From 79f762de77d3e5187fea332905f7616c64a593fb Mon Sep 17 00:00:00 2001
From: zhouhaibing089
Date: Wed, 11 Jan 2017 14:40:09 +0800
Subject: [PATCH] componentstatus: support client cert health check

etcd has support for client-cert-auth, which can be configured via the flag `--ca-file`, when that is enabled, all the client requests must present with a client certificate, however, the current component status check uses a single transport for all of the checks, this is wrong, the checks should be different for each of different component, and make each of them use different transport(tls configurations).

Kubernetes-commit: b1040171b68217dccb617de85defa4a5063c638b
---
 pkg/server/storage/storage_factory.go | 54 ++++++++++++++++++++++++---
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/pkg/server/storage/storage_factory.go b/pkg/server/storage/storage_factory.go
index c7af97808..790d9ca0c 100644
--- a/pkg/server/storage/storage_factory.go
+++ b/pkg/server/storage/storage_factory.go
@@ -17,6 +17,9 @@ limitations under the License.
 package storage
 
 import (
+ "crypto/tls"
+ "crypto/x509"
+ "io/ioutil"
 "strings"
 
 "github.com/golang/glog"
@@ -27,6 +30,15 @@ import (
 "k8s.io/apiserver/pkg/storage/storagebackend"
 )
 
+// Backend describes the storage servers, the information here should be enough
+// for health validations.
+type Backend struct {
+ // the url of storage backend like: https://etcd.domain:2379
+ Server string
+ // the required tls config
+ TLSConfig *tls.Config
+}
+
 // StorageFactory is the interface to locate the storage for a given GroupResource
 type StorageFactory interface {
 // New finds the storage destination for the given group and resource. It will 
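Review bot: The field comments on the new `Backend` struct do not follow the Go doc convention of starting with the field name, and they say nothing about ownership of the config, which matters because a `*tls.Config` is mutable shared state. I would write `// Server is the URL of the storage backend, e.g. https://etcd.domain:2379.` and `// TLSConfig is the client TLS configuration a health check must use to reach Server; it may be shared between backends.`, and change the type comment to `// Backend describes one storage server with enough information to health-check it.` since each value describes a single server. The `StorageFactory` interface that follows continues outside the hunk.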
@@ -40,7 +52,7 @@ type StorageFactory interface {
 
 // Backends gets all backends for all registered storage destinations.
 // Used for getting all instances for health validations.
- Backends() []string
+ Backends() []Backend
 }
 
 // DefaultStorageFactory takes a GroupResource and returns back its storage interface. This result includes: 
@@ -252,15 +264,45 @@ func (s *DefaultStorageFactory) NewConfig(groupResource schema.GroupResource) (*
 return &storageConfig, nil
 }
 
-// Get all backends for all registered storage destinations.
+// Backends returns all backends for all registered storage destinations.
 // Used for getting all instances for health validations.
-func (s *DefaultStorageFactory) Backends() []string {
- backends := sets.NewString(s.StorageConfig.ServerList...)
+func (s *DefaultStorageFactory) Backends() []Backend {
+ servers := sets.NewString(s.StorageConfig.ServerList...)
 for _, overrides := range s.Overrides {
- backends.Insert(overrides.etcdLocation...)
+ servers.Insert(overrides.etcdLocation...)
 }
- return backends.List()
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ if len(s.StorageConfig.CertFile) > 0 && len(s.StorageConfig.KeyFile) > 0 {
+ cert, err := tls.LoadX509KeyPair(s.StorageConfig.CertFile, s.StorageConfig.KeyFile)
+ if err != nil {
+ glog.Errorf("failed to load key pair while getting backends: %s", err)
+ } else {
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+ }
+ if len(s.StorageConfig.CAFile) > 0 {
+ if caCert, err := ioutil.ReadFile(s.StorageConfig.CAFile); err != nil {
+ glog.Errorf("failed to read ca file while getting backends: %s", err)
+ } else {
+ caPool := x509.NewCertPool()
+ caPool.AppendCertsFromPEM(caCert)
+ tlsConfig.RootCAs = caPool
+ tlsConfig.InsecureSkipVerify = false
+ }
+ }
+
+ backends := []Backend{}
+ for server := range servers {
+ backends = append(backends, Backend{
+ Server: server,
+ TLSConfig: tlsConfig,
+ })
+ }
+ return backends
 }
 
 func (s *DefaultStorageFactory) ResourcePrefix(groupResource schema.GroupResource) string {
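Review bot: The TLS config starts with `InsecureSkipVerify: true` and is only switched off after the CA file has been read, so a CA file that is configured but unreadable leaves every health check accepting any server certificate with nothing but a glog line to show for it, and the boolean returned by `caPool.AppendCertsFromPEM(caCert)` is discarded, so a CA file with no parseable PEM block produces an empty pool with verification now enabled — fail-closed, but silent. Checking the result, `if !caPool.AppendCertsFromPEM(caCert) { glog.Errorf("no certificates found in ca file while getting backends") }`, makes that case visible, and when a CA file is configured but cannot be used it is arguably better to keep verification on so the check reports the backend unhealthy than to fall back to skipping it. The same `*tls.Config` pointer is placed in every returned Backend, so a caller that mutates one entry's TLSConfig changes them all; the doc comment on Backends should say so, e.g. `// All returned backends share a single *tls.Config; callers must treat it as read-only.`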