componentstatus: support client cert health check

etcd has support for client-cert-auth, which can be configured via the flag `--ca-file`, when that is enabled, all the client requests must present with a client certificate, however, the current component status check uses a single transport for all of the checks, this is wrong, the checks should be different for each of different component, and make each of them use different transport(tls configurations). Kubernetes-commit: b1040171b68217dccb617de85defa4a5063c638b
2017-01-11 14:40:09 +08:00 · 2017-01-11 14:40:09 +08:00 · 79f762de77
parent fdec4c499e
commit 79f762de77
1 changed files with 48 additions and 6 deletions
--- a/pkg/server/storage/storage_factory.go
+++ b/pkg/server/storage/storage_factory.go
@ -17,6 +17,9 @@ limitations under the License.
 package storage

 import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
 	"strings"

 	"github.com/golang/glog"
@ -27,6 +30,15 @@ import (
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 )

+// Backend describes the storage servers, the information here should be enough
+// for health validations.
+type Backend struct {
+	// the url of storage backend like: https://etcd.domain:2379
+	Server string
+	// the required tls config
+	TLSConfig *tls.Config
+}
+
 // StorageFactory is the interface to locate the storage for a given GroupResource
 type StorageFactory interface {
 	// New finds the storage destination for the given group and resource. It will
@ -40,7 +52,7 @@ type StorageFactory interface {

 	// Backends gets all backends for all registered storage destinations.
 	// Used for getting all instances for health validations.
-	Backends() []string
+	Backends() []Backend
 }

 // DefaultStorageFactory takes a GroupResource and returns back its storage interface.  This result includes:
@ -252,15 +264,45 @@ func (s *DefaultStorageFactory) NewConfig(groupResource schema.GroupResource) (*
 	return &storageConfig, nil
 }

-// Get all backends for all registered storage destinations.
+// Backends returns all backends for all registered storage destinations.
 // Used for getting all instances for health validations.
-func (s *DefaultStorageFactory) Backends() []string {
-	backends := sets.NewString(s.StorageConfig.ServerList...)
+func (s *DefaultStorageFactory) Backends() []Backend {
+	servers := sets.NewString(s.StorageConfig.ServerList...)

 	for _, overrides := range s.Overrides {
-		backends.Insert(overrides.etcdLocation...)
+		servers.Insert(overrides.etcdLocation...)
 	}
-	return backends.List()
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+	if len(s.StorageConfig.CertFile) > 0 && len(s.StorageConfig.KeyFile) > 0 {
+		cert, err := tls.LoadX509KeyPair(s.StorageConfig.CertFile, s.StorageConfig.KeyFile)
+		if err != nil {
+			glog.Errorf("failed to load key pair while getting backends: %s", err)
+		} else {
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+	}
+	if len(s.StorageConfig.CAFile) > 0 {
+		if caCert, err := ioutil.ReadFile(s.StorageConfig.CAFile); err != nil {
+			glog.Errorf("failed to read ca file while getting backends: %s", err)
+		} else {
+			caPool := x509.NewCertPool()
+			caPool.AppendCertsFromPEM(caCert)
+			tlsConfig.RootCAs = caPool
+			tlsConfig.InsecureSkipVerify = false
+		}
+	}
+
+	backends := []Backend{}
+	for server := range servers {
+		backends = append(backends, Backend{
+			Server:    server,
+			TLSConfig: tlsConfig,
+		})
+	}
+	return backends
 }

 func (s *DefaultStorageFactory) ResourcePrefix(groupResource schema.GroupResource) string {