github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 22:17:14 +00:00
Code Issues Projects Releases Wiki Activity

New command line flag - Set CA file for apiserver in-process client

Browse Source
This commit is contained in:
Davanum Srinivas 2016-09-20 18:13:25 -04:00
parent 25d4a70827
commit 364dd1a752
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hack/verify-flags/known-flags.txt
View File

@ -504,6 +504,7 @@ tcp-services
terminated-pod-gc-threshold terminated-pod-gc-threshold
test-flags test-flags
test-timeout test-timeout
tls-ca-file
tls-cert-file tls-cert-file
tls-private-key-file tls-private-key-file
to-version to-version

14
pkg/genericapiserver/options/server_run_options.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package options package options
import ( import (
"errors"
"net" "net"
"strconv" "strconv"
"strings" "strings"
@ -114,6 +115,7 @@ type ServerRunOptions struct {
// for testing). This is not actually exposed as a flag. // for testing). This is not actually exposed as a flag.
DefaultStorageVersions string DefaultStorageVersions string
TargetRAMMB int TargetRAMMB int
TLSCAFile string
TLSCertFile string TLSCertFile string
TLSPrivateKeyFile string TLSPrivateKeyFile string
TokenAuthFile string TokenAuthFile string
@ -213,12 +215,14 @@ func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, err
QPS: 50, QPS: 50,
Burst: 100, Burst: 100,
} }
if s.SecurePort > 0 { if s.SecurePort > 0 && len(s.TLSCAFile) > 0 {
clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort)) clientConfig.Host = "https://" + net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
clientConfig.Insecure = true clientConfig.CAFile = s.TLSCAFile
clientConfig.BearerToken = token clientConfig.BearerToken = token
} else { } else if s.InsecurePort > 0 {
clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort)) clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
} else {
return nil, errors.New("Unable to set url for apiserver local client")
} }
return clientset.NewForConfig(clientConfig) return clientset.NewForConfig(clientConfig)
@ -445,6 +449,10 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
"It defaults to a list of preferred versions of all registered groups, "+ "It defaults to a list of preferred versions of all registered groups, "+
"which is derived from the KUBE_API_VERSIONS environment variable.") "which is derived from the KUBE_API_VERSIONS environment variable.")
fs.StringVar(&s.TLSCAFile, "tls-ca-file", s.TLSCAFile, "If set, this "+
"certificate authority will used for secure access from Admission "+
"Controllers. This must be a valid PEM-encoded CA bundle.")
fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+ fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
"File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+ "File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+ "after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+