diff --git a/cmd/kube-apiserver/app/testing/testserver.go b/cmd/kube-apiserver/app/testing/testserver.go
index 40dd4b8ca20..8d54435090a 100644
--- a/cmd/kube-apiserver/app/testing/testserver.go
+++ b/cmd/kube-apiserver/app/testing/testserver.go
@@ -47,6 +47,9 @@ type TearDownFunc func()
 type TestServerInstanceOptions struct {
 // DisableStorageCleanup Disable the automatic storage cleanup
 DisableStorageCleanup bool
+
+ // Enable cert-auth for the kube-apiserver
+ EnableCertAuth bool
 }
 // TestServer return values supplied by kube-test-ApiServer
@@ -68,6 +71,7 @@ type Logger interface {
 func NewDefaultTestServerOptions() *TestServerInstanceOptions {
 return &TestServerInstanceOptions{
 DisableStorageCleanup: false,
+ EnableCertAuth: true,
 }
 }
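Review bot: The new `EnableCertAuth` field in `TestServerInstanceOptions` is false for every caller that builds the struct literal itself, so a test that passes its own options (for example only `DisableStorageCleanup`) silently stops getting the client CA and front-proxy CA that `StartTestServer` used to create unconditionally. The `EnableCertAuth: true` default added to `NewDefaultTestServerOptions` in the next hunk only helps callers that go through that constructor, which is why the caller in `apiserver_test.go` has to spell the flag out. Naming it the other way round, `DisableCertAuth bool`, would match `DisableStorageCleanup` and keep the zero value equal to the previous behaviour. If the name stays, the field comment should at least say that the zero value turns certificate authentication off.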
@@ -124,33 +128,36 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo
 }
 s.SecureServing.ServerCert.CertDirectory = result.TmpDir
- // create optional certificates for aggregation and client-cert auth
- proxySigningKey, err := testutil.NewPrivateKey()
- if err != nil {
- return result, err
+ if instanceOptions.EnableCertAuth {
+ // create certificates for aggregation and client-cert auth
+ proxySigningKey, err := testutil.NewPrivateKey()
+ if err != nil {
+ return result, err
+ }
+ proxySigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "front-proxy-ca"}, proxySigningKey)
+ if err != nil {
+ return result, err
+ }
+ proxyCACertFile := path.Join(s.SecureServing.ServerCert.CertDirectory, "proxy-ca.crt")
+ if err := ioutil.WriteFile(proxyCACertFile, testutil.EncodeCertPEM(proxySigningCert), 0644); err != nil {
+ return result, err
+ }
+ s.Authentication.RequestHeader.ClientCAFile = proxyCACertFile
+ clientSigningKey, err := testutil.NewPrivateKey()
+ if err != nil {
+ return result, err
+ }
+ clientSigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "client-ca"}, clientSigningKey)
+ if err != nil {
+ return result, err
+ }
+ clientCACertFile := path.Join(s.SecureServing.ServerCert.CertDirectory, "client-ca.crt")
+ if err := ioutil.WriteFile(clientCACertFile, testutil.EncodeCertPEM(clientSigningCert), 0644); err != nil {
+ return result, err
+ }
+ s.Authentication.ClientCert.ClientCA = clientCACertFile
 }
- proxySigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "front-proxy-ca"}, proxySigningKey)
- if err != nil {
- return result, err
- }
- proxyCACertFile := path.Join(s.SecureServing.ServerCert.CertDirectory, "proxy-ca.crt")
- if err := ioutil.WriteFile(proxyCACertFile, testutil.EncodeCertPEM(proxySigningCert), 0644); err != nil {
- return result, err
- }
- s.Authentication.RequestHeader.ClientCAFile = proxyCACertFile
- clientSigningKey, err := testutil.NewPrivateKey()
- if err != nil {
- return result, err
- }
- clientSigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "client-ca"}, clientSigningKey)
- if err != nil {
- return result, err
- }
- clientCACertFile := path.Join(s.SecureServing.ServerCert.CertDirectory, "client-ca.crt")
- if err := ioutil.WriteFile(clientCACertFile, testutil.EncodeCertPEM(clientSigningCert), 0644); err != nil {
- return result, err
- }
- s.Authentication.ClientCert.ClientCA = clientCACertFile
+
 s.SecureServing.ExternalAddress = s.SecureServing.Listener.Addr().(*net.TCPAddr).IP // use listener addr although it is a loopback device
 _, thisFile, _, ok := runtime.Caller(0)
diff --git a/test/integration/examples/apiserver_test.go b/test/integration/examples/apiserver_test.go
index 85a62cd730b..e858834a630 100644
--- a/test/integration/examples/apiserver_test.go
+++ b/test/integration/examples/apiserver_test.go
@@ -58,7 +58,7 @@ func TestAggregatedAPIServer(t *testing.T) {
 stopCh := make(chan struct{})
 defer close(stopCh)
- testServer := kastesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
+ testServer := kastesting.StartTestServerOrDie(t, &kastesting.TestServerInstanceOptions{EnableCertAuth: true}, nil, framework.SharedEtcd())
 defer testServer.TearDownFn()
 kubeClientConfig := rest.CopyConfig(testServer.ClientConfig) // force json because everything speaks it
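Review bot: In the `StartTestServer` hunk of `testserver.go`, the new `if instanceOptions.EnableCertAuth` branch has no comment saying what a server started with the flag off looks like, although `s.Authentication.RequestHeader.ClientCAFile` and `s.Authentication.ClientCert.ClientCA` are now assigned only inside it. Presumably that leaves the test apiserver without a client CA and a request-header CA, which matters to anyone writing authentication tests against this helper. I would state it above the branch, e.g. `// With EnableCertAuth unset no client CA or request-header CA is configured; tests of cert-based authentication must set it.` The function starts and ends outside the hunk, so whether a nil `instanceOptions` is replaced by defaults before this dereference is not visible here.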