mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
Merge pull request #65832 from sttts/sttts-apiserver-reusable-loopback-logic
Automatic merge from submit-queue (batch tested with PRs 65832, 66160, 66145). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. apiserver: make loopback logic in SecureServingOptions reusable For reuse in other components this PR separates the loopback logic from the GenericApiServer config.
This commit is contained in:
commit
60ca804515
@ -433,7 +433,7 @@ func BuildGenericConfig(
|
||||
if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
|
||||
return
|
||||
}
|
||||
if lastErr = s.SecureServing.ApplyTo(genericConfig); lastErr != nil {
|
||||
if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
|
||||
return
|
||||
}
|
||||
if lastErr = s.Authentication.ApplyTo(genericConfig); lastErr != nil {
|
||||
|
@ -410,24 +410,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
|
||||
c.DiscoveryAddresses = discovery.DefaultAddresses{DefaultAddress: c.ExternalAddress}
|
||||
}
|
||||
|
||||
// If the loopbackclientconfig is specified AND it has a token for use against the API server
|
||||
// wrap the authenticator and authorizer in loopback authentication logic
|
||||
if c.Authentication.Authenticator != nil && c.Authorization.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 {
|
||||
privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken
|
||||
var uid = uuid.NewRandom().String()
|
||||
tokens := make(map[string]*user.DefaultInfo)
|
||||
tokens[privilegedLoopbackToken] = &user.DefaultInfo{
|
||||
Name: user.APIServerUser,
|
||||
UID: uid,
|
||||
Groups: []string{user.SystemPrivilegedGroup},
|
||||
}
|
||||
|
||||
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
|
||||
c.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authentication.Authenticator)
|
||||
|
||||
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
c.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorization.Authorizer)
|
||||
}
|
||||
AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
|
||||
|
||||
if c.RequestInfoResolver == nil {
|
||||
c.RequestInfoResolver = NewRequestInfoResolver(c)
|
||||
@ -632,3 +615,26 @@ func (s *SecureServingInfo) HostPort() (string, int, error) {
|
||||
}
|
||||
return host, port, nil
|
||||
}
|
||||
|
||||
// AuthorizeClientBearerToken wraps the authenticator and authorizer in loopback authentication logic
|
||||
// if the loopback client config is specified AND it has a bearer token.
|
||||
func AuthorizeClientBearerToken(loopback *restclient.Config, authn *AuthenticationInfo, authz *AuthorizationInfo) {
|
||||
if loopback == nil || authn == nil || authz == nil || authn.Authenticator == nil && authz.Authorizer == nil || len(loopback.BearerToken) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
privilegedLoopbackToken := loopback.BearerToken
|
||||
var uid = uuid.NewRandom().String()
|
||||
tokens := make(map[string]*user.DefaultInfo)
|
||||
tokens[privilegedLoopbackToken] = &user.DefaultInfo{
|
||||
Name: user.APIServerUser,
|
||||
UID: uid,
|
||||
Groups: []string{user.SystemPrivilegedGroup},
|
||||
}
|
||||
|
||||
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
|
||||
authn.Authenticator = authenticatorunion.New(tokenAuthenticator, authn.Authenticator)
|
||||
|
||||
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
authz.Authorizer = authorizerunion.New(tokenAuthorizer, authz.Authorizer)
|
||||
}
|
||||
|
@ -83,7 +83,7 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
|
||||
if err := o.Etcd.ApplyTo(&config.Config); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := o.SecureServing.ApplyTo(&config.Config); err != nil {
|
||||
if err := o.SecureServing.ApplyTo(&config.Config.SecureServing, &config.Config.LoopbackClientConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil {
|
||||
|
@ -485,7 +485,7 @@ func TestServerRunWithSNI(t *testing.T) {
|
||||
// get port
|
||||
secureOptions.BindPort = ln.Addr().(*net.TCPAddr).Port
|
||||
config.LoopbackClientConfig = &restclient.Config{}
|
||||
if err := secureOptions.ApplyTo(&config); err != nil {
|
||||
if err := secureOptions.ApplyTo(&config.SecureServing, &config.LoopbackClientConfig); err != nil {
|
||||
t.Fatalf("failed applying the SecureServingOptions: %v", err)
|
||||
}
|
||||
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
"github.com/pborman/uuid"
|
||||
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/client-go/rest"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
)
|
||||
|
||||
@ -35,16 +36,16 @@ func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
|
||||
}
|
||||
|
||||
// ApplyTo fills up serving information in the server configuration.
|
||||
func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
|
||||
if s == nil || s.SecureServingOptions == nil {
|
||||
func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.SecureServingInfo, loopbackClientConfig **rest.Config) error {
|
||||
if s == nil || s.SecureServingOptions == nil || secureServingInfo == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if err := s.SecureServingOptions.ApplyTo(&c.SecureServing); err != nil {
|
||||
if err := s.SecureServingOptions.ApplyTo(secureServingInfo); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if c.SecureServing == nil {
|
||||
if *secureServingInfo == nil || loopbackClientConfig == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -59,18 +60,18 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
|
||||
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
|
||||
}
|
||||
|
||||
secureLoopbackClientConfig, err := c.SecureServing.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
|
||||
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
|
||||
switch {
|
||||
// if we failed and there's no fallback loopback client config, we need to fail
|
||||
case err != nil && c.LoopbackClientConfig == nil:
|
||||
case err != nil && secureLoopbackClientConfig == nil:
|
||||
return err
|
||||
|
||||
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
||||
case err != nil && c.LoopbackClientConfig != nil:
|
||||
case err != nil && secureLoopbackClientConfig != nil:
|
||||
|
||||
default:
|
||||
c.LoopbackClientConfig = secureLoopbackClientConfig
|
||||
c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
|
||||
*loopbackClientConfig = secureLoopbackClientConfig
|
||||
(*secureServingInfo).SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
|
||||
}
|
||||
|
||||
return nil
|
||||
|
Loading…
Reference in New Issue
Block a user