Merge pull request #121 from josephschorr/config-improvements

josephschorr · web-flow · commit 98f1b32cf22c · 2025-06-24T10:49:10.000-07:00
Small improvements and fixes to configuration of the proxy
diff --git a/cmd/spicedb-kubeapi-proxy/main.go b/cmd/spicedb-kubeapi-proxy/main.go
@@ -35,14 +35,15 @@ func NewProxyCommand(ctx context.Context) *cobra.Command {
 requests with SpiceDB and keeps relationship data up to date. The proxy handles
 TLS termination and authentication with a backend kube apiserver.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if err := options.Complete(ctx); err != nil {
+			completed, err := options.Complete(ctx)
+			if err != nil {
 				return err
 			}
 			if errs := options.Validate(); errs != nil {
 				return errors.NewAggregate(errs)
 			}
 
-			server, err := proxy.NewServer(ctx, *options)
+			server, err := proxy.NewServer(ctx, completed)
 			if err != nil {
 				return err
 			}
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -133,8 +133,11 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	opts.SpiceDBOptions.SpiceDBEndpoint = proxy.EmbeddedSpiceDBEndpoint
 	opts.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 	opts.Authentication.BuiltInOptions.ClientCert.ClientCA = clientCA.Path()
-	Expect(opts.Complete(ctx)).To(Succeed())
-	proxySrv, err = proxy.NewServer(ctx, *opts)
+
+	c, err := opts.Complete(ctx)
+	Expect(err).To(Succeed())
+
+	proxySrv, err = proxy.NewServer(ctx, c)
 	Expect(err).To(Succeed())
 
 	// speed up backoff for tests
diff --git a/pkg/proxy/authn_test.go b/pkg/proxy/authn_test.go
@@ -185,8 +185,11 @@ func runProxyRequest(t testing.TB, ctx context.Context, headers map[string][]str
 		return rules.NewResolveInputFromHttp(req)
 	})
 
-	require.NoError(t, opts.Complete(ctx))
-	proxySrv, err := NewServer(ctx, *opts)
+	c, err := opts.Complete(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, c)
+
+	proxySrv, err := NewServer(ctx, c)
 	require.NoError(t, err)
 
 	// Start the server in a separate context that won't be cancelled until we're done
diff --git a/pkg/proxy/options.go b/pkg/proxy/options.go
@@ -126,7 +126,11 @@ func (o *Options) FromConfigFlags(configFlags *genericclioptions.ConfigFlags) *O
 			return nil, nil, fmt.Errorf("unable to load kube REST config: %w", err)
 		}
 
-		return restConfig, restConfig.WrapTransport(http.DefaultTransport), nil
+		transport, err := rest.TransportFor(restConfig)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to create transport: %w", err)
+		}
+		return restConfig, transport, nil
 	}
 	return o
 }
@@ -144,9 +148,13 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.RuleConfigFile, "rule-config", "", "The path to a file containing proxy rule configuration")
 }
 
-func (o *Options) Complete(ctx context.Context) error {
+type CompletedConfig struct {
+	config *Options
+}
+
+func (o *Options) Complete(ctx context.Context) (*CompletedConfig, error) {
 	if err := logsv1.ValidateAndApply(o.Logs, utilfeature.DefaultFeatureGate); err != nil {
-		return err
+		return nil, err
 	}
 
 	var err error
@@ -171,7 +179,7 @@ func (o *Options) Complete(ctx context.Context) error {
 		default:
 			backendConfig, err := o.configFromPath()
 			if err != nil {
-				return fmt.Errorf("couldn't load kubeconfig from path: %w", err)
+				return nil, fmt.Errorf("couldn't load kubeconfig from path: %w", err)
 			}
 
 			o.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {
@@ -195,15 +203,15 @@ func (o *Options) Complete(ctx context.Context) error {
 	if o.Matcher == nil {
 		ruleFile, err := os.Open(o.RuleConfigFile)
 		if err != nil {
-			return fmt.Errorf("couldn't open rule config file: %w", err)
+			return nil, fmt.Errorf("couldn't open rule config file: %w", err)
 		}
 		ruleConfigs, err := proxyrule.Parse(ruleFile)
 		if err != nil {
-			return fmt.Errorf("couldn't parse rule config file: %w", err)
+			return nil, fmt.Errorf("couldn't parse rule config file: %w", err)
 		}
 		o.Matcher, err = rules.NewMapMatcher(ruleConfigs)
 		if err != nil {
-			return fmt.Errorf("couldn't compile rule configs: %w", err)
+			return nil, fmt.Errorf("couldn't compile rule configs: %w", err)
 		}
 	}
 	if o.InputExtractor == nil {
@@ -215,35 +223,35 @@ func (o *Options) Complete(ctx context.Context) error {
 	}
 
 	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, nil); err != nil {
-		return err
+		return nil, err
 	}
 
 	var loopbackClientConfig *rest.Config
 	if err := o.SecureServing.ApplyTo(&o.ServingInfo, &loopbackClientConfig); err != nil {
-		return err
+		return nil, err
 	}
 	if err := o.Authentication.ApplyTo(ctx, &o.AuthenticationInfo, o.ServingInfo); err != nil {
-		return err
+		return nil, err
 	}
 
 	o.AdditionalAuthEnabled = o.Authentication.AdditionalAuthEnabled()
 
 	spicedbURl, err := url.Parse(o.SpiceDBOptions.SpiceDBEndpoint)
 	if err != nil {
-		return fmt.Errorf("unable to parse SpiceDB endpoint URL: %w", err)
+		return nil, fmt.Errorf("unable to parse SpiceDB endpoint URL: %w", err)
 	}
 
 	var conn *grpc.ClientConn
 	if spicedbURl.Scheme == "embedded" {
 		klog.FromContext(ctx).WithValues("spicedb-endpoint", spicedbURl).Info("using embedded SpiceDB")
 		o.SpiceDBOptions.EmbeddedSpiceDB, err = spicedb.NewServer(ctx, spicedbURl.Path)
 		if err != nil {
-			return fmt.Errorf("unable to stand up embedded SpiceDB: %w", err)
+			return nil, fmt.Errorf("unable to stand up embedded SpiceDB: %w", err)
 		}
 
 		conn, err = o.SpiceDBOptions.EmbeddedSpiceDB.GRPCDialContext(ctx, grpc.WithTransportCredentials(insecure.NewCredentials()))
 		if err != nil {
-			return fmt.Errorf("unable to open gRPC connection with embedded SpiceDB: %w", err)
+			return nil, fmt.Errorf("unable to open gRPC connection with embedded SpiceDB: %w", err)
 		}
 	} else {
 		klog.FromContext(ctx).WithValues("spicedb-endpoint", o.SpiceDBOptions.SpiceDBEndpoint).
@@ -255,7 +263,7 @@ func (o *Options) Complete(ctx context.Context) error {
 
 		tokens := strings.Split(o.SpiceDBOptions.SecureSpiceDBTokensBySpace, ",")
 		if len(tokens) == 0 {
-			return fmt.Errorf("no SpiceDB token defined")
+			return nil, fmt.Errorf("no SpiceDB token defined")
 		}
 
 		token := strings.TrimSpace(tokens[0])
@@ -272,12 +280,12 @@ func (o *Options) Complete(ctx context.Context) error {
 			if len(o.SpiceDBOptions.SpicedbCAPath) > 0 {
 				certs, err = grpcutil.WithCustomCerts(verification, o.SpiceDBOptions.SpicedbCAPath)
 				if err != nil {
-					return fmt.Errorf("unable to load custom certificates: %w", err)
+					return nil, fmt.Errorf("unable to load custom certificates: %w", err)
 				}
 			} else {
 				certs, err = grpcutil.WithSystemCerts(verification)
 				if err != nil {
-					return fmt.Errorf("unable to load system certificates: %w", err)
+					return nil, fmt.Errorf("unable to load system certificates: %w", err)
 				}
 			}
 
@@ -289,7 +297,7 @@ func (o *Options) Complete(ctx context.Context) error {
 		defer cancel()
 		conn, err = grpc.DialContext(timeoutCtx, o.SpiceDBOptions.SpiceDBEndpoint, opts...)
 		if err != nil {
-			return fmt.Errorf("unable to open gRPC connection to remote SpiceDB at %s: %w", o.SpiceDBOptions.SpiceDBEndpoint, err)
+			return nil, fmt.Errorf("unable to open gRPC connection to remote SpiceDB at %s: %w", o.SpiceDBOptions.SpiceDBEndpoint, err)
 		}
 	}
 
@@ -301,7 +309,7 @@ func (o *Options) Complete(ctx context.Context) error {
 		o.WatchClient = v1.NewWatchServiceClient(conn)
 	}
 
-	return nil
+	return &CompletedConfig{o}, nil
 }
 
 func (o *Options) configFromPath() (*clientcmdapi.Config, error) {
diff --git a/pkg/proxy/options_test.go b/pkg/proxy/options_test.go
@@ -28,14 +28,19 @@ func TestKubeConfig(t *testing.T) {
 	opts := optionsForTesting(t)
 	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 	require.Empty(t, opts.Validate())
-	require.NoError(t, opts.Complete(context.Background()))
+
+	c, err := opts.Complete(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, c)
 
 	require.NoError(t, logsv1.ResetForTest(utilfeature.DefaultFeatureGate))
 	opts = optionsForTesting(t)
 	opts.BackendKubeconfigPath = uuid.NewString()
-	err := opts.Complete(context.Background())
+
+	c, err = opts.Complete(context.Background())
 	require.ErrorContains(t, err, "couldn't load kubeconfig")
 	require.ErrorContains(t, err, opts.BackendKubeconfigPath)
+	require.Nil(t, c, "expected nil config on error")
 }
 
 func TestInClusterConfig(t *testing.T) {
@@ -46,9 +51,12 @@ func TestInClusterConfig(t *testing.T) {
 	opts.BackendKubeconfigPath = ""
 	opts.UseInClusterConfig = true
 	require.Empty(t, opts.Validate())
-	err := opts.Complete(context.Background())
+
+	c, err := opts.Complete(context.Background())
 	require.NoError(t, err)
+	require.NotNil(t, c)
 	require.NotNil(t, opts.RestConfigFunc, "missing kube client REST config")
+
 	_, _, err = opts.RestConfigFunc()
 	require.ErrorContains(t, err, "unable to load in-cluster configuration")
 }
@@ -57,7 +65,11 @@ func TestEmbeddedSpiceDB(t *testing.T) {
 	opts := optionsForTesting(t)
 	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 	require.Empty(t, opts.Validate())
-	require.NoError(t, opts.Complete(context.Background()))
+
+	c, err := opts.Complete(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, c)
+
 	require.NotNil(t, opts.SpiceDBOptions.EmbeddedSpiceDB)
 	require.NotNil(t, opts.PermissionsClient)
 	require.NotNil(t, opts.WatchClient)
@@ -79,13 +91,16 @@ func TestRemoteSpiceDB(t *testing.T) {
 	opts.SpiceDBOptions.Insecure = true
 	opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "foobar"
 	require.Empty(t, opts.Validate())
-	require.NoError(t, opts.Complete(context.Background()))
+
+	c, err := opts.Complete(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, c)
 
 	require.Nil(t, opts.SpiceDBOptions.EmbeddedSpiceDB)
 	require.NotNil(t, opts.PermissionsClient)
 	require.NotNil(t, opts.WatchClient)
 
-	_, err := opts.PermissionsClient.CheckPermission(ctx, &v1.CheckPermissionRequest{})
+	_, err = opts.PermissionsClient.CheckPermission(ctx, &v1.CheckPermissionRequest{})
 	grpcutil.RequireStatus(t, codes.InvalidArgument, err)
 }
 
@@ -95,14 +110,19 @@ func TestRemoteSpiceDBCerts(t *testing.T) {
 	opts.SpiceDBOptions.SecureSpiceDBTokensBySpace = "foobar"
 	opts.SpiceDBOptions.SpicedbCAPath = "test"
 	require.Empty(t, opts.Validate())
-	require.ErrorContains(t, opts.Complete(context.Background()), "unable to load custom certificates")
+
+	_, err := opts.Complete(context.Background())
+	require.ErrorContains(t, err, "unable to load custom certificates")
 }
 
 func TestRuleConfig(t *testing.T) {
 	opts := optionsForTesting(t)
 	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 	require.Empty(t, opts.Validate())
-	require.NoError(t, opts.Complete(context.Background()))
+
+	c, err := opts.Complete(context.Background())
+	require.NoError(t, err)
+	require.NotNil(t, c)
 
 	rules := opts.Matcher.Match(&request.RequestInfo{
 		APIGroup:   "authzed.com",
@@ -135,7 +155,9 @@ prefilter:
 	opts.SpiceDBOptions.SpiceDBEndpoint = EmbeddedSpiceDBEndpoint
 	opts.RuleConfigFile = errConfigFile
 	require.Empty(t, opts.Validate())
-	require.ErrorContains(t, opts.Complete(context.Background()), "SyntaxError")
+
+	_, err = opts.Complete(context.Background())
+	require.ErrorContains(t, err, "SyntaxError")
 }
 
 func optionsForTesting(t *testing.T) *Options {
diff --git a/pkg/proxy/server.go b/pkg/proxy/server.go
@@ -44,9 +44,13 @@ type Server struct {
 	Matcher        *rules.Matcher
 }
 
-func NewServer(ctx context.Context, o Options) (*Server, error) {
+func NewServer(ctx context.Context, c *CompletedConfig) (*Server, error) {
+	if c == nil {
+		return nil, fmt.Errorf("nil completed config")
+	}
+
 	s := &Server{
-		opts: o,
+		opts: *c.config,
 	}
 
 	var err error
@@ -126,15 +130,15 @@ func NewServer(ctx context.Context, o Options) (*Server, error) {
 	workflowClient, worker, err := distributedtx.SetupWithSQLiteBackend(ctx,
 		s.opts.PermissionsClient,
 		s.KubeClient.RESTClient(),
-		o.WorkflowDatabasePath)
+		c.config.WorkflowDatabasePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize distributed transaction handling: %w", err)
 	}
 	s.WorkflowWorker = worker
 
 	// Matcher is a pointer to an interface to make it easy to swap at runtime in tests
 	s.Matcher = &s.opts.Matcher
-	handler, err := authz.WithAuthorization(clusterProxy, failHandler, restMapper, o.PermissionsClient, o.WatchClient, workflowClient, s.Matcher, s.opts.InputExtractor)
+	handler, err := authz.WithAuthorization(clusterProxy, failHandler, restMapper, c.config.PermissionsClient, c.config.WatchClient, workflowClient, s.Matcher, s.opts.InputExtractor)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create authorization handler: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -35,14 +35,15 @@ func NewProxyCommand(ctx context.Context) *cobra.Command {`
`35`	`35`	`requests with SpiceDB and keeps relationship data up to date. The proxy handles`
`36`	`36`	TLS termination and authentication with a backend kube apiserver.`,
`37`	`37`	`RunE: func(cmd *cobra.Command, args []string) error {`
`38`		`- if err := options.Complete(ctx); err != nil {`
	`38`	`+ completed, err := options.Complete(ctx)`
	`39`	`+ if err != nil {`
`39`	`40`	`return err`
`40`	`41`	`}`
`41`	`42`	`if errs := options.Validate(); errs != nil {`
`42`	`43`	`return errors.NewAggregate(errs)`
`43`	`44`	`}`
`44`	`45`
`45`		`- server, err := proxy.NewServer(ctx, *options)`
	`46`	`+ server, err := proxy.NewServer(ctx, completed)`
`46`	`47`	`if err != nil {`
`47`	`48`	`return err`
`48`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,11 @@ func (o Options) FromConfigFlags(configFlags genericclioptions.ConfigFlags) *O`
`126`	`126`	`return nil, nil, fmt.Errorf("unable to load kube REST config: %w", err)`
`127`	`127`	`}`
`128`	`128`
`129`		`- return restConfig, restConfig.WrapTransport(http.DefaultTransport), nil`
	`129`	`+ transport, err := rest.TransportFor(restConfig)`
	`130`	`+ if err != nil {`
	`131`	`+ return nil, nil, fmt.Errorf("unable to create transport: %w", err)`
	`132`	`+ }`
	`133`	`+ return restConfig, transport, nil`
`130`	`134`	`}`
`131`	`135`	`return o`
`132`	`136`	`}`
`@@ -144,9 +148,13 @@ func (o Options) AddFlags(fs pflag.FlagSet) {`
`144`	`148`	`fs.StringVar(&o.RuleConfigFile, "rule-config", "", "The path to a file containing proxy rule configuration")`
`145`	`149`	`}`
`146`	`150`
`147`		`-func (o *Options) Complete(ctx context.Context) error {`
	`151`	`+type CompletedConfig struct {`
	`152`	`+ config *Options`
	`153`	`+}`
	`154`	`+`
	`155`	`+func (o Options) Complete(ctx context.Context) (CompletedConfig, error) {`
`148`	`156`	`if err := logsv1.ValidateAndApply(o.Logs, utilfeature.DefaultFeatureGate); err != nil {`
`149`		`- return err`
	`157`	`+ return nil, err`
`150`	`158`	`}`
`151`	`159`
`152`	`160`	`var err error`
`@@ -171,7 +179,7 @@ func (o *Options) Complete(ctx context.Context) error {`
`171`	`179`	`default:`
`172`	`180`	`backendConfig, err := o.configFromPath()`
`173`	`181`	`if err != nil {`
`174`		`- return fmt.Errorf("couldn't load kubeconfig from path: %w", err)`
	`182`	`+ return nil, fmt.Errorf("couldn't load kubeconfig from path: %w", err)`
`175`	`183`	`}`
`176`	`184`
`177`	`185`	`o.RestConfigFunc = func() (*rest.Config, http.RoundTripper, error) {`
`@@ -195,15 +203,15 @@ func (o *Options) Complete(ctx context.Context) error {`
`195`	`203`	`if o.Matcher == nil {`
`196`	`204`	`ruleFile, err := os.Open(o.RuleConfigFile)`
`197`	`205`	`if err != nil {`
`198`		`- return fmt.Errorf("couldn't open rule config file: %w", err)`
	`206`	`+ return nil, fmt.Errorf("couldn't open rule config file: %w", err)`
`199`	`207`	`}`
`200`	`208`	`ruleConfigs, err := proxyrule.Parse(ruleFile)`
`201`	`209`	`if err != nil {`
`202`		`- return fmt.Errorf("couldn't parse rule config file: %w", err)`
	`210`	`+ return nil, fmt.Errorf("couldn't parse rule config file: %w", err)`
`203`	`211`	`}`
`204`	`212`	`o.Matcher, err = rules.NewMapMatcher(ruleConfigs)`
`205`	`213`	`if err != nil {`
`206`		`- return fmt.Errorf("couldn't compile rule configs: %w", err)`
	`214`	`+ return nil, fmt.Errorf("couldn't compile rule configs: %w", err)`
`207`	`215`	`}`
`208`	`216`	`}`
`209`	`217`	`if o.InputExtractor == nil {`
`@@ -215,35 +223,35 @@ func (o *Options) Complete(ctx context.Context) error {`
`215`	`223`	`}`
`216`	`224`
`217`	`225`	`if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, nil); err != nil {`
`218`		`- return err`
	`226`	`+ return nil, err`
`219`	`227`	`}`
`220`	`228`
`221`	`229`	`var loopbackClientConfig *rest.Config`
`222`	`230`	`if err := o.SecureServing.ApplyTo(&o.ServingInfo, &loopbackClientConfig); err != nil {`
`223`		`- return err`
	`231`	`+ return nil, err`
`224`	`232`	`}`
`225`	`233`	`if err := o.Authentication.ApplyTo(ctx, &o.AuthenticationInfo, o.ServingInfo); err != nil {`
`226`		`- return err`
	`234`	`+ return nil, err`
`227`	`235`	`}`
`228`	`236`
`229`	`237`	`o.AdditionalAuthEnabled = o.Authentication.AdditionalAuthEnabled()`
`230`	`238`
`231`	`239`	`spicedbURl, err := url.Parse(o.SpiceDBOptions.SpiceDBEndpoint)`
`232`	`240`	`if err != nil {`
`233`		`- return fmt.Errorf("unable to parse SpiceDB endpoint URL: %w", err)`
	`241`	`+ return nil, fmt.Errorf("unable to parse SpiceDB endpoint URL: %w", err)`
`234`	`242`	`}`
`235`	`243`
`236`	`244`	`var conn *grpc.ClientConn`
`237`	`245`	`if spicedbURl.Scheme == "embedded" {`
`238`	`246`	`klog.FromContext(ctx).WithValues("spicedb-endpoint", spicedbURl).Info("using embedded SpiceDB")`
`239`	`247`	`o.SpiceDBOptions.EmbeddedSpiceDB, err = spicedb.NewServer(ctx, spicedbURl.Path)`
`240`	`248`	`if err != nil {`
`241`		`- return fmt.Errorf("unable to stand up embedded SpiceDB: %w", err)`
	`249`	`+ return nil, fmt.Errorf("unable to stand up embedded SpiceDB: %w", err)`
`242`	`250`	`}`
`243`	`251`
`244`	`252`	`conn, err = o.SpiceDBOptions.EmbeddedSpiceDB.GRPCDialContext(ctx, grpc.WithTransportCredentials(insecure.NewCredentials()))`
`245`	`253`	`if err != nil {`
`246`		`- return fmt.Errorf("unable to open gRPC connection with embedded SpiceDB: %w", err)`
	`254`	`+ return nil, fmt.Errorf("unable to open gRPC connection with embedded SpiceDB: %w", err)`
`247`	`255`	`}`
`248`	`256`	`} else {`
`249`	`257`	`klog.FromContext(ctx).WithValues("spicedb-endpoint", o.SpiceDBOptions.SpiceDBEndpoint).`
`@@ -255,7 +263,7 @@ func (o *Options) Complete(ctx context.Context) error {`
`255`	`263`
`256`	`264`	`tokens := strings.Split(o.SpiceDBOptions.SecureSpiceDBTokensBySpace, ",")`
`257`	`265`	`if len(tokens) == 0 {`
`258`		`- return fmt.Errorf("no SpiceDB token defined")`
	`266`	`+ return nil, fmt.Errorf("no SpiceDB token defined")`
`259`	`267`	`}`
`260`	`268`
`261`	`269`	`token := strings.TrimSpace(tokens[0])`
`@@ -272,12 +280,12 @@ func (o *Options) Complete(ctx context.Context) error {`
`272`	`280`	`if len(o.SpiceDBOptions.SpicedbCAPath) > 0 {`
`273`	`281`	`certs, err = grpcutil.WithCustomCerts(verification, o.SpiceDBOptions.SpicedbCAPath)`
`274`	`282`	`if err != nil {`
`275`		`- return fmt.Errorf("unable to load custom certificates: %w", err)`
	`283`	`+ return nil, fmt.Errorf("unable to load custom certificates: %w", err)`
`276`	`284`	`}`
`277`	`285`	`} else {`
`278`	`286`	`certs, err = grpcutil.WithSystemCerts(verification)`
`279`	`287`	`if err != nil {`
`280`		`- return fmt.Errorf("unable to load system certificates: %w", err)`
	`288`	`+ return nil, fmt.Errorf("unable to load system certificates: %w", err)`
`281`	`289`	`}`
`282`	`290`	`}`
`283`	`291`
`@@ -289,7 +297,7 @@ func (o *Options) Complete(ctx context.Context) error {`
`289`	`297`	`defer cancel()`
`290`	`298`	`conn, err = grpc.DialContext(timeoutCtx, o.SpiceDBOptions.SpiceDBEndpoint, opts...)`
`291`	`299`	`if err != nil {`
`292`		`- return fmt.Errorf("unable to open gRPC connection to remote SpiceDB at %s: %w", o.SpiceDBOptions.SpiceDBEndpoint, err)`
	`300`	`+ return nil, fmt.Errorf("unable to open gRPC connection to remote SpiceDB at %s: %w", o.SpiceDBOptions.SpiceDBEndpoint, err)`
`293`	`301`	`}`
`294`	`302`	`}`
`295`	`303`
`@@ -301,7 +309,7 @@ func (o *Options) Complete(ctx context.Context) error {`
`301`	`309`	`o.WatchClient = v1.NewWatchServiceClient(conn)`
`302`	`310`	`}`
`303`	`311`
`304`		`- return nil`
	`312`	`+ return &CompletedConfig{o}, nil`
`305`	`313`	`}`
`306`	`314`
`307`	`315`	`func (o Options) configFromPath() (clientcmdapi.Config, error) {`