github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #23473 from AdoHe/kubelet_tls_overwrite

Browse Source 
Automatic merge from submit-queue

fix kubelet tls overwrite issue

@lavalamp apply the same thing to kubelet. @dchen1107 ptal.

<!-- Reviewable:start -->
---
This change is [<img src="http://reviewable.k8s.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](http://reviewable.k8s.io/reviews/kubernetes/kubernetes/23473)
<!-- Reviewable:end -->
This commit is contained in:
k8s-merge-robot 2016-06-17 23:20:03 -07:00 committed by GitHub
commit 076bf81b8b
3 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kubelet/app/server.go
View File

@ -410,11 +410,13 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" { if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt") s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key") s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
if crypto.ShouldGenSelfSignedCerts(s.TLSCertFile, s.TLSPrivateKeyFile) {
if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil { if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
return nil, fmt.Errorf("unable to generate self signed cert: %v", err) return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
} }
glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile) glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
} }
}
tlsOptions := &server.TLSOptions{ tlsOptions := &server.TLSOptions{
Config: &tls.Config{ Config: &tls.Config{
// Can't use SSLv3 because of POODLE and BEAST // Can't use SSLv3 because of POODLE and BEAST

24
pkg/genericapiserver/genericapiserver.go
View File

@ -696,7 +696,7 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"} alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
// It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
// alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME") // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
if shouldGenSelfSignedCerts(options.TLSCertFile, options.TLSPrivateKeyFile) { if crypto.ShouldGenSelfSignedCerts(options.TLSCertFile, options.TLSPrivateKeyFile) {
if err := crypto.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil { if err := crypto.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
glog.Errorf("Unable to generate self signed cert: %v", err) glog.Errorf("Unable to generate self signed cert: %v", err)
} else { } else {
@ -735,28 +735,6 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
glog.Fatal(http.ListenAndServe()) glog.Fatal(http.ListenAndServe())
} }
// If the file represented by path exists and
// readable, return true otherwise return false.
func canReadFile(path string) bool {
f, err := os.Open(path)
if err != nil {
return false
}
defer f.Close()
return true
}
func shouldGenSelfSignedCerts(certPath, keyPath string) bool {
if canReadFile(certPath) || canReadFile(keyPath) {
glog.Infof("using existing apiserver.crt and apiserver.key files")
return false
}
return true
}
// Exposes the given group version in API. // Exposes the given group version in API.
func (s *GenericAPIServer) InstallAPIGroup(apiGroupInfo *APIGroupInfo) error { func (s *GenericAPIServer) InstallAPIGroup(apiGroupInfo *APIGroupInfo) error {
apiPrefix := s.APIGroupPrefix apiPrefix := s.APIGroupPrefix

23
pkg/util/crypto/crypto.go
View File

@ -33,6 +33,29 @@ import (
"time" "time"
) )
// ShouldGenSelfSignedCerts returns false if the certificate or key files already exists,
// otherwise returns true.
func ShouldGenSelfSignedCerts(certPath, keyPath string) bool {
if canReadFile(certPath) || canReadFile(keyPath) {
return false
}
return true
}
// If the file represented by path exists and
// readable, returns true otherwise returns false.
func canReadFile(path string) bool {
f, err := os.Open(path)
if err != nil {
return false
}
defer f.Close()
return true
}
// GenerateSelfSignedCert creates a self-signed certificate and key for the given host. // GenerateSelfSignedCert creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name // Host may be an IP or a DNS name
// You may also specify additional subject alt names (either ip or dns names) for the certificate // You may also specify additional subject alt names (either ip or dns names) for the certificate