Merge pull request #41079 from deads2k/apiserver-06-auto-loopback
Automatic merge from submit-queue. Auto-create the loopback token: users of the apiserver library have no need to specify particular loopback tokens; we can autogenerate and provision them. @kubernetes/sig-api-machinery-misc @sttts
commit
1e0e961bcd
@ -17,7 +17,6 @@ go_library(
|
|||||||
"//pkg/api:go_default_library",
|
"//pkg/api:go_default_library",
|
||||||
"//pkg/client/clientset_generated/clientset:go_default_library",
|
"//pkg/client/clientset_generated/clientset:go_default_library",
|
||||||
"//pkg/kubectl/cmd/util:go_default_library",
|
"//pkg/kubectl/cmd/util:go_default_library",
|
||||||
"//vendor:github.com/pborman/uuid",
|
|
||||||
"//vendor:github.com/spf13/cobra",
|
"//vendor:github.com/spf13/cobra",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/util/sets",
|
"//vendor:k8s.io/apimachinery/pkg/util/sets",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/util/wait",
|
"//vendor:k8s.io/apimachinery/pkg/util/wait",
|
||||||
|
@ -21,7 +21,6 @@ import (
|
|||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
|
||||||
"github.com/pborman/uuid"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
@ -105,12 +104,6 @@ func (o AggregatorOptions) RunAggregator() error {
|
|||||||
sets.NewString("attach", "exec", "proxy", "log", "portforward"),
|
sets.NewString("attach", "exec", "proxy", "log", "portforward"),
|
||||||
)
|
)
|
||||||
|
|
||||||
var err error
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
|
||||||
if serverConfig.LoopbackClientConfig, err = serverConfig.SecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
kubeconfig, err := restclient.InClusterConfig()
|
kubeconfig, err := restclient.InClusterConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -53,7 +53,6 @@ go_library(
|
|||||||
"//plugin/pkg/admission/storageclass/default:go_default_library",
|
"//plugin/pkg/admission/storageclass/default:go_default_library",
|
||||||
"//vendor:github.com/go-openapi/spec",
|
"//vendor:github.com/go-openapi/spec",
|
||||||
"//vendor:github.com/golang/glog",
|
"//vendor:github.com/golang/glog",
|
||||||
"//vendor:github.com/pborman/uuid",
|
|
||||||
"//vendor:github.com/spf13/cobra",
|
"//vendor:github.com/spf13/cobra",
|
||||||
"//vendor:github.com/spf13/pflag",
|
"//vendor:github.com/spf13/pflag",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/openapi",
|
"//vendor:k8s.io/apimachinery/pkg/openapi",
|
||||||
|
@ -32,7 +32,6 @@ import (
|
|||||||
|
|
||||||
"github.com/go-openapi/spec"
|
"github.com/go-openapi/spec"
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"github.com/pborman/uuid"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
|
|
||||||
@ -258,12 +257,7 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
return fmt.Errorf("invalid Authentication Config: %v", err)
|
return fmt.Errorf("invalid Authentication Config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
client, err := internalclientset.NewForConfig(genericConfig.LoopbackClientConfig)
|
||||||
selfClientConfig, err := genericapiserver.NewSelfClientConfig(genericConfig.SecureServingInfo, genericConfig.InsecureServingInfo, privilegedLoopbackToken)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create clientset: %v", err)
|
|
||||||
}
|
|
||||||
client, err := internalclientset.NewForConfig(selfClientConfig)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
kubeAPIVersions := os.Getenv("KUBE_API_VERSIONS")
|
kubeAPIVersions := os.Getenv("KUBE_API_VERSIONS")
|
||||||
if len(kubeAPIVersions) == 0 {
|
if len(kubeAPIVersions) == 0 {
|
||||||
@ -301,7 +295,6 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
kubeVersion := version.Get()
|
kubeVersion := version.Get()
|
||||||
|
|
||||||
genericConfig.Version = &kubeVersion
|
genericConfig.Version = &kubeVersion
|
||||||
genericConfig.LoopbackClientConfig = selfClientConfig
|
|
||||||
genericConfig.Authenticator = apiAuthenticator
|
genericConfig.Authenticator = apiAuthenticator
|
||||||
genericConfig.Authorizer = apiAuthorizer
|
genericConfig.Authorizer = apiAuthorizer
|
||||||
genericConfig.AdmissionControl = admissionController
|
genericConfig.AdmissionControl = admissionController
|
||||||
|
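Review bot: `internalclientset.NewForConfig(genericConfig.LoopbackClientConfig)` in Run now trusts that an earlier ApplyTo call populated the field, and nothing in this hunk checks it for nil. Elsewhere in this commit SecureServingOptions.ApplyTo returns early when BindPort <= 0 and the secure NewSelfClientConfig returns nil, nil when no certificate is set, while the new nil guard sits in completedConfig.New(), which presumably runs later than this call. If NewForConfig dereferences its argument, a server with no usable serving port would panic here instead of returning the old "Unable to set url for apiserver local client" error; a guard such as `if genericConfig.LoopbackClientConfig == nil { return fmt.Errorf("unable to set url for apiserver local client") }` before the call would restore a clean failure. The same applies to the identical change in the other Run hunk at `@ -152,12 +151,7`; Run's body extends outside both hunks.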
@ -61,7 +61,6 @@ go_library(
|
|||||||
"//plugin/pkg/admission/namespace/lifecycle:go_default_library",
|
"//plugin/pkg/admission/namespace/lifecycle:go_default_library",
|
||||||
"//vendor:github.com/go-openapi/spec",
|
"//vendor:github.com/go-openapi/spec",
|
||||||
"//vendor:github.com/golang/glog",
|
"//vendor:github.com/golang/glog",
|
||||||
"//vendor:github.com/pborman/uuid",
|
|
||||||
"//vendor:github.com/spf13/cobra",
|
"//vendor:github.com/spf13/cobra",
|
||||||
"//vendor:github.com/spf13/pflag",
|
"//vendor:github.com/spf13/pflag",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/openapi",
|
"//vendor:k8s.io/apimachinery/pkg/openapi",
|
||||||
|
@ -26,7 +26,6 @@ import (
|
|||||||
|
|
||||||
"github.com/go-openapi/spec"
|
"github.com/go-openapi/spec"
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"github.com/pborman/uuid"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
|
|
||||||
@ -152,12 +151,7 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
return fmt.Errorf("invalid Authentication Config: %v", err)
|
return fmt.Errorf("invalid Authentication Config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
client, err := internalclientset.NewForConfig(genericConfig.LoopbackClientConfig)
|
||||||
selfClientConfig, err := genericapiserver.NewSelfClientConfig(genericConfig.SecureServingInfo, genericConfig.InsecureServingInfo, privilegedLoopbackToken)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to create clientset: %v", err)
|
|
||||||
}
|
|
||||||
client, err := internalclientset.NewForConfig(selfClientConfig)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to create clientset: %v", err)
|
return fmt.Errorf("failed to create clientset: %v", err)
|
||||||
}
|
}
|
||||||
@ -182,7 +176,6 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
|
|
||||||
kubeVersion := version.Get()
|
kubeVersion := version.Get()
|
||||||
genericConfig.Version = &kubeVersion
|
genericConfig.Version = &kubeVersion
|
||||||
genericConfig.LoopbackClientConfig = selfClientConfig
|
|
||||||
genericConfig.Authenticator = apiAuthenticator
|
genericConfig.Authenticator = apiAuthenticator
|
||||||
genericConfig.Authorizer = apiAuthorizer
|
genericConfig.Authorizer = apiAuthorizer
|
||||||
genericConfig.AdmissionControl = admissionController
|
genericConfig.AdmissionControl = admissionController
|
||||||
|
@ -371,6 +371,9 @@ func (c completedConfig) New() (*GenericAPIServer, error) {
|
|||||||
if c.Serializer == nil {
|
if c.Serializer == nil {
|
||||||
return nil, fmt.Errorf("Genericapiserver.New() called with config.Serializer == nil")
|
return nil, fmt.Errorf("Genericapiserver.New() called with config.Serializer == nil")
|
||||||
}
|
}
|
||||||
|
if c.LoopbackClientConfig == nil {
|
||||||
|
return nil, fmt.Errorf("Genericapiserver.New() called with config.LoopbackClientConfig == nil")
|
||||||
|
}
|
||||||
|
|
||||||
s := &GenericAPIServer{
|
s := &GenericAPIServer{
|
||||||
discoveryAddresses: c.DiscoveryAddresses,
|
discoveryAddresses: c.DiscoveryAddresses,
|
||||||
|
@ -20,36 +20,12 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewSelfClientConfig returns a clientconfig which can be used to talk to this apiserver.
|
|
||||||
func NewSelfClientConfig(secureServingInfo *SecureServingInfo, insecureServingInfo *ServingInfo, token string) (*restclient.Config, error) {
|
|
||||||
cfg, err := secureServingInfo.NewSelfClientConfig(token)
|
|
||||||
if cfg != nil && err == nil {
|
|
||||||
return cfg, nil
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
if insecureServingInfo == nil {
|
|
||||||
// be fatal if insecure port is not available
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
glog.Warningf("Failed to create secure local client, falling back to insecure local connection: %v", err)
|
|
||||||
}
|
|
||||||
if cfg, err := insecureServingInfo.NewSelfClientConfig(token); err != nil || cfg != nil {
|
|
||||||
return cfg, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, errors.New("Unable to set url for apiserver local client")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *SecureServingInfo) NewSelfClientConfig(token string) (*restclient.Config, error) {
|
func (s *SecureServingInfo) NewSelfClientConfig(token string) (*restclient.Config, error) {
|
||||||
if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
|
if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
@ -46,10 +46,11 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||||
|
"k8s.io/apiserver/pkg/registry/rest"
|
||||||
etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing"
|
etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing"
|
||||||
"k8s.io/client-go/pkg/api"
|
"k8s.io/client-go/pkg/api"
|
||||||
|
restclient "k8s.io/client-go/rest"
|
||||||
openapigen "k8s.io/kubernetes/pkg/generated/openapi"
|
openapigen "k8s.io/kubernetes/pkg/generated/openapi"
|
||||||
"k8s.io/apiserver/pkg/registry/rest"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -85,6 +86,7 @@ func setUp(t *testing.T) (*etcdtesting.EtcdTestServer, Config, *assert.Assertion
|
|||||||
config.PublicAddress = net.ParseIP("192.168.10.4")
|
config.PublicAddress = net.ParseIP("192.168.10.4")
|
||||||
config.RequestContextMapper = genericapirequest.NewRequestContextMapper()
|
config.RequestContextMapper = genericapirequest.NewRequestContextMapper()
|
||||||
config.LegacyAPIGroupPrefixes = sets.NewString("/api")
|
config.LegacyAPIGroupPrefixes = sets.NewString("/api")
|
||||||
|
config.LoopbackClientConfig = &restclient.Config{}
|
||||||
|
|
||||||
config.OpenAPIConfig = DefaultOpenAPIConfig(openapigen.GetOpenAPIDefinitions, api.Scheme)
|
config.OpenAPIConfig = DefaultOpenAPIConfig(openapigen.GetOpenAPIDefinitions, api.Scheme)
|
||||||
config.OpenAPIConfig.Info = &spec.Info{
|
config.OpenAPIConfig.Info = &spec.Info{
|
||||||
|
@ -26,6 +26,7 @@ import (
|
|||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
|
"github.com/pborman/uuid"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
|
|
||||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
@ -139,6 +140,30 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
|||||||
if s.ServingOptions.BindPort <= 0 {
|
if s.ServingOptions.BindPort <= 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
if err := s.applyServingInfoTo(c); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
loopbackClientConfig, err := c.SecureServingInfo.NewSelfClientConfig(uuid.NewRandom().String())
|
||||||
|
switch {
|
||||||
|
// if we failed and there's no fallback loopback client config, we need to fail
|
||||||
|
case err != nil && c.LoopbackClientConfig == nil:
|
||||||
|
return err
|
||||||
|
|
||||||
|
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
||||||
|
case err != nil && c.LoopbackClientConfig != nil:
|
||||||
|
|
||||||
|
default:
|
||||||
|
c.LoopbackClientConfig = loopbackClientConfig
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
||||||
|
if s.ServingOptions.BindPort <= 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
secureServingInfo := &server.SecureServingInfo{
|
secureServingInfo := &server.SecureServingInfo{
|
||||||
ServingInfo: server.ServingInfo{
|
ServingInfo: server.ServingInfo{
|
||||||
@ -250,6 +275,12 @@ func (s *ServingOptions) ApplyTo(c *server.Config) error {
|
|||||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||||
|
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
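Review bot: The second case of the switch in SecureServingOptions.ApplyTo swallows the NewSelfClientConfig error without logging, whereas the helper this commit removes emitted a glog warning when it fell back to the insecure local connection; an operator can no longer see that the privileged loopback client was downgraded. The default case also assigns whatever was returned, and the secure NewSelfClientConfig visibly returns nil, nil when no certificate is configured, so it can overwrite an existing fallback with nil. In the same file ServingOptions.ApplyTo assigns c.LoopbackClientConfig unconditionally, so which config wins depends on a call order that nothing here documents. A suggested switch is below; glog is already imported in this file.

```go
loopbackClientConfig, err := c.SecureServingInfo.NewSelfClientConfig(uuid.NewRandom().String())
switch {
// … unchanged: case err != nil && c.LoopbackClientConfig == nil returns err …
case err != nil:
	// keep the operator-visible warning the removed helper used to emit
	glog.Warningf("Failed to create secure local client, falling back to insecure local connection: %v", err)
case loopbackClientConfig != nil:
	// a (nil, nil) result must not erase a fallback config set earlier
	c.LoopbackClientConfig = loopbackClientConfig
}
```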
@ -36,6 +36,7 @@ import (
|
|||||||
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||||
. "k8s.io/apiserver/pkg/server"
|
. "k8s.io/apiserver/pkg/server"
|
||||||
utilflag "k8s.io/apiserver/pkg/util/flag"
|
utilflag "k8s.io/apiserver/pkg/util/flag"
|
||||||
|
restclient "k8s.io/client-go/rest"
|
||||||
utilcert "k8s.io/client-go/util/cert"
|
utilcert "k8s.io/client-go/util/cert"
|
||||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||||
)
|
)
|
||||||
@ -493,6 +494,7 @@ NextTest:
|
|||||||
},
|
},
|
||||||
SNICertKeys: namedCertKeys,
|
SNICertKeys: namedCertKeys,
|
||||||
}
|
}
|
||||||
|
config.LoopbackClientConfig = &restclient.Config{}
|
||||||
if err := secureOptions.ApplyTo(&config); err != nil {
|
if err := secureOptions.ApplyTo(&config); err != nil {
|
||||||
t.Errorf("%q - failed applying the SecureServingOptions: %v", title, err)
|
t.Errorf("%q - failed applying the SecureServingOptions: %v", title, err)
|
||||||
continue NextTest
|
continue NextTest
|
||||||
|
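Review bot: Seeding `config.LoopbackClientConfig = &restclient.Config{}` before `secureOptions.ApplyTo(&config)` means ApplyTo's fail-closed branch (error with no fallback present) can never fire in this table, so a certificate set that cannot produce a loopback client passes silently. Presumably some cases use certificates that are not valid for the loopback address, which is why the seed was added. Consider leaving the field nil for cases expected to yield a secure loopback client and asserting after ApplyTo that `config.LoopbackClientConfig` is non-nil, keeping the seeded value only for a case that tests the fallback explicitly. The enclosing test function starts and ends outside the hunk.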
@ -20,7 +20,6 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
|
||||||
"github.com/pborman/uuid"
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
|
|
||||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||||
@ -96,12 +95,6 @@ func (o WardleServerOptions) Config() (*apiserver.Config, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var err error
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
|
||||||
if serverConfig.LoopbackClientConfig, err = serverConfig.SecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
config := &apiserver.Config{
|
config := &apiserver.Config{
|
||||||
GenericConfig: serverConfig,
|
GenericConfig: serverConfig,
|
||||||
}
|
}
|
||||||
|
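--- a/vendor/BUILD
+++ b/vendor/BUILD
@@ -14128,6 +14128,7 @@ go_library(
 tags = ["automanaged"],
 deps = [
 "//vendor:github.com/golang/glog",
+"//vendor:github.com/pborman/uuid",
 "//vendor:github.com/spf13/pflag",
 "//vendor:gopkg.in/natefinch/lumberjack.v2",
 "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
@@ -14836,6 +14837,7 @@ go_test(
 "//vendor:k8s.io/apiserver/pkg/storage/etcd/testing",
 "//vendor:k8s.io/apiserver/pkg/storage/storagebackend",
 "//vendor:k8s.io/client-go/pkg/api",
+"//vendor:k8s.io/client-go/rest",
 ],
 )
 
@@ -15303,6 +15305,7 @@ go_test(
 "//vendor:k8s.io/apiserver/pkg/endpoints/request",
 "//vendor:k8s.io/apiserver/pkg/server",
 "//vendor:k8s.io/apiserver/pkg/util/flag",
+"//vendor:k8s.io/client-go/rest",
 "//vendor:k8s.io/client-go/util/cert",
 ],
 )
@@ -15399,7 +15402,6 @@ go_library(
 srcs = ["k8s.io/sample-apiserver/pkg/cmd/server/start.go"],
 tags = ["automanaged"],
 deps = [
-"//vendor:github.com/pborman/uuid",
 "//vendor:github.com/spf13/cobra",
 "//vendor:k8s.io/apiserver/pkg/server",
 "//vendor:k8s.io/apiserver/pkg/server/options",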