[wip] remove insecure listen address

README.md

@@ -39,7 +39,6 @@ Usage of _output/kube-rbac-proxy:
       --client-ca-file string                       If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
       --config-file string                          Configuration file to configure kube-rbac-proxy.
       --ignore-paths strings                        Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
-      --insecure-listen-address string              The address the kube-rbac-proxy HTTP server should listen on.
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --log_backtrace_at traceLocation              when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                              If non-empty, write log files in this directory (no effect when -logtostderr=true)

main.go

@@ -36,13 +36,11 @@ import (
 	"github.com/oklog/run"
 	"github.com/spf13/pflag"
 	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
-	certutil "k8s.io/client-go/util/cert"
 	k8sapiflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog/v2"
 
@@ -53,16 +51,15 @@ import (
 )
 
 type config struct {
-	insecureListenAddress string
-	secureListenAddress   string
-	upstream              string
-	upstreamForceH2C      bool
-	upstreamCAFile        string
-	auth                  proxy.Config
-	tls                   tlsConfig
-	kubeconfigLocation    string
-	allowPaths            []string
-	ignorePaths           []string
+	secureListenAddress string
+	upstream            string
+	upstreamForceH2C    bool
+	upstreamCAFile      string
+	auth                proxy.Config
+	tls                 tlsConfig
+	kubeconfigLocation  string
+	allowPaths          []string
+	ignorePaths         []string
 }
 
 type tlsConfig struct {
@@ -99,7 +96,6 @@ func main() {
 	flagset.AddGoFlagSet(klogFlags)
 
 	// kube-rbac-proxy flags
-	flagset.StringVar(&cfg.insecureListenAddress, "insecure-listen-address", "", "The address the kube-rbac-proxy HTTP server should listen on.")
 	flagset.StringVar(&cfg.secureListenAddress, "secure-listen-address", "", "The address the kube-rbac-proxy HTTPs server should listen on.")
 	flagset.StringVar(&cfg.upstream, "upstream", "", "The upstream URL to proxy to once requests have successfully been authenticated and authorized.")
 	flagset.BoolVar(&cfg.upstreamForceH2C, "upstream-force-h2c", false, "Force h2c to communiate with the upstream. This is required when the upstream speaks h2c(http/2 cleartext - insecure variant of http/2) only. For example, go-grpc server in the insecure mode, such as helm's tiller w/o TLS, speaks h2c only")
@@ -146,6 +142,10 @@ func main() {
 		klog.Fatalf("Failed to parse upstream URL: %v", err)
 	}
 
+	if cfg.tls.certFile == "" || cfg.tls.keyFile == "" {
+		klog.Fatal("Failed to read TLS cert and key")
+	}
+
 	if configFileName != "" {
 		klog.Infof("Reading config file: %s", configFileName)
 		b, err := ioutil.ReadFile(configFileName)
@@ -312,38 +312,20 @@ func main() {
 		if cfg.secureListenAddress != "" {
 			srv := &http.Server{Handler: mux, TLSConfig: &tls.Config{}}
 
-			if cfg.tls.certFile == "" && cfg.tls.keyFile == "" {
-				klog.Info("Generating self signed cert as no cert is provided")
-				host, err := os.Hostname()
-				if err != nil {
-					klog.Fatalf("Failed to retrieve hostname for self-signed cert: %v", err)
-				}
-				certBytes, keyBytes, err := certutil.GenerateSelfSignedCertKey(host, nil, nil)
-				if err != nil {
-					klog.Fatalf("Failed to generate self signed cert and key: %v", err)
-				}
-				cert, err := tls.X509KeyPair(certBytes, keyBytes)
-				if err != nil {
-					klog.Fatalf("Failed to load generated self signed cert and key: %v", err)
-				}
-
-				srv.TLSConfig.Certificates = []tls.Certificate{cert}
-			} else {
-				klog.Info("Reading certificate files")
-				ctx, cancel := context.WithCancel(context.Background())
-				r, err := rbac_proxy_tls.NewCertReloader(cfg.tls.certFile, cfg.tls.keyFile, cfg.tls.reloadInterval)
-				if err != nil {
-					klog.Fatalf("Failed to initialize certificate reloader: %v", err)
-				}
+			klog.Info("Reading certificate files")
+			ctx, cancel := context.WithCancel(context.Background())
+			r, err := rbac_proxy_tls.NewCertReloader(cfg.tls.certFile, cfg.tls.keyFile, cfg.tls.reloadInterval)
+			if err != nil {
+				klog.Fatalf("Failed to initialize certificate reloader: %v", err)
+			}
 
-				srv.TLSConfig.GetCertificate = r.GetCertificate
+			srv.TLSConfig.GetCertificate = r.GetCertificate
 
-				gr.Add(func() error {
-					return r.Watch(ctx)
-				}, func(error) {
-					cancel()
-				})
-			}
+			gr.Add(func() error {
+				return r.Watch(ctx)
+			}, func(error) {
+				cancel()
+			})
 
 			version, err := k8sapiflag.TLSVersion(cfg.tls.minVersion)
 			if err != nil {
@@ -383,28 +365,6 @@ func main() {
 			})
 		}
 	}
-	{
-		if cfg.insecureListenAddress != "" {
-			srv := &http.Server{Handler: h2c.NewHandler(mux, &http2.Server{})}
-
-			l, err := net.Listen("tcp", cfg.insecureListenAddress)
-			if err != nil {
-				klog.Fatalf("Failed to listen on insecure address: %v", err)
-			}
-
-			gr.Add(func() error {
-				klog.Infof("Listening insecurely on %v", cfg.insecureListenAddress)
-				return srv.Serve(l)
-			}, func(err error) {
-				if err := srv.Shutdown(context.Background()); err != nil {
-					klog.Errorf("failed to gracefully shutdown server: %v", err)
-				}
-				if err := l.Close(); err != nil {
-					klog.Errorf("failed to gracefully close listener: %v", err)
-				}
-			})
-		}
-	}
 	{
 		sig := make(chan os.Signal, 1)
 		gr.Add(func() error {