From c2afcd59a61dd631aabfd0c17b6bbd87fa1e124f Mon Sep 17 00:00:00 2001 From: deads2k Date: Thu, 9 Mar 2017 13:51:59 -0500 Subject: [PATCH] move insecure options to kubeapiserver Kubernetes-commit: c2f8ef1b1a4e0e60379b7b7447d59a87b0b0ccf9 --- pkg/server/options/server_run_options.go | 32 +++---- pkg/server/options/serving.go | 102 +++++------------------ pkg/server/options/serving_test.go | 6 +- 3 files changed, 33 insertions(+), 107 deletions(-) diff --git a/pkg/server/options/server_run_options.go b/pkg/server/options/server_run_options.go index 4d51ae072..81ce92b8a 100644 --- a/pkg/server/options/server_run_options.go +++ b/pkg/server/options/server_run_options.go @@ -71,29 +71,19 @@ func (s *ServerRunOptions) ApplyTo(c *server.Config) error { return nil } -// DefaultAdvertiseAddress sets the field AdvertiseAddress if -// unset. The field will be set based on the SecureServingOptions. If -// the SecureServingOptions is not present, DefaultExternalAddress -// will fall back to the insecure ServingOptions. -func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions, insecure *ServingOptions) error { - if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() { - switch { - case secure != nil: - hostIP, err := secure.ServingOptions.DefaultExternalAddress() - if err != nil { - return fmt.Errorf("Unable to find suitable network address.error='%v'. "+ - "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err) - } - s.AdvertiseAddress = hostIP +// DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions. +func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error { + if secure == nil { + return nil + } - case insecure != nil: - hostIP, err := insecure.DefaultExternalAddress() - if err != nil { - return fmt.Errorf("Unable to find suitable network address.error='%v'. "+ - "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err) - } - s.AdvertiseAddress = hostIP + if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() { + hostIP, err := secure.DefaultExternalAddress() + if err != nil { + return fmt.Errorf("Unable to find suitable network address.error='%v'. "+ + "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err) } + s.AdvertiseAddress = hostIP } return nil diff --git a/pkg/server/options/serving.go b/pkg/server/options/serving.go index c122d1e10..103a99c47 100644 --- a/pkg/server/options/serving.go +++ b/pkg/server/options/serving.go @@ -35,13 +35,9 @@ import ( certutil "k8s.io/client-go/util/cert" ) -type ServingOptions struct { +type SecureServingOptions struct { BindAddress net.IP BindPort int -} - -type SecureServingOptions struct { - ServingOptions ServingOptions // ServerCert is the TLS cert info for serving secure traffic ServerCert GeneratableKeyCert @@ -71,10 +67,8 @@ type GeneratableKeyCert struct { func NewSecureServingOptions() *SecureServingOptions { return &SecureServingOptions{ - ServingOptions: ServingOptions{ - BindAddress: net.ParseIP("0.0.0.0"), - BindPort: 443, - }, + BindAddress: net.ParseIP("0.0.0.0"), + BindPort: 443, ServerCert: GeneratableKeyCert{ PairName: "apiserver", CertDirectory: "apiserver.local.config/certificates", @@ -82,23 +76,27 @@ func NewSecureServingOptions() *SecureServingOptions { } } +func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error) { + return utilnet.ChooseBindAddress(s.BindAddress) +} + func (s *SecureServingOptions) Validate() []error { errors := []error{} - if s == nil { - return errors + + if s.BindPort < 0 || s.BindPort > 65535 { + errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort)) } - errors = append(errors, s.ServingOptions.Validate("secure-port")...) return errors } func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+ + fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+ "The IP address on which to listen for the --secure-port port. The "+ "associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+ "clients. If blank, all interfaces will be used (0.0.0.0).") - fs.IntVar(&s.ServingOptions.BindPort, "secure-port", s.ServingOptions.BindPort, ""+ + fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+ "The port on which to serve HTTPS with authentication and authorization. If 0, "+ "don't serve HTTPS at all.") @@ -131,13 +129,13 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { } func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.ServingOptions.BindAddress, "public-address-override", s.ServingOptions.BindAddress, + fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress, "DEPRECATED: see --bind-address instead.") fs.MarkDeprecated("public-address-override", "see --bind-address instead.") } func (s *SecureServingOptions) ApplyTo(c *server.Config) error { - if s.ServingOptions.BindPort <= 0 { + if s.BindPort <= 0 { return nil } if err := s.applyServingInfoTo(c); err != nil { @@ -173,13 +171,13 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error { } func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { - if s.ServingOptions.BindPort <= 0 { + if s.BindPort <= 0 { return nil } secureServingInfo := &server.SecureServingInfo{ ServingInfo: server.ServingInfo{ - BindAddress: net.JoinHostPort(s.ServingOptions.BindAddress.String(), strconv.Itoa(s.ServingOptions.BindPort)), + BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)), }, } @@ -231,67 +229,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { } c.SecureServingInfo = secureServingInfo - c.ReadWritePort = s.ServingOptions.BindPort - - return nil -} - -func NewInsecureServingOptions() *ServingOptions { - return &ServingOptions{ - BindAddress: net.ParseIP("127.0.0.1"), - BindPort: 8080, - } -} - -func (s ServingOptions) Validate(portArg string) []error { - errors := []error{} - - if s.BindPort < 0 || s.BindPort > 65535 { - errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort)) - } - - return errors -} - -func (s *ServingOptions) DefaultExternalAddress() (net.IP, error) { - return utilnet.ChooseBindAddress(s.BindAddress) -} - -func (s *ServingOptions) AddFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+ - "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+ - "Defaults to localhost.") - - fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+ - "The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+ - "that firewall rules are set up such that this port is not reachable from outside of "+ - "the cluster and that port 443 on the cluster's public address is proxied to this "+ - "port. This is performed by nginx in the default setup.") -} - -func (s *ServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "address", s.BindAddress, - "DEPRECATED: see --insecure-bind-address instead.") - fs.MarkDeprecated("address", "see --insecure-bind-address instead.") - - fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.") - fs.MarkDeprecated("port", "see --insecure-port instead.") -} - -func (s *ServingOptions) ApplyTo(c *server.Config) error { - if s.BindPort <= 0 { - return nil - } - - c.InsecureServingInfo = &server.ServingInfo{ - BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)), - } - - var err error - privilegedLoopbackToken := uuid.NewRandom().String() - if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil { - return err - } + c.ReadWritePort = s.BindPort return nil } @@ -301,7 +239,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str return nil } keyCert := &s.ServerCert.CertKey - if s.ServingOptions.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 { + if s.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 { return nil } @@ -314,11 +252,11 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str } if !canReadCertAndKey { // add either the bind address or localhost to the valid alternates - bindIP := s.ServingOptions.BindAddress.String() + bindIP := s.BindAddress.String() if bindIP == "0.0.0.0" { alternateDNS = append(alternateDNS, "localhost") } else { - alternateIPs = append(alternateIPs, s.ServingOptions.BindAddress) + alternateIPs = append(alternateIPs, s.BindAddress) } if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil { diff --git a/pkg/server/options/serving_test.go b/pkg/server/options/serving_test.go index a13c618ed..d746a5c73 100644 --- a/pkg/server/options/serving_test.go +++ b/pkg/server/options/serving_test.go @@ -459,10 +459,8 @@ NextTest: config.EnableIndex = true secureOptions := &SecureServingOptions{ - ServingOptions: ServingOptions{ - BindAddress: net.ParseIP("127.0.0.1"), - BindPort: 6443, - }, + BindAddress: net.ParseIP("127.0.0.1"), + BindPort: 6443, ServerCert: GeneratableKeyCert{ CertKey: CertKey{ CertFile: serverCertBundleFile,