c/k/a/options: dont fail on disabled flags

ibihim · Dec 21, 2023 · 711f865 · 711f865
1 parent f38dae7
commit 711f865
Show file tree

Hide file tree

Showing 21 changed files with 253 additions and 10 deletions.
diff --git a/cmd/kube-rbac-proxy/app/options/options.go b/cmd/kube-rbac-proxy/app/options/options.go
@@ -45,6 +45,23 @@ type ProxyRunOptions struct {
 	HTTP2Disable              bool
 	HTTP2MaxConcurrentStreams uint32
 	HTTP2MaxSize              uint32
+
+	disabled disabledOptions
+}
+
+type disabledOptions struct {
+	logtostderr bool
+
+	adddirheader    bool
+	alsologtostderr bool
+	logbacktrace    int
+	logdir          string
+	logfile         string
+	logfilemaxsize  uint32
+	oneoutput       bool
+	skipheaders     bool
+	skiplogheaders  bool
+	stderrthreshold int
 }
 
 type TLSConfig struct {
@@ -122,5 +139,18 @@ func (o *ProxyRunOptions) Flags() k8sapiflag.NamedFlagSets {
 	flagset.Uint32Var(&o.HTTP2MaxConcurrentStreams, "http2-max-concurrent-streams", 100, "The maximum number of concurrent streams per HTTP/2 connection.")
 	flagset.Uint32Var(&o.HTTP2MaxSize, "http2-max-size", 256*1024, "The maximum number of bytes that the server will accept for frame size and buffer per stream in a HTTP/2 request.")
 
+	// disabled flags
+	flagset.BoolVar(&o.disabled.logtostderr, "logtostderr", false, "[DISABLED] Log to standard error instead of files")
+	flagset.BoolVar(&o.disabled.adddirheader, "add-dir-header", false, "[DISABLED] If true, adds the file directory to the header of the log messages")
+	flagset.BoolVar(&o.disabled.alsologtostderr, "alsologtostderr", false, "[DISABLED] Log to standard error as well as files")
+	flagset.IntVar(&o.disabled.logbacktrace, "log-backtrace-at", 0, "[DISABLED] when logging hits line file:N, emit a stack trace")
+	flagset.StringVar(&o.disabled.logdir, "log-dir", "", "[DISABLED] If non-empty, write log files in this directory")
+	flagset.StringVar(&o.disabled.logfile, "log-file", "", "[DISABLED] If non-empty, use this log file")
+	flagset.Uint32Var(&o.disabled.logfilemaxsize, "log-file-max-size", 1800, "[DISABLED] Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.")
+	flagset.BoolVar(&o.disabled.oneoutput, "one-output", false, "[DISABLED] If true, only write logs to their native severity level (vs also writing to each lower severity level)")
+	flagset.BoolVar(&o.disabled.skipheaders, "skip-headers", false, "[DISABLED] If true, avoid header prefixes in the log messages")
+	flagset.BoolVar(&o.disabled.skiplogheaders, "skip-log-headers", false, "[DISABLED] If true, avoid headers when opening log files")
+	flagset.IntVar(&o.disabled.stderrthreshold, "stderrthreshold", 2, "[DISABLED] logs at or above this threshold go to stderr")
+
 	return namedFlagSets
 }
diff --git a/test/e2e/allowpaths/deployment.yaml b/test/e2e/allowpaths/deployment.yaml
@@ -22,7 +22,6 @@ spec:
             - "--proxy-endpoints-port=8643"
             - "--upstream=http://127.0.0.1:8081/"
             - "--allow-paths=/metrics,/api/v1/label/*/values"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/basics.go b/test/e2e/basics.go
@@ -108,6 +108,92 @@ func testBasics(client kubernetes.Interface) kubetest.TestSuite {
 	}
 }
 
+func testFlags(client kubernetes.Interface) kubetest.TestSuite {
+	return func(t *testing.T) {
+		command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics`
+
+		kubetest.Scenario{
+			Name: "WithAllOtherDisabledFlags",
+			Description: `
+				This should succeed. Even though all flags are set for kube-rbac-proxy.
+				This implies deprecated flags that got disabled.
+			`,
+
+			Given: kubetest.Actions(
+				kubetest.CreatedManifests(
+					client,
+					"flags/clusterRole.yaml",
+					"flags/clusterRoleBinding.yaml",
+					"flags/deployment-other-flags.yaml",
+					"flags/service.yaml",
+					"flags/serviceAccount.yaml",
+					"flags/clusterRole-client.yaml",
+					"flags/clusterRoleBinding-client.yaml",
+				),
+			),
+			When: kubetest.Actions(
+				kubetest.PodsAreReady(
+					client,
+					1,
+					"app=kube-rbac-proxy",
+				),
+				kubetest.ServiceIsReady(
+					client,
+					"kube-rbac-proxy",
+				),
+			),
+			Then: kubetest.Actions(
+				kubetest.ClientSucceeds(
+					client,
+					command,
+					nil,
+				),
+			),
+		}.Run(t)
+
+		kubetest.Scenario{
+			Name: "WithDisabledLogToStdErr",
+			Description: `
+				This should succeed. Even though logtostderr flag is set for
+				kube-rbac-proxy.
+				It is complementary to the other flags above.
+			`,
+
+			Given: kubetest.Actions(
+				kubetest.CreatedManifests(
+					client,
+					"flags/clusterRole.yaml",
+					"flags/clusterRoleBinding.yaml",
+					"flags/deployment-logtostderr.yaml",
+					"flags/service.yaml",
+					"flags/serviceAccount.yaml",
+					// This adds the clients cluster role to succeed
+					"flags/clusterRole-client.yaml",
+					"flags/clusterRoleBinding-client.yaml",
+				),
+			),
+			When: kubetest.Actions(
+				kubetest.PodsAreReady(
+					client,
+					1,
+					"app=kube-rbac-proxy",
+				),
+				kubetest.ServiceIsReady(
+					client,
+					"kube-rbac-proxy",
+				),
+			),
+			Then: kubetest.Actions(
+				kubetest.ClientSucceeds(
+					client,
+					command,
+					nil,
+				),
+			),
+		}.Run(t)
+	}
+}
+
 func testTokenAudience(client kubernetes.Interface) kubetest.TestSuite {
 	return func(t *testing.T) {
 		command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics`

diff --git a/test/e2e/basics/deployment.yaml b/test/e2e/basics/deployment.yaml
@@ -20,7 +20,6 @@ spec:
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/clientcertificates/deployment-wrongca.yaml b/test/e2e/clientcertificates/deployment-wrongca.yaml
@@ -20,7 +20,6 @@ spec:
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
-            - "--logtostderr=true"
             - "--client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
             - "--v=10"
           ports:

diff --git a/test/e2e/clientcertificates/deployment.yaml b/test/e2e/clientcertificates/deployment.yaml
@@ -20,7 +20,6 @@ spec:
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
-            - "--logtostderr=true"
             - "--client-ca-file=/certs/ca.crt"
             - "--v=10"
           ports:

diff --git a/test/e2e/flags/clusterRole-client.yaml b/test/e2e/flags/clusterRole-client.yaml
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics
+rules:
+  - nonResourceURLs: ["/metrics"]
+    verbs: ["get"]
diff --git a/test/e2e/flags/clusterRole.yaml b/test/e2e/flags/clusterRole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-rbac-proxy
+  namespace: default
+rules:
+  - apiGroups: ["authentication.k8s.io"]
+    resources:
+      - tokenreviews
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources:
+      - subjectaccessreviews
+    verbs: ["create"]
diff --git a/test/e2e/flags/clusterRoleBinding-client.yaml b/test/e2e/flags/clusterRoleBinding-client.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default
diff --git a/test/e2e/flags/clusterRoleBinding.yaml b/test/e2e/flags/clusterRoleBinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-rbac-proxy
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-rbac-proxy
+subjects:
+  - kind: ServiceAccount
+    name: kube-rbac-proxy
+    namespace: default
diff --git a/test/e2e/flags/deployment-logtostderr.yaml b/test/e2e/flags/deployment-logtostderr.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-rbac-proxy
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kube-rbac-proxy
+  template:
+    metadata:
+      labels:
+        app: kube-rbac-proxy
+    spec:
+      serviceAccountName: kube-rbac-proxy
+      containers:
+        - name: kube-rbac-proxy
+          image: quay.io/brancz/kube-rbac-proxy:local
+          args:
+            - "--secure-listen-address=0.0.0.0:8443"
+            - "--upstream=http://127.0.0.1:8081/"
+            - "--logtostderr=true"
+            - "--v=10"
+          ports:
+            - containerPort: 8443
+              name: https
+        - name: prometheus-example-app
+          image: quay.io/brancz/prometheus-example-app:v0.1.0
+          args:
+            - "--bind=127.0.0.1:8081"
diff --git a/test/e2e/flags/deployment-other-flags.yaml b/test/e2e/flags/deployment-other-flags.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-rbac-proxy
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kube-rbac-proxy
+  template:
+    metadata:
+      labels:
+        app: kube-rbac-proxy
+    spec:
+      serviceAccountName: kube-rbac-proxy
+      containers:
+        - name: kube-rbac-proxy
+          image: quay.io/brancz/kube-rbac-proxy:local
+          args:
+            - "--secure-listen-address=0.0.0.0:8443"
+            - "--upstream=http://127.0.0.1:8081/"
+            - "--add-dir-header=true"
+            - "--alsologtostderr=true"
+            - "--log-backtrace-at=0"
+            - "--log-dir=mustnotexist"
+            - "--log-file=mustnotexist"
+            - "--log-file-max-size=1800"
+            - "--one-output=true"
+            - "--skip-headers=true"
+            - "--skip-log-headers=true"
+            - "--stderrthreshold=2"
+            - "--v=10"
+          ports:
+            - containerPort: 8443
+              name: https
+        - name: prometheus-example-app
+          image: quay.io/brancz/prometheus-example-app:v0.1.0
+          args:
+            - "--bind=127.0.0.1:8081"
diff --git a/test/e2e/flags/service.yaml b/test/e2e/flags/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: kube-rbac-proxy
+  name: kube-rbac-proxy
+  namespace: default
+spec:
+  ports:
+    - name: https
+      port: 8443
+      targetPort: https
+  selector:
+    app: kube-rbac-proxy
diff --git a/test/e2e/flags/serviceAccount.yaml b/test/e2e/flags/serviceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-rbac-proxy
+  namespace: default
diff --git a/test/e2e/h2c-upstream/deployment.yaml b/test/e2e/h2c-upstream/deployment.yaml
@@ -21,7 +21,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--upstream-force-h2c=true"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/http2/deployment-no-http2.yaml b/test/e2e/http2/deployment-no-http2.yaml
@@ -21,7 +21,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--ignore-paths=/metrics,/api/v1/*"
-            - "--logtostderr=true"
             - "--http2-disable=true"
             - "--v=10"
           ports:

diff --git a/test/e2e/http2/deployment.yaml b/test/e2e/http2/deployment.yaml
@@ -21,7 +21,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--ignore-paths=/metrics,/api/v1/*"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/ignorepaths/deployment.yaml b/test/e2e/ignorepaths/deployment.yaml
@@ -21,7 +21,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--ignore-paths=/metrics,/api/v1/*"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go
@@ -60,6 +60,7 @@ func Test(t *testing.T) {
 		"TLS":                testTLS(client),
 		"StaticAuthorizer":   testStaticAuthorizer(client),
 		"HTTP2":              testHTTP2(client),
+		"Flags":              testFlags(client),
 	}
 
 	for name, tc := range tests {

diff --git a/test/e2e/static-auth/deployment.yaml b/test/e2e/static-auth/deployment.yaml
@@ -23,7 +23,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--config-file=/etc/kube-rbac-proxy/config-file.yaml"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443

diff --git a/test/e2e/tokenrequest/deployment.yaml b/test/e2e/tokenrequest/deployment.yaml
@@ -21,7 +21,6 @@ spec:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8081/"
             - "--auth-token-audiences=kube-rbac-proxy"
-            - "--logtostderr=true"
             - "--v=10"
           ports:
             - containerPort: 8443