From 5760fe1957e9ee62fbe114e8eb71f5125d0ab450 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Tue, 23 Jun 2015 20:54:19 -0700
Subject: [PATCH] use ca.crt as client certificate authority for inClusterConfig

---
 pkg/client/helper.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index 36508a25fa3..cb658838a8c 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -29,6 +29,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/registered"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
@@ -236,17 +237,24 @@ func NewOrDie(c *Config) *Client {
 // running inside a pod running on kuberenetes. It will return an error if
 // called from a process not running in a kubernetes environment.
 func InClusterConfig() (*Config, error) {
-	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/" + api.ServiceAccountTokenKey)
 	if err != nil {
 		return nil, err
 	}
 
+	tlsClientConfig := TLSClientConfig{}
+	rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + api.ServiceAccountRootCAKey
+	if _, err := util.CertPoolFromFile(rootCAFile); err != nil {
+		glog.Errorf("expected to load root ca config from %s, but got err: %v", rootCAFile, err)
+	} else {
+		tlsClientConfig.CAFile = rootCAFile
+	}
+
 	return &Config{
 		// TODO: switch to using cluster DNS.
-		Host:        "https://" + net.JoinHostPort(os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")),
-		Version:     "v1beta3",
-		BearerToken: string(token),
-		// TODO: package certs along with the token
-		Insecure:    true,
+		Host:            "https://" + net.JoinHostPort(os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")),
+		Version:         "v1beta3",
+		BearerToken:     string(token),
+		TLSClientConfig: tlsClientConfig,
 	}, nil
 }
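Review bot: The `err != nil` branch of the `util.CertPoolFromFile` check only logs and then returns a Config whose TLSClientConfig carries no CAFile, so a missing or unreadable ca.crt surfaces later as a TLS verification failure on the first API request instead of as an error from InClusterConfig, which is what the doc comment above the function promises for a broken environment. Failing closed is the right default now that `Insecure: true` is gone, but the failure should be returned rather than logged: replace the `glog.Errorf` line with `return nil, fmt.Errorf("expected to load root ca config from %s, but got err: %v", rootCAFile, err)`, drop the `else`, and set `tlsClientConfig.CAFile = rootCAFile` unconditionally after the check. If log-and-continue is intentional for clusters whose service-account secrets do not yet contain ca.crt, the doc comment should say that the returned Config will then verify the API server against the system roots rather than the cluster CA. Whether `fmt` is already imported in this file is not visible from the hunk.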