apiserver: move controller-manager's insecure config into apiserver

Kubernetes-commit: 1d9a896066b3e10e8c1a0d506e00bc354b7772f0

pkg/server/deprecated_insecure_serving.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package server
+
+import (
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/client-go/rest"
+)
+
+// DeprecatedInsecureServingInfo is the main context object for the insecure http server.
+type DeprecatedInsecureServingInfo struct {
+	// Listener is the secure server network listener.
+	Listener net.Listener
+	// optional server name for log messages
+	Name string
+}
+
+// Serve starts an insecure http server with the given handler. It fails only if
+// the initial listen call fails. It does not block.
+func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
+	insecureServer := &http.Server{
+		Addr:           s.Listener.Addr().String(),
+		Handler:        handler,
+		MaxHeaderBytes: 1 << 20,
+	}
+
+	if len(s.Name) > 0 {
+		glog.Infof("Serving %s insecurely on %s", s.Name, s.Listener.Addr())
+	} else {
+		glog.Infof("Serving insecurely on %s", s.Listener.Addr())
+	}
+	return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+}
+
+func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
+	if s == nil {
+		return nil, nil
+	}
+
+	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
+	if err != nil {
+		return nil, err
+	}
+
+	return &rest.Config{
+		Host: "http://" + net.JoinHostPort(host, port),
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}, nil
+}

pkg/server/options/deprecated_insecure_serving.go

@@ -0,0 +1,164 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
+)
+
+// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptions struct {
+	BindAddress net.IP
+	BindPort    int
+	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
+	// "tcp4", and "tcp6".
+	BindNetwork string
+
+	// Listener is the secure server network listener.
+	// either Listener or BindAddress/BindPort/BindNetwork is set,
+	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
+	Listener net.Listener
+
+	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
+	// It defaults to options.CreateListener.
+	ListenFunc func(network, addr string) (net.Listener, int, error)
+}
+
+// Validate ensures that the insecure port values within the range of the port.
+func (s *DeprecatedInsecureServingOptions) Validate() []error {
+	if s == nil {
+		return nil
+	}
+
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65335 {
+		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
+	}
+
+	return errors
+}
+
+// AddFlags adds flags related to insecure serving to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
+	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-bind-address").Hidden = false
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access.")
+	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-port").Hidden = false
+}
+
+// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --bind-address instead.")
+	fs.MarkDeprecated("address", "see --bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.")
+	fs.MarkDeprecated("port", "see --secure-port instead.")
+}
+
+// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
+// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
+func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
+	if s == nil {
+		return nil
+	}
+	if s.BindPort <= 0 {
+		return nil
+	}
+
+	if s.Listener == nil {
+		var err error
+		listen := CreateListener
+		if s.ListenFunc != nil {
+			listen = s.ListenFunc
+		}
+		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
+		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
+		if err != nil {
+			return fmt.Errorf("failed to create listener: %v", err)
+		}
+	}
+
+	*c = &server.DeprecatedInsecureServingInfo{
+		Listener: s.Listener,
+	}
+
+	return nil
+}
+
+// WithLoopback adds loopback functionality to the serving options.
+func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
+	return &DeprecatedInsecureServingOptionsWithLoopback{o}
+}
+
+// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptionsWithLoopback struct {
+	*DeprecatedInsecureServingOptions
+}
+
+// ApplyTo fills up serving information in the server configuration.
+func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
+	if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
+		return nil
+	}
+
+	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
+		return err
+	}
+
+	if *insecureServingInfo == nil || loopbackClientConfig == nil {
+		return nil
+	}
+
+	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && secureLoopbackClientConfig == nil:
+		return err
+
+		// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && secureLoopbackClientConfig != nil:
+
+	default:
+		*loopbackClientConfig = secureLoopbackClientConfig
+	}
+
+	return nil
+}

pkg/server/options/recommended.go

@@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
 
 	return &RecommendedOptions{
 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
-		SecureServing:              WithLoopback(sso),
+		SecureServing:              sso.WithLoopback(),
 		Authentication:             NewDelegatingAuthenticationOptions(),
 		Authorization:              NewDelegatingAuthorizationOptions(),
 		Audit:                      NewAuditOptions(),

pkg/server/options/serving_test.go

@@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.Version = &v
 
 			config.EnableIndex = true
-			secureOptions := WithLoopback(&SecureServingOptions{
+			secureOptions := SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			})
+			}.WithLoopback()
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {

pkg/server/options/serving_with_loopback.go

@@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct {
 	*SecureServingOptions
 }
 
-func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
+func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
 	return &SecureServingOptionsWithLoopback{o}
 }