureListenAddress) > 0 { |
There was a problem hiding this comment.
Nit: This is quite a long line.
pkg/config/config.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func (i *KubeRBACProxyConfig) GetClientCAProvider() (dynamiccertificates.CAContentProvider, error) { |
There was a problem hiding this comment.
Yeah, at this point I am curious if it wouldn't be better to name it something like DownstreamClientCA. In reference to the explicit UpstreamClientCA.
There was a problem hiding this comment.
maybe we should rename the UpstreamClientCA to just UpstreamCA instead
There was a problem hiding this comment.
We could do so as well. But Client itself is not specific enough as we receive client connections and we create client connections.
There was a problem hiding this comment.
I did not notice this originally. I think the name Client CA matches its use - it's a CA for client certs that we use in order to perform mTLS for the incoming client requests.
|
Comparing the CLI output, I see the following flags being dropped:
But they are listed as deprecated when used. |
|
lgtm, approve, I will make a release without it first. |
stlaz
force-pushed
the
apiserver_serving
branch
from
da4ea5b
to
d0b2968
Compare
|
Thanks. I squashed the changes into two commits only |
stlaz
force-pushed
the
apiserver_serving
branch
from
d0b2968
to
9c62393
Compare
|
/hold |
stlaz
force-pushed
the
apiserver_serving
branch
from
9c62393
to
abc945f
Compare
stlaz
force-pushed
the
apiserver_serving
branch
from
a583511
to
cad9a34
Compare
|
/hold cancel |
| } | ||
|
|
||
| if o.TLS.ReloadInterval != time.Minute { | ||
| klog.Warning("--tls-reload-interval no longer has any effect and will be removed in the next version") |
There was a problem hiding this comment.
This message might give the impression, that there is not TLS reload interval anymore. Would it be possible to change the message slightly?
| } | ||
| func prepareSecureServer( | ||
| ctx context.Context, | ||
| runGroup *run.Group, |
There was a problem hiding this comment.
Handing something like a run.Group down is not a good thing to do. it would be better to return the func.
|
/lgtm |
stlaz
force-pushed
the
apiserver_serving
branch
from
fdcc27b
to
c2b3c5c
Compare
This PR reuses the serving logic used by kube-apiservers.
Related to #169
This PR is not bringing the graceful termination logic kube-apiserver is using. If that is required, it should be done as a feature follow up that's based on https://github.com/kubernetes/kubernetes/blob/0e54bd294237e8fc3e0f60f3195353f7c25e8a4c/staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go#L534