Plumb tls and cert options into kubelet start

cmd/integration/integration.go

@@ -211,13 +211,13 @@ func startComponents(manifestURL string) (apiServerURL string) {
 	// Kubelet (localhost)
 	testRootDir := makeTempDirOrDie("kubelet_integ_1.")
 	glog.Infof("Using %s as root dir for kubelet #1", testRootDir)
-	kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker1, machineList[0], testRootDir, manifestURL, "127.0.0.1", 10250, api.NamespaceDefault, empty_dir.ProbeVolumePlugins())
+	kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker1, machineList[0], testRootDir, manifestURL, "127.0.0.1", 10250, api.NamespaceDefault, empty_dir.ProbeVolumePlugins(), nil)
 	// Kubelet (machine)
 	// Create a second kubelet so that the guestbook example's two redis slaves both
 	// have a place they can schedule.
 	testRootDir = makeTempDirOrDie("kubelet_integ_2.")
 	glog.Infof("Using %s as root dir for kubelet #2", testRootDir)
-	kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker2, machineList[1], testRootDir, "", "127.0.0.1", 10251, api.NamespaceDefault, empty_dir.ProbeVolumePlugins())
+	kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker2, machineList[1], testRootDir, "", "127.0.0.1", 10251, api.NamespaceDefault, empty_dir.ProbeVolumePlugins(), nil)
 
 	return apiServer.URL
 }

cmd/kubelet/app/server.go

@@ -255,7 +255,8 @@ func SimpleRunKubelet(client *client.Client,
 	hostname, rootDir, manifestURL, address string,
 	port uint,
 	masterServiceNamespace string,
-	volumePlugins []volume.Plugin) {
+	volumePlugins []volume.Plugin,
+	tlsOptions *kubelet.TLSOptions) {
 	kcfg := KubeletConfig{
 		KubeClient:             client,
 		EtcdClient:             etcdClient,
@@ -273,6 +274,7 @@ func SimpleRunKubelet(client *client.Client,
 		MaxContainerCount:       5,
 		MasterServiceNamespace:  masterServiceNamespace,
 		VolumePlugins:           volumePlugins,
+		TLSOptions:              tlsOptions,
 	}
 	RunKubelet(&kcfg)
 }
@@ -318,7 +320,7 @@ func startKubelet(k *kubelet.Kubelet, podCfg *config.PodConfig, kc *KubeletConfi
 	// start the kubelet server
 	if kc.EnableServer {
 		go util.Forever(func() {
-			kubelet.ListenAndServeKubeletServer(k, net.IP(kc.Address), kc.Port, kc.EnableDebuggingHandlers)
+			kubelet.ListenAndServeKubeletServer(k, net.IP(kc.Address), kc.Port, kc.TLSOptions, kc.EnableDebuggingHandlers)
 		}, 0)
 	}
 }
@@ -381,6 +383,7 @@ type KubeletConfig struct {
 	VolumePlugins                  []volume.Plugin
 	StreamingConnectionIdleTimeout time.Duration
 	Recorder                       record.EventRecorder
+	TLSOptions                     *kubelet.TLSOptions
 }
 
 func createAndInitKubelet(kc *KubeletConfig, pc *config.PodConfig) (*kubelet.Kubelet, error) {

cmd/kubernetes/kubernetes.go

@@ -144,7 +144,7 @@ func startComponents(etcdClient tools.EtcdClient, cl *client.Client, addr net.IP
 	runControllerManager(machineList, cl, *nodeMilliCPU, *nodeMemory)
 
 	dockerClient := dockertools.ConnectToDockerOrDie(*dockerEndpoint)
-	kubeletapp.SimpleRunKubelet(cl, nil, dockerClient, machineList[0], "/tmp/kubernetes", "", "127.0.0.1", 10250, *masterServiceNamespace, kubeletapp.ProbeVolumePlugins())
+	kubeletapp.SimpleRunKubelet(cl, nil, dockerClient, machineList[0], "/tmp/kubernetes", "", "127.0.0.1", 10250, *masterServiceNamespace, kubeletapp.ProbeVolumePlugins(), nil)
 }
 
 func newApiClient(addr net.IP, port int) *client.Client {

pkg/kubelet/server.go

@@ -17,6 +17,7 @@ limitations under the License.
 package kubelet
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -48,8 +49,14 @@ type Server struct {
 	mux  *http.ServeMux
 }
 
+type TLSOptions struct {
+	Config   *tls.Config
+	CertFile string
+	KeyFile  string
+}
+
 // ListenAndServeKubeletServer initializes a server to respond to HTTP network requests on the Kubelet.
-func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint, enableDebuggingHandlers bool) {
+func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint, tlsOptions *TLSOptions, enableDebuggingHandlers bool) {
 	glog.V(1).Infof("Starting to listen on %s:%d", address, port)
 	handler := NewServer(host, enableDebuggingHandlers)
 	s := &http.Server{
@@ -59,7 +66,12 @@ func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint,
 		WriteTimeout:   5 * time.Minute,
 		MaxHeaderBytes: 1 << 20,
 	}
-	glog.Fatal(s.ListenAndServe())
+	if tlsOptions != nil {
+		s.TLSConfig = tlsOptions.Config
+		glog.Fatal(s.ListenAndServeTLS(tlsOptions.CertFile, tlsOptions.KeyFile))
+	} else {
+		glog.Fatal(s.ListenAndServe())
+	}
 }
 
 // HostInterface contains all the kubelet methods required by the server.