Add a third port which has HTTPS and auth(n,z)

It is disabled by default. Document all the various and sundry (3) ports.
2025-09-15 14:14:39 +00:00 · 2014-11-05 16:05:06 -08:00
parent 6c70227a2e
commit 53f9d42ed3
2 changed files with 103 additions and 3 deletions
--- a/cmd/apiserver/apiserver.go
+++ b/cmd/apiserver/apiserver.go
@@ -57,15 +57,18 @@ var (
 		"The port from which to serve read-only resources. If 0, don't serve on a "+
 		"read-only address. It is assumed that firewall rules are set up such that "+
 		"this port is not reachable from outside of the cluster.")
+	securePort              = flag.Int("secure_port", 0, "The port from which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS ")
+	tlsCertFile             = flag.String("tls_cert_file", "", "File containing x509 Certificate for HTTPS.  (CA cert, if any, concatenated after server cert).")
+	tlsPrivateKeyFile       = flag.String("tls_private_key_file", "", "File containing x509 private key matching --tls_cert_file.")
 	apiPrefix               = flag.String("api_prefix", "/api", "The prefix for API requests on the server. Default '/api'.")
 	storageVersion          = flag.String("storage_version", "", "The version to store resources with. Defaults to server preferred")
 	cloudProvider           = flag.String("cloud_provider", "", "The provider for cloud services.  Empty string for no provider.")
 	cloudConfigFile         = flag.String("cloud_config", "", "The path to the cloud provider configuration file.  Empty string for no configuration file.")
 	healthCheckMinions      = flag.Bool("health_check_minions", true, "If true, health check minions and filter unhealthy ones. Default true.")
 	eventTTL                = flag.Duration("event_ttl", 48*time.Hour, "Amount of time to retain events. Default 2 days.")
-	tokenAuthFile           = flag.String("token_auth_file", "", "If set, the file that will be used to secure the API server via token authentication.")
-	authorizationMode       = flag.String("authorization_mode", "AlwaysAllow", "Selects how to do authorization.  One of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
-	authorizationPolicyFile = flag.String("authorization_policy_file", "", "File with authorization policy in csv format, used with --authorization_mode=ABAC.")
+	tokenAuthFile           = flag.String("token_auth_file", "", "If set, the file that will be used to secure the secure port of the API server via token authentication.")
+	authorizationMode       = flag.String("authorization_mode", "AlwaysAllow", "Selects how to do authorization on the secure port.  One of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
+	authorizationPolicyFile = flag.String("authorization_policy_file", "", "File with authorization policy in csv format, used with --authorization_mode=ABAC, on the secure port.")
 	etcdServerList          util.StringList
 	etcdConfigFile          = flag.String("etcd_config", "", "The config file for the etcd client. Mutually exclusive with -etcd_servers.")
 	corsAllowedOriginList   util.StringList
@@ -172,10 +175,15 @@ func main() {
 	}
 	m := master.New(config)

+	// We serve on 3 ports.  See docs/reaching_the_api.md
 	roLocation := ""
 	if *readOnlyPort != 0 {
 		roLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(config.ReadOnlyPort))
 	}
+	secureLocation := ""
+	if *securePort != 0 {
+		secureLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(*securePort))
+	}
 	rwLocation := net.JoinHostPort(address.String(), strconv.Itoa(int(*port)))

 	// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
@@ -190,6 +198,7 @@ func main() {
 			WriteTimeout:   5 * time.Minute,
 			MaxHeaderBytes: 1 << 20,
 		}
+		glog.Infof("Serving read-only insecurely on %s", roLocation)
 		go func() {
 			defer util.HandleCrash()
 			for {
@@ -201,6 +210,26 @@ func main() {
 		}()
 	}

+	if secureLocation != "" {
+		secureServer := &http.Server{
+			Addr:           secureLocation,
+			Handler:        apiserver.RecoverPanics(m.Handler),
+			ReadTimeout:    5 * time.Minute,
+			WriteTimeout:   5 * time.Minute,
+			MaxHeaderBytes: 1 << 20,
+		}
+		glog.Infof("Serving securely on %s", secureLocation)
+		go func() {
+			defer util.HandleCrash()
+			for {
+				if err := secureServer.ListenAndServeTLS(*tlsCertFile, *tlsPrivateKeyFile); err != nil {
+					glog.Errorf("Unable to listen for secure (%v); will try again.", err)
+				}
+				time.Sleep(15 * time.Second)
+			}
+		}()
+	}
+
 	s := &http.Server{
 		Addr:           rwLocation,
 		Handler:        apiserver.RecoverPanics(m.InsecureHandler),
@@ -208,5 +237,6 @@ func main() {
 		WriteTimeout:   5 * time.Minute,
 		MaxHeaderBytes: 1 << 20,
 	}
+	glog.Infof("Serving insecurely on %s", rwLocation)
 	glog.Fatal(s.ListenAndServe())
 }