New command line flag - Set CA file for apiserver in-process client

2025-07-22 11:21:47 +00:00 · 2016-09-20 18:13:25 -04:00 · 2016-09-20 18:13:25 -04:00 · 364dd1a752
commit 364dd1a752
parent 25d4a70827
2 changed files with 12 additions and 3 deletions
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@ -504,6 +504,7 @@ tcp-services
 terminated-pod-gc-threshold
 test-flags
 test-timeout
+tls-ca-file
 tls-cert-file
 tls-private-key-file
 to-version
--- a/pkg/genericapiserver/options/server_run_options.go
+++ b/pkg/genericapiserver/options/server_run_options.go
@ -17,6 +17,7 @@ limitations under the License.
 package options

 import (
+	"errors"
 	"net"
 	"strconv"
 	"strings"
@ -114,6 +115,7 @@ type ServerRunOptions struct {
 	// for testing). This is not actually exposed as a flag.
 	DefaultStorageVersions string
 	TargetRAMMB            int
+	TLSCAFile              string
 	TLSCertFile            string
 	TLSPrivateKeyFile      string
 	TokenAuthFile          string
@ -213,12 +215,14 @@ func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, err
 		QPS:   50,
 		Burst: 100,
 	}
-	if s.SecurePort > 0 {
+	if s.SecurePort > 0 && len(s.TLSCAFile) > 0 {
 		clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
-		clientConfig.Insecure = true
+		clientConfig.CAFile = s.TLSCAFile
 		clientConfig.BearerToken = token
-	} else {
+	} else if s.InsecurePort > 0 {
 		clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
+	} else {
+		return nil, errors.New("Unable to set url for apiserver local client")
 	}

 	return clientset.NewForConfig(clientConfig)
@ -445,6 +449,10 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"It defaults to a list of preferred versions of all registered groups, "+
 		"which is derived from the KUBE_API_VERSIONS environment variable.")

+	fs.StringVar(&s.TLSCAFile, "tls-ca-file", s.TLSCAFile, "If set, this "+
+		"certificate authority will used for secure access from Admission "+
+		"Controllers. This must be a valid PEM-encoded CA bundle.")
+
 	fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
 		"File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
 		"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+