84 lines
2.7 KiB
Go
84 lines
2.7 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package server
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
|
|
restclient "k8s.io/client-go/rest"
|
|
)
|
|
|
|
// LoopbackClientServerNameOverride is passed to the apiserver from the loopback client in order to
|
|
// select the loopback certificate via SNI if TLS is used.
|
|
const LoopbackClientServerNameOverride = "apiserver-loopback-client"
|
|
|
|
func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert []byte) (*restclient.Config, error) {
|
|
if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
|
|
return nil, nil
|
|
}
|
|
|
|
host, port, err := LoopbackHostPort(s.BindAddress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &restclient.Config{
|
|
// Increase QPS limits. The client is currently passed to all admission plugins,
|
|
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
|
|
// for more details. Once #22422 is fixed, we may want to remove it.
|
|
QPS: 50,
|
|
Burst: 100,
|
|
Host: "https://" + net.JoinHostPort(host, port),
|
|
BearerToken: token,
|
|
// override the ServerName to select our loopback certificate via SNI. This name is also
|
|
// used by the client to compare the returns server certificate against.
|
|
TLSClientConfig: restclient.TLSClientConfig{
|
|
ServerName: LoopbackClientServerNameOverride,
|
|
CAData: loopbackCert,
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
// LoopbackHostPort returns the host and port loopback REST clients should use
|
|
// to contact the server.
|
|
func LoopbackHostPort(bindAddress string) (string, string, error) {
|
|
host, port, err := net.SplitHostPort(bindAddress)
|
|
if err != nil {
|
|
// should never happen
|
|
return "", "", fmt.Errorf("invalid server bind address: %q", bindAddress)
|
|
}
|
|
|
|
// Value is expected to be an IP or DNS name, not "0.0.0.0".
|
|
if host == "0.0.0.0" {
|
|
host = "localhost"
|
|
// Get ip of local interface, but fall back to "localhost".
|
|
// Note that "localhost" is resolved with the external nameserver first with Go's stdlib.
|
|
// So if localhost.<yoursearchdomain> resolves, we don't get a 127.0.0.1 as expected.
|
|
addrs, err := net.InterfaceAddrs()
|
|
if err == nil {
|
|
for _, address := range addrs {
|
|
if ipnet, ok := address.(*net.IPNet); ok && ipnet.IP.IsLoopback() {
|
|
host = ipnet.IP.String()
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return host, port, nil
|
|
}
|