remove --insecure-listen-address

brancz · Dec 15, 2022 · e48a719 · e48a719
1 parent c11823a
commit e48a719
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 60 deletions.
diff --git a/README.md b/README.md
@@ -89,7 +89,6 @@ Legacy kube-rbac-proxy [DEPRECATED] flags:
       --auth-header-user-field-name string          The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
       --auth-token-audiences strings                Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
       --client-ca-file string                       If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
-      --insecure-listen-address string              The address the kube-rbac-proxy HTTP server should listen on.
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --oidc-ca-file string                         If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
       --oidc-clientID string                        The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.

diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -31,7 +31,6 @@ import (
 	"github.com/oklog/run"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
@@ -138,7 +137,7 @@ func (o *completedProxyRunOptions) Validate() []error {
 	errs = append(errs, o.DelegatingAuthentication.Validate()...)
 	errs = append(errs, o.DelegatingAuthorization.Validate()...)
 	errs = append(errs, o.ProxyOptions.Validate()...)
-	errs = append(errs, o.LegacyOptions.Validate(o.SecureServing.ServerCert.CertKey.CertFile, o.SecureServing.ServerCert.CertKey.KeyFile)...)
+	errs = append(errs, o.LegacyOptions.Validate()...)
 
 	return errs
 }
@@ -243,29 +242,6 @@ func Run(opts *completedProxyRunOptions) error {
 			}
 		}
 	}
-	{
-		// FIXME: remove before first stable release
-		if insecureListenAddress := cfg.KubeRBACProxyInfo.InsecureListenAddress; insecureListenAddress != "" {
-			srv := &http.Server{Handler: h2c.NewHandler(mux, &http2.Server{})}
-
-			l, err := net.Listen("tcp", insecureListenAddress)
-			if err != nil {
-				return fmt.Errorf("failed to listen on insecure address: %w", err)
-			}
-
-			gr.Add(func() error {
-				klog.Infof("Listening insecurely on %v", insecureListenAddress)
-				return srv.Serve(l)
-			}, func(err error) {
-				if err := srv.Shutdown(context.Background()); err != nil {
-					klog.Errorf("failed to gracefully shutdown server: %w", err)
-				}
-				if err := l.Close(); err != nil {
-					klog.Errorf("failed to gracefully close listener: %w", err)
-				}
-			})
-		}
-	}
 	{
 		sig := make(chan os.Signal, 1)
 		gr.Add(func() error {

diff --git a/cmd/kube-rbac-proxy/app/options/legacyoptions.go b/cmd/kube-rbac-proxy/app/options/legacyoptions.go
@@ -26,13 +26,11 @@ import (
 	"github.com/spf13/pflag"
 
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	"k8s.io/klog/v2"
 	netutils "k8s.io/utils/net"
 )
 
 type LegacyOptions struct {
-	InsecureListenAddress string
-	SecureListenAddress   string
+	SecureListenAddress string
 
 	Authentication *authn.AuthnConfig
 
@@ -41,7 +39,6 @@ type LegacyOptions struct {
 
 func (o *LegacyOptions) AddFlags(flagset *pflag.FlagSet) {
 	// kube-rbac-proxy flags
-	flagset.StringVar(&o.InsecureListenAddress, "insecure-listen-address", "", "The address the kube-rbac-proxy HTTP server should listen on.")
 	flagset.StringVar(&o.SecureListenAddress, "secure-listen-address", "", "The address the kube-rbac-proxy HTTPs server should listen on.")
 
 	// Auth flags
@@ -65,28 +62,8 @@ func (o *LegacyOptions) AddFlags(flagset *pflag.FlagSet) {
 	flagset.StringVar(&o.KubeconfigLocation, "kubeconfig", "", "Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used")
 }
 
-func (o *LegacyOptions) Validate(certFile, keyFile string) []error {
+func (o *LegacyOptions) Validate() []error {
 	var errs []error
-
-	hasCerts := !(certFile == "") && !(keyFile == "")
-	hasInsecureListenAddress := o.InsecureListenAddress != ""
-	if !hasCerts || hasInsecureListenAddress {
-		klog.Warning(`
-==== Deprecation Warning ======================
-
-Insecure listen address will be removed.
-Using --insecure-listen-address won't be possible!
-
-The ability to run kube-rbac-proxy without TLS certificates will be removed.
-Not using --tls-cert-file and --tls-private-key-file won't be possible!
-
-For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187
-
-===============================================
-
-		`)
-	}
-
 	return errs
 }
 
@@ -129,6 +106,5 @@ func (o *LegacyOptions) ConvertToNewOptions(
 }
 
 func (o *LegacyOptions) ApplyTo(c *server.KubeRBACProxyInfo) error {
-	c.InsecureListenAddress = o.InsecureListenAddress
 	return nil
 }
diff --git a/examples/oidc/deployment.yaml b/examples/oidc/deployment.yaml
@@ -40,7 +40,7 @@ metadata:
 spec:
   ports:
   - name: https
-    port: 8444
+    port: 8443
     targetPort: https
   selector:
     app: kube-rbac-proxy
@@ -68,14 +68,14 @@ spec:
       - name: kube-rbac-proxy
         image: quay.io/brancz/kube-rbac-proxy:v0.13.1
         args:
-        - "--insecure-listen-address=0.0.0.0:8444"
+        - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"
         - "--logtostderr=true"
         - "--v=10"
         - "--oidc-issuer={ISSUER}"
         - "--oidc-clientID={CLIENT_ID}"
         ports:
-        - containerPort: 8444
+        - containerPort: 8443
           name: https
         securityContext:
           allowPrivilegeEscalation: false

diff --git a/pkg/server/config.go b/pkg/server/config.go
@@ -42,8 +42,6 @@ type KubeRBACProxyConfig struct {
 }
 
 type KubeRBACProxyInfo struct {
-	InsecureListenAddress string // DEPRECATED
-
 	UpstreamURL       *url.URL
 	UpstreamForceH2C  bool
 	UpstreamTransport http.RoundTripper

diff --git a/scripts/templates/oidc-deployment.yaml b/scripts/templates/oidc-deployment.yaml
@@ -40,7 +40,7 @@ metadata:
 spec:
   ports:
   - name: https
-    port: 8444
+    port: 8443
     targetPort: https
   selector:
     app: kube-rbac-proxy
@@ -68,14 +68,14 @@ spec:
       - name: kube-rbac-proxy
         image: quay.io/brancz/kube-rbac-proxy:KUBE_RBAC_PROXY_VERSION
         args:
-        - "--insecure-listen-address=0.0.0.0:8444"
+        - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8081/"
         - "--logtostderr=true"
         - "--v=10"
         - "--oidc-issuer={ISSUER}"
         - "--oidc-clientID={CLIENT_ID}"
         ports:
-        - containerPort: 8444
+        - containerPort: 8443
           name: https
         securityContext:
           allowPrivilegeEscalation: false