79 lines
2.5 KiB
Go
79 lines
2.5 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package options
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
|
|
"github.com/pborman/uuid"
|
|
|
|
"k8s.io/apiserver/pkg/server"
|
|
"k8s.io/client-go/rest"
|
|
certutil "k8s.io/client-go/util/cert"
|
|
)
|
|
|
|
type SecureServingOptionsWithLoopback struct {
|
|
*SecureServingOptions
|
|
}
|
|
|
|
func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
|
|
return &SecureServingOptionsWithLoopback{o}
|
|
}
|
|
|
|
// ApplyTo fills up serving information in the server configuration.
|
|
func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.SecureServingInfo, loopbackClientConfig **rest.Config) error {
|
|
if s == nil || s.SecureServingOptions == nil || secureServingInfo == nil {
|
|
return nil
|
|
}
|
|
|
|
if err := s.SecureServingOptions.ApplyTo(secureServingInfo); err != nil {
|
|
return err
|
|
}
|
|
|
|
if *secureServingInfo == nil || loopbackClientConfig == nil {
|
|
return nil
|
|
}
|
|
|
|
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
|
|
// let the server return it when the loopback client connects.
|
|
certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
|
|
}
|
|
tlsCert, err := tls.X509KeyPair(certPem, keyPem)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
|
|
}
|
|
|
|
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
|
|
switch {
|
|
// if we failed and there's no fallback loopback client config, we need to fail
|
|
case err != nil && secureLoopbackClientConfig == nil:
|
|
return err
|
|
|
|
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
|
case err != nil && secureLoopbackClientConfig != nil:
|
|
|
|
default:
|
|
*loopbackClientConfig = secureLoopbackClientConfig
|
|
(*secureServingInfo).SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
|
|
}
|
|
|
|
return nil
|
|
}
|