github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 09:22:44 +00:00
Code Issues Projects Releases Wiki Activity

Possible cipher suites values and tls versions in help for apiserver and kubelet

Browse Source
This commit is contained in:
Victor Garcia 2018-01-24 22:51:27 -05:00
parent 57b8fda91b
commit 3dfa22e3fd
4 changed files with 31 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/kubelet/app/options/options.go
View File

@ -487,13 +487,16 @@ func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfig
"If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+ "If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+
"are generated for the public address and saved to the directory passed to --cert-dir.") "are generated for the public address and saved to the directory passed to --cert-dir.")
fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.") fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
tlsCipherPossibleValues := flag.TLSCipherPossibleValues()
fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites, fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites,
"Comma-separated list of cipher suites for the server. "+ "Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+ "If omitted, the default Go cipher suites will be used. "+
"If omitted, the default Go cipher suites will be used") "Possible values: "+strings.Join(tlsCipherPossibleValues, ","))
tlsPossibleVersions := flag.TLSPossibleVersions()
fs.StringVar(&c.TLSMinVersion, "tls-min-version", c.TLSMinVersion, fs.StringVar(&c.TLSMinVersion, "tls-min-version", c.TLSMinVersion,
"Minimum TLS version supported. "+ "Minimum TLS version supported. "+
"Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.") "Possible values: "+strings.Join(tlsPossibleVersions, ", "))
fs.BoolVar(&c.RotateCertificates, "rotate-certificates", c.RotateCertificates, "<Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.") fs.BoolVar(&c.RotateCertificates, "rotate-certificates", c.RotateCertificates, "<Warning: Beta feature> Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.")
fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.") fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.")

9
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
View File

@ -22,6 +22,7 @@ import (
"net" "net"
"path" "path"
"strconv" "strconv"
"strings"
"github.com/golang/glog" "github.com/golang/glog"
"github.com/spf13/pflag" "github.com/spf13/pflag"
@ -134,14 +135,16 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile, fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile,
"File containing the default x509 private key matching --tls-cert-file.") "File containing the default x509 private key matching --tls-cert-file.")
tlsCipherPossibleValues := utilflag.TLSCipherPossibleValues()
fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites, fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
"Comma-separated list of cipher suites for the server. "+ "Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+ "If omitted, the default Go cipher suites will be use. "+
"If omitted, the default Go cipher suites will be used") "Possible values: "+strings.Join(tlsCipherPossibleValues, ","))
tlsPossibleVersions := utilflag.TLSPossibleVersions()
fs.StringVar(&s.MinTLSVersion, "tls-min-version", s.MinTLSVersion, fs.StringVar(&s.MinTLSVersion, "tls-min-version", s.MinTLSVersion,
"Minimum TLS version supported. "+ "Minimum TLS version supported. "+
"Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.") "Possible values: "+strings.Join(tlsPossibleVersions, ", "))
fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+ fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
"A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+ "A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+

1
staging/src/k8s.io/apiserver/pkg/util/flag/BUILD
View File

@ -40,6 +40,7 @@ go_library(
deps = [ deps = [
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
], ],
) )

18
staging/src/k8s.io/apiserver/pkg/util/flag/ciphersuites_flag.go
View File

@ -19,6 +19,8 @@ package flag
import ( import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"k8s.io/apimachinery/pkg/util/sets"
) )
// ciphers maps strings into tls package cipher constants in // ciphers maps strings into tls package cipher constants in
@ -48,6 +50,14 @@ var ciphers = map[string]uint16{
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
} }
func TLSCipherPossibleValues() []string {
cipherKeys := sets.NewString()
for key := range ciphers {
cipherKeys.Insert(key)
}
return cipherKeys.List()
}
func TLSCipherSuites(cipherNames []string) ([]uint16, error) { func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
if len(cipherNames) == 0 { if len(cipherNames) == 0 {
return nil, nil return nil, nil
@ -69,6 +79,14 @@ var versions = map[string]uint16{
"VersionTLS12": tls.VersionTLS12, "VersionTLS12": tls.VersionTLS12,
} }
func TLSPossibleVersions() []string {
versionsKeys := sets.NewString()
for key := range versions {
versionsKeys.Insert(key)
}
return versionsKeys.List()
}
func TLSVersion(versionName string) (uint16, error) { func TLSVersion(versionName string) (uint16, error) {
if len(versionName) == 0 { if len(versionName) == 0 {
return DefaultTLSVersion(), nil return DefaultTLSVersion(), nil