diff --git a/cmd/kube-apiserver/app/BUILD b/cmd/kube-apiserver/app/BUILD
index 080350d652d..a7249a22f07 100644
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@@ -36,10 +36,12 @@ go_library(
 "//pkg/generated/openapi:go_default_library",
 "//pkg/genericapiserver:go_default_library",
 "//pkg/genericapiserver/authorizer:go_default_library",
+ "//pkg/genericapiserver/options:go_default_library",
 "//pkg/master:go_default_library",
 "//pkg/registry/cachesize:go_default_library",
 "//pkg/runtime/schema:go_default_library",
 "//pkg/serviceaccount:go_default_library",
+ "//pkg/util/errors:go_default_library",
 "//pkg/util/net:go_default_library",
 "//pkg/util/wait:go_default_library",
 "//pkg/version:go_default_library",
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 78ae941b768..75421efcac3 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -50,6 +50,7 @@ import (
 generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
 "k8s.io/kubernetes/pkg/genericapiserver"
 "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+ genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 "k8s.io/kubernetes/pkg/master"
 "k8s.io/kubernetes/pkg/registry/cachesize"
 "k8s.io/kubernetes/pkg/runtime/schema"
@@ -202,9 +203,9 @@ func Run(s *options.ServerRunOptions) error {
 }
 // Default to the private server key for service account token signing
- if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile != "" {
- if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile) {
- s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile}
+ if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile != "" {
+ if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile) {
+ s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile}
 } else {
 glog.Warning("No TLS key provided, service account token authentication disabled")
 }
@@ -225,7 +226,7 @@ func Run(s *options.ServerRunOptions) error {
 Anonymous: s.GenericServerRunOptions.AnonymousAuth,
 AnyToken: s.GenericServerRunOptions.EnableAnyToken,
 BasicAuthFile: s.GenericServerRunOptions.BasicAuthFile,
- ClientCAFile: s.GenericServerRunOptions.SecureServingOptions.ClientCA,
+ ClientCAFile: s.GenericServerRunOptions.SecureServing.ClientCA,
 TokenAuthFile: s.GenericServerRunOptions.TokenAuthFile,
 OIDCIssuerURL: s.GenericServerRunOptions.OIDCIssuerURL,
 OIDCClientID: s.GenericServerRunOptions.OIDCClientID,
@@ -247,7 +248,7 @@ func Run(s *options.ServerRunOptions) error {
 }
 privilegedLoopbackToken := uuid.NewRandom().String()
- selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+ selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
 if err != nil {
 glog.Fatalf("Failed to create clientset: %v", err)
 }
diff --git a/examples/apiserver/apiserver.go b/examples/apiserver/apiserver.go
index 8580fe520a3..71f12a06913 100644
--- a/examples/apiserver/apiserver.go
+++ b/examples/apiserver/apiserver.go
@@ -56,8 +56,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
 }
 func NewServerRunOptions() *genericoptions.ServerRunOptions {
- serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions()
- serverOptions.InsecurePort = InsecurePort
+ serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions().WithInsecureServingOptions()
+ serverOptions.InsecureServing.BindPort = InsecurePort
 return serverOptions
 }
diff --git a/federation/cmd/federation-apiserver/app/BUILD b/federation/cmd/federation-apiserver/app/BUILD
index 8830677025a..75c7fe1160e 100644
--- a/federation/cmd/federation-apiserver/app/BUILD
+++ b/federation/cmd/federation-apiserver/app/BUILD
@@ -43,6 +43,7 @@ go_library(
 "//pkg/generated/openapi:go_default_library",
 "//pkg/genericapiserver:go_default_library",
 "//pkg/genericapiserver/authorizer:go_default_library",
+ "//pkg/genericapiserver/options:go_default_library",
 "//pkg/registry/cachesize:go_default_library",
 "//pkg/registry/core/configmap/etcd:go_default_library",
 "//pkg/registry/core/event/etcd:go_default_library",
diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go
index fcdac6f7ef0..21b58340b08 100644
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@@ -38,6 +38,7 @@ import (
 "k8s.io/kubernetes/pkg/generated/openapi"
 "k8s.io/kubernetes/pkg/genericapiserver"
 "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+ genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 "k8s.io/kubernetes/pkg/registry/cachesize"
 "k8s.io/kubernetes/pkg/registry/generic"
 "k8s.io/kubernetes/pkg/registry/generic/registry"
@@ -121,7 +122,7 @@ func Run(s *options.ServerRunOptions) error {
 Anonymous: s.GenericServerRunOptions.AnonymousAuth,
 AnyToken: s.GenericServerRunOptions.EnableAnyToken,
 BasicAuthFile: s.GenericServerRunOptions.BasicAuthFile,
- ClientCAFile: s.GenericServerRunOptions.SecureServingOptions.ClientCA,
+ ClientCAFile: s.GenericServerRunOptions.SecureServing.ClientCA,
 TokenAuthFile: s.GenericServerRunOptions.TokenAuthFile,
 OIDCIssuerURL: s.GenericServerRunOptions.OIDCIssuerURL,
 OIDCClientID: s.GenericServerRunOptions.OIDCClientID,
@@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
 }
 privilegedLoopbackToken := uuid.NewRandom().String()
- selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+ selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
 if err != nil {
 glog.Fatalf("Failed to create clientset: %v", err)
 }
diff --git a/pkg/genericapiserver/config.go b/pkg/genericapiserver/config.go
index c661030d62c..e7a1958cd90 100644
--- a/pkg/genericapiserver/config.go
+++ b/pkg/genericapiserver/config.go
@@ -226,7 +226,6 @@ func NewConfig() *Config {
 defaultOptions := options.NewServerRunOptions()
 // unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
 // TODO we probably want to run the defaults the other way. A default here drives it in the CLI flags
- defaultOptions.InsecurePort = 0
 defaultOptions.AuditLogPath = ""
 return config.ApplyOptions(defaultOptions)
 }
@@ -242,28 +241,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 }
 }
- if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort > 0 {
+ if options.SecureServing != nil && options.SecureServing.ServingOptions.BindPort > 0 {
 secureServingInfo := &SecureServingInfo{
 ServingInfo: ServingInfo{
- BindAddress: net.JoinHostPort(options.SecureServingOptions.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServingOptions.ServingOptions.BindPort)),
+ BindAddress: net.JoinHostPort(options.SecureServing.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServing.ServingOptions.BindPort)),
 },
 ServerCert: GeneratableKeyCert{
 CertKey: CertKey{
- CertFile: options.SecureServingOptions.ServerCert.CertKey.CertFile,
- KeyFile: options.SecureServingOptions.ServerCert.CertKey.KeyFile,
+ CertFile: options.SecureServing.ServerCert.CertKey.CertFile,
+ KeyFile: options.SecureServing.ServerCert.CertKey.KeyFile,
 },
 },
 SNICerts: []NamedCertKey{},
- ClientCA: options.SecureServingOptions.ClientCA,
+ ClientCA: options.SecureServing.ClientCA,
 }
- if options.SecureServingOptions.ServerCert.CertKey.CertFile == "" && options.SecureServingOptions.ServerCert.CertKey.KeyFile == "" {
+ if options.SecureServing.ServerCert.CertKey.CertFile == "" && options.SecureServing.ServerCert.CertKey.KeyFile == "" {
 secureServingInfo.ServerCert.Generate = true
- secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".crt")
- secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".key")
+ secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".crt")
+ secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".key")
 }
 secureServingInfo.SNICerts = nil
- for _, nkc := range options.SecureServingOptions.SNICertKeys {
+ for _, nkc := range options.SecureServing.SNICertKeys {
 secureServingInfo.SNICerts = append(secureServingInfo.SNICerts, NamedCertKey{
 CertKey: CertKey{
 KeyFile: nkc.KeyFile,
@@ -274,12 +273,12 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 }
 c.SecureServingInfo = secureServingInfo
- c.ReadWritePort = options.SecureServingOptions.ServingOptions.BindPort
+ c.ReadWritePort = options.SecureServing.ServingOptions.BindPort
 }
- if options.InsecurePort > 0 {
+ if options.InsecureServing != nil && options.InsecureServing.BindPort > 0 {
 insecureServingInfo := &ServingInfo{
- BindAddress: net.JoinHostPort(options.InsecureBindAddress.String(), strconv.Itoa(options.InsecurePort)),
+ BindAddress: net.JoinHostPort(options.InsecureServing.BindAddress.String(), strconv.Itoa(options.InsecureServing.BindPort)),
 }
 c.InsecureServingInfo = insecureServingInfo
 }
@@ -487,8 +486,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
 // If advertise-address is not specified, use bind-address. If bind-address
 // is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
 // interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
- if options.SecureServingOptions != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
- hostIP, err := utilnet.ChooseBindAddress(options.SecureServingOptions.ServingOptions.BindAddress)
+ if options.SecureServing != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
+ hostIP, err := utilnet.ChooseBindAddress(options.SecureServing.ServingOptions.BindAddress)
 if err != nil {
 glog.Fatalf("Unable to find suitable network address.error='%v' . "+
 "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
diff --git a/pkg/genericapiserver/options/BUILD b/pkg/genericapiserver/options/BUILD
index 81339e7e6d4..28f47608f97 100644
--- a/pkg/genericapiserver/options/BUILD
+++ b/pkg/genericapiserver/options/BUILD
@@ -17,6 +17,7 @@ go_library(
 "doc.go",
 "etcd_options.go",
 "server_run_options.go",
+ "serving_options.go",
 ],
 tags = ["automanaged"],
 deps = [
diff --git a/pkg/genericapiserver/options/server_run_options.go b/pkg/genericapiserver/options/server_run_options.go
index b67d6d73daa..620b5af8df4 100644
--- a/pkg/genericapiserver/options/server_run_options.go
+++ b/pkg/genericapiserver/options/server_run_options.go
@@ -17,9 +17,7 @@ limitations under the License.
 package options
 import (
- "errors"
 "net"
- "strconv"
 "strings"
 "time"
@@ -27,7 +25,6 @@ import (
 "k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/apimachinery/registered"
 clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
- "k8s.io/kubernetes/pkg/client/restclient"
 "k8s.io/kubernetes/pkg/runtime/schema"
 "k8s.io/kubernetes/pkg/util/config"
 utilnet "k8s.io/kubernetes/pkg/util/net"
@@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
- Etcd *EtcdOptions
- SecureServingOptions *SecureServingOptions
+ Etcd *EtcdOptions
+ SecureServing *SecureServingOptions
+ InsecureServing *ServingOptions
 AdmissionControl string
 AdmissionControlConfigFile string
@@ -86,8 +84,6 @@ type ServerRunOptions struct {
 EnableSwaggerUI bool
 EnableWatchCache bool
 ExternalHost string
- InsecureBindAddress net.IP
- InsecurePort int
 KeystoneURL string
 KeystoneCAFile string
 KubernetesServiceNodePort int
@@ -133,8 +129,6 @@ func NewServerRunOptions() *ServerRunOptions {
 EnableProfiling: true,
 EnableContentionProfiling: false,
 EnableWatchCache: true,
- InsecureBindAddress: net.ParseIP("127.0.0.1"),
- InsecurePort: 8080,
 LongRunningRequestRE: DefaultLongRunningRequestRE,
 MasterCount: 1,
 MasterServiceNamespace: api.NamespaceDefault,
@@ -150,8 +144,14 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
 o.Etcd = NewDefaultEtcdOptions()
 return o
 }
+
 func (o *ServerRunOptions) WithSecureServingOptions() *ServerRunOptions {
- o.SecureServingOptions = NewDefaultSecureServingOptions()
+ o.SecureServing = NewDefaultSecureServingOptions()
+ return o
+}
+
+func (o *ServerRunOptions) WithInsecureServingOptions() *ServerRunOptions {
+ o.InsecureServing = NewDefaultInsecureServingOptions()
 return o
 }
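Review bot: `WithInsecureServingOptions` in the last hunk is exported without a doc comment, although it is the call that opts a server into the plaintext listener. Elsewhere in this commit `InsecureServing` is treated as nil unless this builder ran, and `NewDefaultInsecureServingOptions` binds 127.0.0.1:8080 for what the flag help calls unsecured, unauthenticated access. A comment such as `// WithInsecureServingOptions enables the unauthenticated insecure listener with its defaults (127.0.0.1:8080); omit it to serve only on the secure port.` would make that opt-in visible at call sites. `WithSecureServingOptions` would benefit from a matching one-line comment.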
@@ -203,42 +203,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
 // Returns a clientset which can be used to talk to this apiserver.
 func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, error) {
- clientConfig, err := s.NewSelfClientConfig(token)
+ clientConfig, err := NewSelfClientConfig(s.SecureServing, s.InsecureServing, token)
 if err != nil {
 return nil, err
 }
 return clientset.NewForConfig(clientConfig)
 }
-// Returns a clientconfig which can be used to talk to this apiserver.
-func (s *ServerRunOptions) NewSelfClientConfig(token string) (*restclient.Config, error) {
- clientConfig := &restclient.Config{
- // Increase QPS limits. The client is currently passed to all admission plugins,
- // and those can be throttled in case of higher load on apiserver - see #22340 and #22422
- // for more details. Once #22422 is fixed, we may want to remove it.
- QPS: 50,
- Burst: 100,
- }
-
- // Use secure port if the ServerCA is specified
- if s.SecureServingOptions != nil && s.SecureServingOptions.ServingOptions.BindPort > 0 && len(s.SecureServingOptions.ServerCA) > 0 {
- host := s.SecureServingOptions.ServingOptions.BindAddress.String()
- if host == "0.0.0.0" {
- host = "localhost"
- }
- clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecureServingOptions.ServingOptions.BindPort))
- clientConfig.CAFile = s.SecureServingOptions.ServerCA
- clientConfig.BearerToken = token
-
- } else if s.InsecurePort > 0 {
- clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
- } else {
- return nil, errors.New("Unable to set url for apiserver local client")
- }
-
- return clientConfig, nil
-}
-
 // AddFlags adds flags for a specific APIServer to the specified FlagSet
 func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 // Note: the weird ""+ in below lines seems to be the only way to get gofmt to
@@ -337,22 +308,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.ExternalHost, "external-hostname", s.ExternalHost, "The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs).")
- fs.IPVar(&s.InsecureBindAddress, "insecure-bind-address", s.InsecureBindAddress, ""+
- "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
- "Defaults to localhost.")
- fs.IPVar(&s.InsecureBindAddress, "address", s.InsecureBindAddress,
- "DEPRECATED: see --insecure-bind-address instead.")
- fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
- fs.IntVar(&s.InsecurePort, "insecure-port", s.InsecurePort, ""+
- "The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
- "that firewall rules are set up such that this port is not reachable from outside of "+
- "the cluster and that port 443 on the cluster's public address is proxied to this "+
- "port. This is performed by nginx in the default setup.")
-
- fs.IntVar(&s.InsecurePort, "port", s.InsecurePort, "DEPRECATED: see --insecure-port instead.")
- fs.MarkDeprecated("port", "see --insecure-port instead.")
-
 fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL, "If passed, activates the keystone authentication plugin.")
diff --git a/pkg/genericapiserver/options/serving_options.go b/pkg/genericapiserver/options/serving_options.go
index 1bfb60ab064..1bf66efcb29 100644
--- a/pkg/genericapiserver/options/serving_options.go
+++ b/pkg/genericapiserver/options/serving_options.go
@@ -17,11 +17,14 @@ limitations under the License.
 package options
 import (
+ "errors"
 "fmt"
 "net"
+ "strconv"
 "github.com/spf13/pflag"
+ "k8s.io/kubernetes/pkg/client/restclient"
 "k8s.io/kubernetes/pkg/util/config"
 )
@@ -76,6 +79,30 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
 }
 }
+func (s *SecureServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+ if s == nil || s.ServingOptions.BindPort <= 0 && len(s.ServerCA) == 0 {
+ return nil
+ }
+ clientConfig := &restclient.Config{
+ // Increase QPS limits. The client is currently passed to all admission plugins,
+ // and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+ // for more details. Once #22422 is fixed, we may want to remove it.
+ QPS: 50,
+ Burst: 100,
+ }
+
+ // Use secure port if the ServerCA is specified
+ host := s.ServingOptions.BindAddress.String()
+ if host == "0.0.0.0" {
+ host = "localhost"
+ }
+ clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.ServingOptions.BindPort))
+ clientConfig.CAFile = s.ServerCA
+ clientConfig.BearerToken = token
+
+ return clientConfig
+}
+
 func (s *SecureServingOptions) Validate() []error {
 errors := []error{}
 if s == nil {
@@ -86,16 +113,6 @@ func (s *SecureServingOptions) Validate() []error {
 return errors
 }
-func (s ServingOptions) Validate(portArg string) []error {
- errors := []error{}
-
- if s.BindPort < 0 || s.BindPort > 65535 {
- errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
- }
-
- return errors
-}
-
 func (s *SecureServingOptions) AddSecureServingFlags(fs *pflag.FlagSet) {
 fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
 "The IP address on which to listen for the --secure-port port. The "+
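Review bot: The guard at the top of `SecureServingOptions.NewSelfClientConfig` is not the negation of the condition it replaces. Because `&&` binds tighter than `||`, `s == nil || s.ServingOptions.BindPort <= 0 && len(s.ServerCA) == 0` only bails out when the port is off and no ServerCA is set, whereas the removed code used the secure port only when the port was positive and a ServerCA was configured. With a secure port but no `ServerCA` the method now returns an https config with an empty `CAFile` that still carries the loopback bearer token, instead of letting `NewSelfClientConfig` fall through to the insecure config; with a ServerCA and port 0 it returns a host ending in `:0`. Suggest `if s == nil || s.ServingOptions.BindPort <= 0 || len(s.ServerCA) == 0 {`.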
@@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
 fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 }
+
+func NewDefaultInsecureServingOptions() *ServingOptions {
+ return &ServingOptions{
+ BindAddress: net.ParseIP("127.0.0.1"),
+ BindPort: 8080,
+ }
+}
+
+func (s ServingOptions) Validate(portArg string) []error {
+ errors := []error{}
+
+ if s.BindPort < 0 || s.BindPort > 65535 {
+ errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
+ }
+
+ return errors
+}
+
+func (s *ServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+ if s == nil || s.BindPort <= 0 {
+ return nil
+ }
+ clientConfig := &restclient.Config{
+ // Increase QPS limits. The client is currently passed to all admission plugins,
+ // and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+ // for more details. Once #22422 is fixed, we may want to remove it.
+ QPS: 50,
+ Burst: 100,
+ }
+
+ clientConfig.Host = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort))
+
+ return clientConfig
+}
+
+func (s *ServingOptions) AddInsecureServingFlags(fs *pflag.FlagSet) {
+ fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+ "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
+ "Defaults to localhost.")
+
+ fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+ "The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
+ "that firewall rules are set up such that this port is not reachable from outside of "+
+ "the cluster and that port 443 on the cluster's public address is proxied to this "+
+ "port. This is performed by nginx in the default setup.")
+}
+
+func (s *ServingOptions) AddDeprecatedInsecureServingFlags(fs *pflag.FlagSet) {
+ fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+ "DEPRECATED: see --insecure-bind-address instead.")
+ fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
+
+ fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
+ fs.MarkDeprecated("port", "see --insecure-port instead.")
+}
+
+// Returns a clientconfig which can be used to talk to this apiserver.
+func NewSelfClientConfig(secureServingOptions *SecureServingOptions, insecureServingOptions *ServingOptions, token string) (*restclient.Config, error) {
+ if cfg := secureServingOptions.NewSelfClientConfig(token); cfg != nil {
+ return cfg, nil
+ }
+ if cfg := insecureServingOptions.NewSelfClientConfig(token); cfg != nil {
+ return cfg, nil
+ }
+
+ return nil, errors.New("Unable to set url for apiserver local client")
+}
diff --git a/pkg/genericapiserver/validation/universal_validation.go b/pkg/genericapiserver/validation/universal_validation.go
index 4821db9bc38..088fe50422d 100644
--- a/pkg/genericapiserver/validation/universal_validation.go
+++ b/pkg/genericapiserver/validation/universal_validation.go
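Review bot: `ServingOptions.Validate` in the serving_options.go hunk keeps its value receiver, but it is now reached through `options.InsecureServing`, a `*ServingOptions` that stays nil unless `WithInsecureServingOptions()` was called. The call `options.InsecureServing.Validate("insecure-port")` added to `verifySecureAndInsecurePort` in universal_validation.go would therefore dereference nil and panic before the `InsecureServing == nil` checks a few lines below it run. Make it a pointer receiver with a nil guard like the one visible in `SecureServingOptions.Validate`: `func (s *ServingOptions) Validate(portArg string) []error {` followed by `if s == nil { return nil }`. Separately, the message still ends with `0 for turning off secure port.` even when `portArg` is `insecure-port`; the removed inline check said `insecure port`.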
@@ -51,17 +51,16 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
 func verifySecureAndInsecurePort(options *options.ServerRunOptions) []error {
 errors := []error{}
- errors = append(errors, options.SecureServingOptions.Validate()...)
+ errors = append(errors, options.SecureServing.Validate()...)
+ errors = append(errors, options.InsecureServing.Validate("insecure-port")...)
- if options.InsecurePort < 0 || options.InsecurePort > 65535 {
- errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort))
- }
-
- if (options.SecureServingOptions == nil || options.SecureServingOptions.ServingOptions.BindPort == 0) && options.InsecurePort == 0 {
+ if (options.SecureServing == nil || options.SecureServing.ServingOptions.BindPort == 0) &&
+ (options.InsecureServing == nil || options.InsecureServing.BindPort == 0) {
 glog.Fatalf("--secure-port and --insecure-port cannot be turned off at the same time.")
 }
- if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort == options.InsecurePort {
+ if options.SecureServing != nil && options.InsecureServing != nil &&
+ options.SecureServing.ServingOptions.BindPort == options.InsecureServing.BindPort {
 errors = append(errors, fmt.Errorf("--secure-port and --insecure-port cannot use the same port."))
 }
 return errors
diff --git a/test/integration/examples/apiserver_test.go b/test/integration/examples/apiserver_test.go
index 4b9a33c9bd2..21ebffa89f8 100644
--- a/test/integration/examples/apiserver_test.go
+++ b/test/integration/examples/apiserver_test.go
@@ -63,8 +63,8 @@ func TestRunSecureServer(t *testing.T) {
 stopCh := make(chan struct{})
 go func() {
 options := apiserver.NewServerRunOptions()
- options.InsecurePort = 0
- options.SecureServingOptions.ServingOptions.BindPort = apiserver.SecurePort
+ options.InsecureServing.BindPort = 0
+ options.SecureServing.ServingOptions.BindPort = apiserver.SecurePort
 if err := apiserver.Run(options, stopCh); err != nil {
 t.Fatalf("Error in bringing up the server: %v", err)
 }