mirror of https://github.com/kubernetes/kops.git
105 lines
3.0 KiB
Go
105 lines
3.0 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package nodeauthorizer
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"time"
|
|
|
|
"k8s.io/kops/pkg/apis/kops"
|
|
"k8s.io/kops/pkg/model/components"
|
|
"k8s.io/kops/upup/pkg/fi/loader"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
// OptionsBuilder fills in the default options for the node-authorizer
|
|
type OptionsBuilder struct {
|
|
Context *components.OptionsContext
|
|
}
|
|
|
|
var _ loader.OptionsBuilder = &OptionsBuilder{}
|
|
|
|
var (
|
|
// DefaultPort is the default port to listen on
|
|
DefaultPort = 10443
|
|
// DefaultTimeout is the max time we are willing to wait before erroring
|
|
DefaultTimeout = &metav1.Duration{Duration: 20 * time.Second}
|
|
// DefaultTokenTTL is the default expiration on a bootstrap token
|
|
DefaultTokenTTL = &metav1.Duration{Duration: 5 * time.Minute}
|
|
)
|
|
|
|
// BuildOptions generates the configurations used to create node authorizer
|
|
func (b *OptionsBuilder) BuildOptions(o interface{}) error {
|
|
cs, ok := o.(*kops.ClusterSpec)
|
|
if !ok {
|
|
return errors.New("expected a ClusterSpec object")
|
|
}
|
|
|
|
if cs.NodeAuthorization != nil {
|
|
na := cs.NodeAuthorization
|
|
// NodeAuthorizerSpec
|
|
if na.NodeAuthorizer != nil {
|
|
if na.NodeAuthorizer.Authorizer == "" {
|
|
switch kops.CloudProviderID(cs.CloudProvider) {
|
|
case kops.CloudProviderAWS:
|
|
na.NodeAuthorizer.Authorizer = "aws"
|
|
default:
|
|
na.NodeAuthorizer.Authorizer = "alwaysallow"
|
|
}
|
|
}
|
|
if na.NodeAuthorizer.Image == "" {
|
|
na.NodeAuthorizer.Image = GetNodeAuthorizerImage()
|
|
}
|
|
if na.NodeAuthorizer.Port == 0 {
|
|
na.NodeAuthorizer.Port = DefaultPort
|
|
}
|
|
if na.NodeAuthorizer.Timeout == nil {
|
|
na.NodeAuthorizer.Timeout = DefaultTimeout
|
|
}
|
|
if na.NodeAuthorizer.TokenTTL == nil {
|
|
na.NodeAuthorizer.TokenTTL = DefaultTokenTTL
|
|
}
|
|
if na.NodeAuthorizer.NodeURL == "" {
|
|
na.NodeAuthorizer.NodeURL = fmt.Sprintf("https://node-authorizer-internal.%s:%d", b.Context.ClusterName, na.NodeAuthorizer.Port)
|
|
}
|
|
if na.NodeAuthorizer.Features == nil {
|
|
features := []string{"verify-registration", "verify-ip"}
|
|
|
|
switch kops.CloudProviderID(cs.CloudProvider) {
|
|
case kops.CloudProviderAWS:
|
|
features = append(features, "verify-signature")
|
|
}
|
|
na.NodeAuthorizer.Features = &features
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetNodeAuthorizerImage returns the image to use for the node-authorizer
|
|
func GetNodeAuthorizerImage() string {
|
|
if v := os.Getenv("NODE_AUTHORIZER_IMAGE"); v != "" {
|
|
return v
|
|
}
|
|
|
|
return "quay.io/gambol99/node-authorizer:v0.0.3@sha256:4404af05793411563f6e2f26e3b07fc8640852b0b1cabe5eb31a6451df66488d"
|
|
}
|