auto-create the loopback token

2017-02-07 11:02:47 -05:00 · 2017-02-07 11:02:47 -05:00 · 147d3934cf
parent aa75ef0b36
commit 147d3934cf
5 changed files with 39 additions and 25 deletions
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@ -371,6 +371,9 @@ func (c completedConfig) New() (*GenericAPIServer, error) {
 	if c.Serializer == nil {
 		return nil, fmt.Errorf("Genericapiserver.New() called with config.Serializer == nil")
 	}
+	if c.LoopbackClientConfig == nil {
+		return nil, fmt.Errorf("Genericapiserver.New() called with config.LoopbackClientConfig == nil")
+	}

 	s := &GenericAPIServer{
 		discoveryAddresses:     c.DiscoveryAddresses,
--- a/pkg/server/config_selfclient.go
+++ b/pkg/server/config_selfclient.go
@ -20,36 +20,12 @@ import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"net"

 	restclient "k8s.io/client-go/rest"
-
-	"github.com/golang/glog"
 )

-// NewSelfClientConfig returns a clientconfig which can be used to talk to this apiserver.
-func NewSelfClientConfig(secureServingInfo *SecureServingInfo, insecureServingInfo *ServingInfo, token string) (*restclient.Config, error) {
-	cfg, err := secureServingInfo.NewSelfClientConfig(token)
-	if cfg != nil && err == nil {
-		return cfg, nil
-	}
-	if err != nil {
-		if insecureServingInfo == nil {
-			// be fatal if insecure port is not available
-			return nil, err
-		}
-
-		glog.Warningf("Failed to create secure local client, falling back to insecure local connection: %v", err)
-	}
-	if cfg, err := insecureServingInfo.NewSelfClientConfig(token); err != nil || cfg != nil {
-		return cfg, err
-	}
-
-	return nil, errors.New("Unable to set url for apiserver local client")
-}
-
 func (s *SecureServingInfo) NewSelfClientConfig(token string) (*restclient.Config, error) {
 	if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
 		return nil, nil
--- a/pkg/server/genericapiserver_test.go
+++ b/pkg/server/genericapiserver_test.go
@ -46,10 +46,11 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
 	etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing"
 	"k8s.io/client-go/pkg/api"
+	restclient "k8s.io/client-go/rest"
 	openapigen "k8s.io/kubernetes/pkg/generated/openapi"
-	"k8s.io/apiserver/pkg/registry/rest"
 )

 const (
@ -85,6 +86,7 @@ func setUp(t *testing.T) (*etcdtesting.EtcdTestServer, Config, *assert.Assertion
 	config.PublicAddress = net.ParseIP("192.168.10.4")
 	config.RequestContextMapper = genericapirequest.NewRequestContextMapper()
 	config.LegacyAPIGroupPrefixes = sets.NewString("/api")
+	config.LoopbackClientConfig = &restclient.Config{}

 	config.OpenAPIConfig = DefaultOpenAPIConfig(openapigen.GetOpenAPIDefinitions, api.Scheme)
 	config.OpenAPIConfig.Info = &spec.Info{
--- a/pkg/server/options/serving.go
+++ b/pkg/server/options/serving.go
@ -26,6 +26,7 @@ import (
 	"strconv"

 	"github.com/golang/glog"
+	"github.com/pborman/uuid"
 	"github.com/spf13/pflag"

 	utilnet "k8s.io/apimachinery/pkg/util/net"
@ -139,6 +140,30 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 	if s.ServingOptions.BindPort <= 0 {
 		return nil
 	}
+	if err := s.applyServingInfoTo(c); err != nil {
+		return err
+	}
+
+	loopbackClientConfig, err := c.SecureServingInfo.NewSelfClientConfig(uuid.NewRandom().String())
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && c.LoopbackClientConfig == nil:
+		return err
+
+	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && c.LoopbackClientConfig != nil:
+
+	default:
+		c.LoopbackClientConfig = loopbackClientConfig
+	}
+
+	return nil
+}
+
+func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
+	if s.ServingOptions.BindPort <= 0 {
+		return nil
+	}

 	secureServingInfo := &server.SecureServingInfo{
 		ServingInfo: server.ServingInfo{
@ -250,6 +275,12 @@ func (s *ServingOptions) ApplyTo(c *server.Config) error {
 		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 	}

+	var err error
+	privilegedLoopbackToken := uuid.NewRandom().String()
+	if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
+		return err
+	}
+
 	return nil
 }

--- a/pkg/server/options/serving_test.go
+++ b/pkg/server/options/serving_test.go
@ -36,6 +36,7 @@ import (
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	. "k8s.io/apiserver/pkg/server"
 	utilflag "k8s.io/apiserver/pkg/util/flag"
+	restclient "k8s.io/client-go/rest"
 	utilcert "k8s.io/client-go/util/cert"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 )
@ -493,6 +494,7 @@ NextTest:
 			},
 			SNICertKeys: namedCertKeys,
 		}
+		config.LoopbackClientConfig = &restclient.Config{}
 		if err := secureOptions.ApplyTo(&config); err != nil {
 			t.Errorf("%q - failed applying the SecureServingOptions: %v", title, err)
 			continue NextTest