New command line flag - Set CA file for apiserver in-process client
parent
25d4a70827
commit
364dd1a752
@ -504,6 +504,7 @@ tcp-services
|
|||||||
terminated-pod-gc-threshold
|
terminated-pod-gc-threshold
|
||||||
test-flags
|
test-flags
|
||||||
test-timeout
|
test-timeout
|
||||||
|
tls-ca-file
|
||||||
tls-cert-file
|
tls-cert-file
|
||||||
tls-private-key-file
|
tls-private-key-file
|
||||||
to-version
|
to-version
|
||||||
|
@ -17,6 +17,7 @@ limitations under the License.
|
|||||||
package options
|
package options
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"net"
|
"net"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
@ -114,6 +115,7 @@ type ServerRunOptions struct {
|
|||||||
// for testing). This is not actually exposed as a flag.
|
// for testing). This is not actually exposed as a flag.
|
||||||
DefaultStorageVersions string
|
DefaultStorageVersions string
|
||||||
TargetRAMMB int
|
TargetRAMMB int
|
||||||
|
TLSCAFile string
|
||||||
TLSCertFile string
|
TLSCertFile string
|
||||||
TLSPrivateKeyFile string
|
TLSPrivateKeyFile string
|
||||||
TokenAuthFile string
|
TokenAuthFile string
|
||||||
@ -213,12 +215,14 @@ func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, err
|
|||||||
QPS: 50,
|
QPS: 50,
|
||||||
Burst: 100,
|
Burst: 100,
|
||||||
}
|
}
|
||||||
if s.SecurePort > 0 {
|
if s.SecurePort > 0 && len(s.TLSCAFile) > 0 {
|
||||||
clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
|
clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
|
||||||
clientConfig.Insecure = true
|
clientConfig.CAFile = s.TLSCAFile
|
||||||
clientConfig.BearerToken = token
|
clientConfig.BearerToken = token
|
||||||
} else {
|
} else if s.InsecurePort > 0 {
|
||||||
clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
|
clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
|
||||||
|
} else {
|
||||||
|
return nil, errors.New("Unable to set url for apiserver local client")
|
||||||
}
|
}
|
||||||
|
|
||||||
return clientset.NewForConfig(clientConfig)
|
return clientset.NewForConfig(clientConfig)
|
||||||
@ -445,6 +449,10 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
|
|||||||
"It defaults to a list of preferred versions of all registered groups, "+
|
"It defaults to a list of preferred versions of all registered groups, "+
|
||||||
"which is derived from the KUBE_API_VERSIONS environment variable.")
|
"which is derived from the KUBE_API_VERSIONS environment variable.")
|
||||||
|
|
||||||
|
fs.StringVar(&s.TLSCAFile, "tls-ca-file", s.TLSCAFile, "If set, this "+
|
||||||
|
"certificate authority will used for secure access from Admission "+
|
||||||
|
"Controllers. This must be a valid PEM-encoded CA bundle.")
|
||||||
|
|
||||||
fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
|
fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
|
||||||
"File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
|
"File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
|
||||||
"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+
|
"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+
|
||||||
|
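Review bot: In NewSelfClient the secure branch now requires `len(s.TLSCAFile) > 0`, so a server with SecurePort set but no --tls-ca-file quietly falls through to `else if s.InsecurePort > 0` and talks plain HTTP without the bearer token; that downgrade should at least be logged, and the final `else` should name the fix, e.g. `return nil, errors.New("unable to build apiserver self client: set --tls-ca-file for the secure port or enable the insecure port")`. Replacing `clientConfig.Insecure = true` with `clientConfig.CAFile` also turns on verification of the server certificate against the host built from `s.BindAddress.String()`, which presumably fails when the bind address is a wildcard such as 0.0.0.0 or is absent from the serving certificate's SANs, so the host used here needs to be one the certificate covers. The --tls-ca-file help text in AddUniversalFlags reads "will used" and should say "will be used". NewSelfClient starts above the hunk, so how clientConfig is otherwise populated is not visible here.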