github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-20 17:38:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #50476 from caesarxuchao/plumb-proxy

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237)

Plumbing the proxy dialer to the webhook admission plugin

* Fixing https://github.com/kubernetes/kubernetes/issues/49987. Plumb the `Dial` function to the `transport.Config`
* Fixing https://github.com/kubernetes/kubernetes/issues/52366. Let the webhook admission plugin sets the `TLSConfg.ServerName`.

I tested it in my gke setup. I don't have time to implement an e2e test before 1.8 release. I think it's ok to add the test later, because *i)* the change only affects the alpha webhook admission feature, and *ii)* the webhook feature is unusable without the fix. That said, it's up to my reviewer to decide.

Filed https://github.com/kubernetes/kubernetes/issues/52368 for the missing e2e test.

( The second commit is https://github.com/kubernetes/kubernetes/pull/52372, which is just a cleanup of client configuration in e2e tests. It removed a function that marshalled the client config to json and then unmarshalled it. It is a prerequisite of this PR, because this PR added the `Dial` function to the config which is not json marshallable.)

```release-note
Fixed the webhook admission plugin so that it works even if the apiserver and the nodes are in two networks (e.g., in GKE).
Fixed the webhook admission plugin so that webhook author could use the DNS name of the service as the CommonName when generating the server cert for the webhook.

Action required:
Anyone who generated server cert for admission webhooks need to regenerate the cert. Previously, when generating server cert for the admission webhook, the CN value doesn't matter. Now you must set it to the DNS name of the webhook service, i.e., `<service.Name>.<service.Namespace>.svc`.
```
This commit is contained in:
Kubernetes Submit Queue
2017-09-15 01:08:01 -07:00
committed by GitHub
parent b3e641d7f3 856a1db57a
commit 7181dd4946
11 changed files with 258 additions and 205 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/kube-apiserver/app/server.go
View File

@@ -251,7 +251,7 @@ func CreateNodeDialer(s *options.ServerRunOptions) (tunneler.Tunneler, *http.Tra
} }
// CreateKubeAPIServerConfig creates all the resources for running the API server, but runs none of them // CreateKubeAPIServerConfig creates all the resources for running the API server, but runs none of them
func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunneler.Tunneler, proxyTransport http.RoundTripper) (*master.Config, informers.SharedInformerFactory, clientgoinformers.SharedInformerFactory, *kubeserver.InsecureServingInfo, aggregatorapiserver.ServiceResolver, error) { func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunneler.Tunneler, proxyTransport *http.Transport) (*master.Config, informers.SharedInformerFactory, clientgoinformers.SharedInformerFactory, *kubeserver.InsecureServingInfo, aggregatorapiserver.ServiceResolver, error) {
// set defaults in the options before trying to create the generic config // set defaults in the options before trying to create the generic config
if err := defaultOptions(s); err != nil { if err := defaultOptions(s); err != nil {
return nil, nil, nil, nil, nil, err return nil, nil, nil, nil, nil, err
@@ -269,8 +269,7 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele
return nil, nil, nil, nil, nil, err return nil, nil, nil, nil, nil, err
} }
} }
genericConfig, sharedInformers, versionedInformers, insecureServingOptions, serviceResolver, err := BuildGenericConfig(s, proxyTransport)
genericConfig, sharedInformers, versionedInformers, insecureServingOptions, serviceResolver, err := BuildGenericConfig(s)
if err != nil { if err != nil {
return nil, nil, nil, nil, nil, err return nil, nil, nil, nil, nil, err
} }
@@ -354,7 +353,7 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele
} }
// BuildGenericConfig takes the master server options and produces the genericapiserver.Config associated with it // BuildGenericConfig takes the master server options and produces the genericapiserver.Config associated with it
func BuildGenericConfig(s *options.ServerRunOptions) (*genericapiserver.Config, informers.SharedInformerFactory, clientgoinformers.SharedInformerFactory, *kubeserver.InsecureServingInfo, aggregatorapiserver.ServiceResolver, error) { func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transport) (*genericapiserver.Config, informers.SharedInformerFactory, clientgoinformers.SharedInformerFactory, *kubeserver.InsecureServingInfo, aggregatorapiserver.ServiceResolver, error) {
genericConfig := genericapiserver.NewConfig(api.Codecs) genericConfig := genericapiserver.NewConfig(api.Codecs)
if err := s.GenericServerRunOptions.ApplyTo(genericConfig); err != nil { if err := s.GenericServerRunOptions.ApplyTo(genericConfig); err != nil {
return nil, nil, nil, nil, nil, err return nil, nil, nil, nil, nil, err
@@ -460,6 +459,7 @@ func BuildGenericConfig(s *options.ServerRunOptions) (*genericapiserver.Config,
sharedInformers, sharedInformers,
genericConfig.Authorizer, genericConfig.Authorizer,
serviceResolver, serviceResolver,
proxyTransport,
) )
if err != nil { if err != nil {
return nil, nil, nil, nil, nil, fmt.Errorf("failed to create admission plugin initializer: %v", err) return nil, nil, nil, nil, nil, fmt.Errorf("failed to create admission plugin initializer: %v", err)
@@ -476,7 +476,7 @@ func BuildGenericConfig(s *options.ServerRunOptions) (*genericapiserver.Config,
} }
// BuildAdmissionPluginInitializer constructs the admission plugin initializer // BuildAdmissionPluginInitializer constructs the admission plugin initializer
func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client internalclientset.Interface, externalClient clientset.Interface, sharedInformers informers.SharedInformerFactory, apiAuthorizer authorizer.Authorizer, serviceResolver aggregatorapiserver.ServiceResolver) (admission.PluginInitializer, error) { func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client internalclientset.Interface, externalClient clientset.Interface, sharedInformers informers.SharedInformerFactory, apiAuthorizer authorizer.Authorizer, serviceResolver aggregatorapiserver.ServiceResolver, proxyTransport *http.Transport) (admission.PluginInitializer, error) {
var cloudConfig []byte var cloudConfig []byte
if s.CloudProvider.CloudConfigFile != "" { if s.CloudProvider.CloudConfigFile != "" {
@@ -510,6 +510,7 @@ func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client interna
} }
pluginInitializer = pluginInitializer.SetServiceResolver(serviceResolver) pluginInitializer = pluginInitializer.SetServiceResolver(serviceResolver)
pluginInitializer = pluginInitializer.SetProxyTransport(proxyTransport)
return pluginInitializer, nil return pluginInitializer, nil
} }

22
pkg/kubeapiserver/admission/initializer.go
View File

@@ -17,6 +17,7 @@ limitations under the License.
package admission package admission
import ( import (
"net/http"
"net/url" "net/url"
"k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/meta"
@@ -88,6 +89,12 @@ type ServiceResolver interface {
ResolveEndpoint(namespace, name string) (*url.URL, error) ResolveEndpoint(namespace, name string) (*url.URL, error)
} }
// WantsProxyTransport defines a fuction that accepts a proxy transport for admission
// plugins that need to make calls to pods.
type WantsProxyTransport interface {
SetProxyTransport(proxyTransport *http.Transport)
}
type PluginInitializer struct { type PluginInitializer struct {
internalClient internalclientset.Interface internalClient internalclientset.Interface
externalClient clientset.Interface externalClient clientset.Interface
@@ -99,8 +106,9 @@ type PluginInitializer struct {
serviceResolver ServiceResolver serviceResolver ServiceResolver
// for proving we are apiserver in call-outs // for proving we are apiserver in call-outs
clientCert []byte clientCert []byte
clientKey []byte clientKey []byte
proxyTransport *http.Transport
} }
var _ admission.PluginInitializer = &PluginInitializer{} var _ admission.PluginInitializer = &PluginInitializer{}
@@ -142,6 +150,12 @@ func (i *PluginInitializer) SetClientCert(cert, key []byte) *PluginInitializer {
return i return i
} }
// SetProxyTransport sets the proxyTransport which is needed by some plugins.
func (i *PluginInitializer) SetProxyTransport(proxyTransport *http.Transport) *PluginInitializer {
i.proxyTransport = proxyTransport
return i
}
// Initialize checks the initialization interfaces implemented by each plugin // Initialize checks the initialization interfaces implemented by each plugin
// and provide the appropriate initialization data // and provide the appropriate initialization data
func (i *PluginInitializer) Initialize(plugin admission.Interface) { func (i *PluginInitializer) Initialize(plugin admission.Interface) {
@@ -186,4 +200,8 @@ func (i *PluginInitializer) Initialize(plugin admission.Interface) {
} }
wants.SetClientCert(i.clientCert, i.clientKey) wants.SetClientCert(i.clientCert, i.clientKey)
} }
if wants, ok := plugin.(WantsProxyTransport); ok {
wants.SetProxyTransport(i.proxyTransport)
}
} }

20
plugin/pkg/admission/webhook/admission.go
View File

@@ -21,6 +21,8 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"net"
"net/http"
"sync" "sync"
"time" "time"
@@ -106,6 +108,7 @@ type GenericAdmissionWebhook struct {
negotiatedSerializer runtime.NegotiatedSerializer negotiatedSerializer runtime.NegotiatedSerializer
clientCert []byte clientCert []byte
clientKey []byte clientKey []byte
proxyTransport *http.Transport
} }
var ( var (
@@ -114,6 +117,10 @@ var (
_ = admissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{}) _ = admissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{})
) )
func (a *GenericAdmissionWebhook) SetProxyTransport(pt *http.Transport) {
a.proxyTransport = pt
}
func (a *GenericAdmissionWebhook) SetServiceResolver(sr admissioninit.ServiceResolver) { func (a *GenericAdmissionWebhook) SetServiceResolver(sr admissioninit.ServiceResolver) {
a.serviceResolver = sr a.serviceResolver = sr
} }
@@ -242,20 +249,27 @@ func (a *GenericAdmissionWebhook) hookClient(h *v1alpha1.ExternalAdmissionHook)
return nil, err return nil, err
} }
var dial func(network, addr string) (net.Conn, error)
if a.proxyTransport != nil && a.proxyTransport.Dial != nil {
dial = a.proxyTransport.Dial
}
// TODO: cache these instead of constructing one each time // TODO: cache these instead of constructing one each time
cfg := &rest.Config{ cfg := &rest.Config{
Host: u.Host, Host: u.Host,
APIPath: u.Path, APIPath: u.Path,
TLSClientConfig: rest.TLSClientConfig{ TLSClientConfig: rest.TLSClientConfig{
CAData: h.ClientConfig.CABundle, ServerName: h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + ".svc",
CertData: a.clientCert, CAData: h.ClientConfig.CABundle,
KeyData: a.clientKey, CertData: a.clientCert,
KeyData: a.clientKey,
}, },
UserAgent: "kube-apiserver-admission", UserAgent: "kube-apiserver-admission",
Timeout: 30 * time.Second, Timeout: 30 * time.Second,
ContentConfig: rest.ContentConfig{ ContentConfig: rest.ContentConfig{
NegotiatedSerializer: a.negotiatedSerializer, NegotiatedSerializer: a.negotiatedSerializer,
}, },
Dial: dial,
} }
return rest.UnversionedRESTClientFor(cfg) return rest.UnversionedRESTClientFor(cfg)
} }

42
plugin/pkg/admission/webhook/admission_test.go
View File

@@ -53,6 +53,7 @@ func (f *fakeHookSource) Run(stopCh <-chan struct{}) {}
type fakeServiceResolver struct { type fakeServiceResolver struct {
base url.URL base url.URL
path string
} }
func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) { func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
@@ -60,7 +61,7 @@ func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL,
return nil, fmt.Errorf("couldn't resolve service location") return nil, fmt.Errorf("couldn't resolve service location")
} }
u := f.base u := f.base
u.Path = name u.Path = f.path
return &u, nil return &u, nil
} }
@@ -89,7 +90,6 @@ func TestAdmit(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
wh.serviceResolver = fakeServiceResolver{*serverURL}
wh.clientCert = clientCert wh.clientCert = clientCert
wh.clientKey = clientKey wh.clientKey = clientKey
@@ -123,16 +123,16 @@ func TestAdmit(t *testing.T) {
type test struct { type test struct {
hookSource fakeHookSource hookSource fakeHookSource
path string
expectAllow bool expectAllow bool
errorContains string errorContains string
} }
ccfg := func(result string) registrationv1alpha1.AdmissionHookClientConfig { ccfg := registrationv1alpha1.AdmissionHookClientConfig{
return registrationv1alpha1.AdmissionHookClientConfig{ Service: registrationv1alpha1.ServiceReference{
Service: registrationv1alpha1.ServiceReference{ Name: "webhook-test",
Name: result, Namespace: "default",
}, },
CABundle: caCert, CABundle: caCert,
}
} }
matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{ matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
@@ -148,66 +148,72 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "nomatch", Name: "nomatch",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg,
Rules: []registrationv1alpha1.RuleWithOperations{{ Rules: []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
}}, }},
}}, }},
}, },
path: "disallow",
expectAllow: true, expectAllow: true,
}, },
"match & allow": { "match & allow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "allow", Name: "allow",
ClientConfig: ccfg("allow"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "allow",
expectAllow: true, expectAllow: true,
}, },
"match & disallow": { "match & disallow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallow", Name: "disallow",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "disallow",
errorContains: "without explanation", errorContains: "without explanation",
}, },
"match & disallow ii": { "match & disallow ii": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallowReason", Name: "disallowReason",
ClientConfig: ccfg("disallowReason"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "disallowReason",
errorContains: "you shall not pass", errorContains: "you shall not pass",
}, },
"match & fail (but allow because fail open)": { "match & fail (but allow because fail open)": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfg("internalErr"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}, { }, {
Name: "invalidReq B", Name: "internalErr B",
ClientConfig: ccfg("invalidReq"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}, { }, {
Name: "invalidResp C", Name: "internalErr C",
ClientConfig: ccfg("invalidResp"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "internalErr",
expectAllow: true, expectAllow: true,
}, },
} }
for name, tt := range table { for name, tt := range table {
wh.hookSource = &tt.hookSource wh.hookSource = &tt.hookSource
wh.serviceResolver = fakeServiceResolver{base: *serverURL, path: tt.path}
err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo)) err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo))
if tt.expectAllow != (err == nil) { if tt.expectAllow != (err == nil) {

337
plugin/pkg/admission/webhook/certs_test.go
View File

@@ -20,199 +20,196 @@ limitations under the License.
package webhook package webhook
var caKey = []byte(`-----BEGIN RSA PRIVATE KEY----- var caKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA5qdHpJR3sAg1afEWLlnxdbDV1LtAvCd9WWE/4g71+BBwvwLL MIIEowIBAAKCAQEArHdRY9333U04xKotqnwKwJ52ihSGwr5hf4XkoZ46+ZYiaPS1
C/piPRi+m/7AYHJ9zoVwvwAUYBJM2ppQV2Gwsq4XA5dLvr8fXt4+YA/sLTAo0PAm sEeKkFPRZEZIK22cd/2glyy+AsEURi8yeFut7exu41Y6M5Cfgf64keY2EgRu9DlB
/QQmZziHU9v7OJ04ypjTTuA86D/EkkpEP7lRkN/NFpV3PhU0F5TTrkrzSpePBIR1 ZyQBTD67TfA64xRbztHmgJpBZHpd00R9o1I05OYso7ALFiqEtHDPvUj3PU17h7c3
aPSzh/6Um6TtFk9oiqat05leWcMzonizrgeQU9EW6bSYY5w+gq1X2eZb1s9eR98H xEfq1k7kQq8Tr0EbEQ+GWdE/X0IHW4J4pIjK010KHZSJz4W0wuVgsjDDvV4RGPIR
0xcZfoh3qHmJ1Iq9Cc2Nr+MUohm2m45ozT+1L+g46ZMJxyPB6xLr7uOhkoJsK30q cXT/nH36gmM+rcxNgtHgNHCSQ7i6ioUMjvg3utp08Vtw0icK9V5MV2MAGjNh5zCi
67AZKPo58tDTmEKSXfBotIvFI5N9P3sAWxcTiQIDAQABAoIBAAaJHOWT82RAh0ru Uvl+9rTsW5v7tR9Y5puWqBPEWaBpwJwjJlEaAQIDAQABAoIBAC7xMxgJnKOBl0gA
MuOzVr0v+o8hky8Bq3KZ59Z++AdEZ/1xldFMEfaLOfNvn4HcHKZ6b3xqAynJuvXC Qfm7VXnkJ8OhnqR3CTaajQZoeQjiEm+a27ElZ9Os3Lt8XbxkU0hdok5DgVxijVAl
w54GPZyChFJsug+4mKn2gCv2p4mMQMvS0jf/IxtvpZ4BsLek9NQAypQElJU8IVTH HImh+o9d4TjDiYfrf170o+wiSulQh5q10tVt+WR1Vqn6Dy0rp2l9vE2Yrt/YZp1Q
1/E6Tg5d2RDXwV43+Zbld64Ln6MwZGwv8UFPEHylDMjwkex5u3tzVBD5NaegI0MD cRn5ECiVdeT/z6Sy4ffzFLgimhj3AUyipDpBUdvqNnC6+OP2T5ZXDGC2LJGU6v4z
AHAf3fiCsANmAeGWjTvUXQsOes6wjaHw6kbih5QrXM6iThHfU/YHXYmgfdfSSIFC zLwjFV1pMRgxLJFoCD9Zy200OkbMYYAhYgaiXMyu5ZU3AjWynPdswANshccAtFt8
4puLaehp3/U8HcI97xN238B0khnkOVHzUmRJpmf17SWFSkOAZyUMiFfTSFSOedvu wqVICN20HEoOW1PEM+Z1wOUxpQYUOfL3ieJp9WKklHe7vbY3Iuaotg0Gmg74TNbR
lFO7v0UCgYEA/FczxADDZXq4SSTvrU61XzolgI//OKblsqe4RW8JGtk8pwjZdYOQ 8dcJsjkCgYEA4i1TcnUenv7Tdj9ectN6vXNeGrBUvBO4XFHKauBcGnhZQLuS9GRt
v4UAYEcv5rUWA3wWohcjgNWzI9EzdhOCYpC9YFqbHJalmwhGgOjRCvDy581pcXz7 cUJ+Y3rRLpf7rKE18Zl0YDgJRycfsNjbI6U74pcXZ/XBySPLGcfVrEqaTZ9o5apV
xsfkm2loWm3g+PcrCIset2tGQw/5gqSkBW42E/U0ba25wCS6RlYWCFsCgYEA6f+Q UOwbKkP1vtEuGLipFVuvZdinVLAs5QFrO2HoqmXqcYQhjVqHtT0NmGcCgYEAwzT2
vENXPmBUBW8TsyjWj7MZKVzKuV2yyKT37Mf7RmrpSNpft0PLJDqGqRMfhe1J7Adm UI/r14yRH7oaRU/cPmDG0pCfMjaXlKmU/oaqyYypn750NiyZqSWdZf7rhBxOCbPE
Np1fv/18RngjGjV3fSnjbvQ51748gabwzGZKWKiWJPsRDqjEriiQcFInhaqVJs7F tEtTGAPgGkEbb5GmpEDuJRtuj25kT0kIGqU6KjnYR0OO3iIr6mQN12Cv16JiFN5B
D0TaWalBHWyjPHCQQx7rWqA8tr3Wpga0AhNUuOsCgYEAnbrQU7L6cEM+UBIzcswh VNpNSXkR8Hi2kQimz1W/KzUXoInbzaEji9WF2VcCgYEA0FWt6t0k8pGJmP8v8ZcJ
GO4apPrdWIcSSxMFXvlh4pNpkys36nmbj+tN6eB1c6s7oF//McBu48gwWrIYjbTy FR8CjJTlyERl6mvQhvfY/uziUbU13PXwtYXpQ5rquf927IGmXb/bKZIUQb0w/MYT
KjQ4+7KHBF6yE28fytI8YK9t1jESuOqb4ovuPKqtnODT4Ct3jbaQM6xtVdv1ZZEO vNbDvaks/y6pbKwStdGT6VrinSN8DSkD40FImHr3DuhBjLXz0V+dxbN2FpUdFWhk
KYrTaLQ72lbeJdmPSgnjacMCgYASip6kXE2ocqeVuqR7+MtvnYhr359sqsEE5xWC LNO369VqyVtLSJgeLvxo3HsCgYA12kaZsxq9PGpM9mqI9J8uFkTDkmJY1/a5bI9O
HKKLhOMxU6Rr+CI7n6uV8B76VMAbxMZTo4q3wtU7HD/jzsLGFzCfVRjUQI241EqW KJi1QbkJ+ODWkTdTEq15lfojWCuvQYjitGUYGvmYRJ3tCaGPbtpEIm095JaHyP4T
V7Cib9Fd4ssKN1NGXY58Z/YbwFWLOq0gtZr7qc6wDzCsFFtKBkQt7S6CaG5+v186 W8HQJGUmQ90GKycyYqfu4x2fv4yPdUFQx2jK/DuWu7aiDGD4kg9LPDpob5/T+sBz
HuACuwKBgEd0JaREFj6AG6boytQAx+Npj+wGG7K22O8v9YslJjaS5t2i8XrvIr0F s1RZwQKBgDhwksMQXoEbQLdpllqOL45hmXu06/eOnG4tCY3OXlTf8UQXn31aPXdr
5ltR8Ijegp9a2pCgjshaEzUqMHhxX3EGvUxVM4R430EaQ933WRPmiLlVLyhthYt0 75W8VyyyB7vlNj414jI8N5xriGuRt36ihC3vmz+RotcHhCjH4sXnylP7hwg1ZuGh
9oPxMoN783J7UP/IkBc6AGi3a4uTn/h6Vi884wOLop4bmsK37uIt QE9Df6To9LjpRfZZZ9KdAnyx7P/OZPgXPcK7vd9U3+JQ4E8YW4qG
-----END RSA PRIVATE KEY-----`) -----END RSA PRIVATE KEY-----`)
var caCert = []byte(`-----BEGIN CERTIFICATE----- var caCert = []byte(`-----BEGIN CERTIFICATE-----
MIIDhDCCAmygAwIBAgIJAIf67NAEFfGmMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV MIIDPTCCAiWgAwIBAgIJAKa7yqtdLQh0MA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAMUKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX BAMMKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX
DTE3MDUwNDIyMzMyOFoYDzIyOTEwMjE3MjIzMzI4WjA0MTIwMAYDVQQDFClnZW5l DTE3MDkxMzAwMTAwNFoYDzIyOTEwNjI5MDAxMDA0WjA0MTIwMAYDVQQDDClnZW5l
cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jYTCCASIwDQYJKoZI cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jYTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAOanR6SUd7AINWnxFi5Z8XWw1dS7QLwnfVlh hvcNAQEBBQADggEPADCCAQoCggEBAKx3UWPd991NOMSqLap8CsCedooUhsK+YX+F
P+IO9fgQcL8Cywv6Yj0Yvpv+wGByfc6FcL8AFGASTNqaUFdhsLKuFwOXS76/H17e 5KGeOvmWImj0tbBHipBT0WRGSCttnHf9oJcsvgLBFEYvMnhbre3sbuNWOjOQn4H+
PmAP7C0wKNDwJv0EJmc4h1Pb+zidOMqY007gPOg/xJJKRD+5UZDfzRaVdz4VNBeU uJHmNhIEbvQ5QWckAUw+u03wOuMUW87R5oCaQWR6XdNEfaNSNOTmLKOwCxYqhLRw
065K80qXjwSEdWj0s4f+lJuk7RZPaIqmrdOZXlnDM6J4s64HkFPRFum0mGOcPoKt z71I9z1Ne4e3N8RH6tZO5EKvE69BGxEPhlnRP19CB1uCeKSIytNdCh2Uic+FtMLl
V9nmW9bPXkffB9MXGX6Id6h5idSKvQnNja/jFKIZtpuOaM0/tS/oOOmTCccjwesS YLIww71eERjyEXF0/5x9+oJjPq3MTYLR4DRwkkO4uoqFDI74N7radPFbcNInCvVe
6+7joZKCbCt9KuuwGSj6OfLQ05hCkl3waLSLxSOTfT97AFsXE4kCAwEAAaOBljCB TFdjABozYecwolL5fva07Fub+7UfWOablqgTxFmgacCcIyZRGgECAwEAAaNQME4w
kzAdBgNVHQ4EFgQU55hOE1Dsydy16+6wgOxwsPKZ8JEwZAYDVR0jBF0wW4AU55hO HQYDVR0OBBYEFPa03YxFI220gcsALquzjQkfHztBMB8GA1UdIwQYMBaAFPa03YxF
E1Dsydy16+6wgOxwsPKZ8JGhOKQ2MDQxMjAwBgNVBAMUKWdlbmVyaWNfd2ViaG9v I220gcsALquzjQkfHztBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
a19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhggkAh/rs0AQV8aYwDAYDVR0TBAUw AJkgjVhVNAoVdNA55qPPYxouOpOUNyy6GV8ZKCSepz4O5uSRl1FHxTIoodnYzBvO
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAtEa7AMnFdc/GmVrtY0aOmA3h1WJ/rhhd RkYBJCMupB4Ee+wuMlZGPd3Tfnl6SaP1V4vGYD1iS4otMM6J2tTJBxoLqQwNaDkc
SnVOp7LmA+1jnA6FMMvVCOFflYLfBwLhIPjPj4arQadWHyd5Quok6GIqgzL4RkK7 S2E2zfbQ0OxaRNbMBn9AZvZE4lN2TMVuWuTGl1amMLF7Fsxs2ndt+OCpf8d2sWpW
67hPMc8inNH8w+9K0kgsCls06Jy08NIt7QTtIckh8skvxQsfJ6An/ROiCNI5QiYj Enh475ch0PJfqZU0papeSV0XRdn60lTGwIbRldUowTBLYcbKo4tTMsCE3oOK7yul
oQOK3Tp8jGf/2wcsJLeO9y09ZPcOUbLkDe2YlnT+OqNMx9VXrPSvRwq2qtYphgYW 0QhQ9eJktvMbZNMYwGWz+p4pjs/eqBnlBP0KuXguKFHFXILxPlyRMhsvHKURUnC8
YWHPMEBnB/9XrVkEtnKeWPjtjarVd+rNnfVpCW0ImnZRFtKQQeI4rtf4Gr83Gdju ugGtqN9AEw6SF2Hf1rzmNno=
Z0gPepfIFptDMl5wKWyw4o2XVSZ69Ur8tQQynoNyX/FTIx6tQ//hzg==
-----END CERTIFICATE-----`) -----END CERTIFICATE-----`)
var badCAKey = []byte(`-----BEGIN RSA PRIVATE KEY----- var badCAKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA2Mbqfl5nW+rYCSw/+G00ymtBElvTwzEI88sg3m5PXU0XMv5y MIIEpQIBAAKCAQEA5T0xQ7mapkcE+h3owavy8NDxc2eKRe9q/5/yFp27F8QpnY13
Tyjt+S3mhbzLY460ty6fXlEiveNNP0bzbo0k+tvUj7HbOG4q4Cs0JWiLvibchRXQ SQS0GXvDiFW1eXdXTg39loy5fG3SZLd/f0eniF2FWKsRvIJbRGyyVBzySbNvbEit
LimqtndsVsT2xj56m7oTETWMYhjd8KFz1s6w7yK9dChe2pBCeeGjIbQs0def8Bf0 ekVeKQJTTH3Xlnb2JdRrr4vxWQC7crVPksS+AsB+MzdB39XIYxvK6hqwF7On8gro
5h7BbsmuXQb44nnpUdWgFI/Frqcz6jO6jySYV5U3ajqCjcWOBQmXRtMi1we48Hdj tzJ+k9e9+/rk0u8FsOBvnE8Z9MX5qX+00UnHSVZuzQt//rTG4Dqsm1yswwTlUfe9
2t4jW/evbRIo/tX88kluXFSVBmTitKA3nn23AzA+/qa6kTDwzQ8OntjC09JT7ykS XpjSh7D6fpjp5YNH9p3vLZMjoY/7ZqO0svHlcWjyv/zoN35p0gMwOGrByATYi2lo
764WLRiBOo+wC3a6M3eZNMkW615+DNP7wAjYEwIDAQABAoIBAC9lZnXUvDKLqUpw wYBckI8oC+CzyRO8ThKUDW19fa9jKYcqsIDhwQIDAQABAoIBADFvadFWFFCpXhxm
I1h0wBsV0jdqXmWJ/hQXsIsRgUa8CTt8CJAoOcfGcmWBPtL4q6h1iCC+CqOL5CLW GMyzPRfLp1YgzQPZ5rQrlPRlnXQ5nFParw+zEPex5e/fs9v27X/qqnYt8M4xjL6l
p3jfYVt73wC/+VdgNv2mVJNtRUiBBKwQdeDx+UJF4CkkjXQQywvrZinYFGaKW1Q2 h7w2Ap34tQnzEkcZwX7XBfn3qBRWur+aSLbmgLDNTJNhS/2pt9lenr5jqm9sJgBN
aLZpoKPYa6XPAdY1vmMZo2pGE5qZbGbIXKcl3kl5N2X0qyJKvTR6RA1Q8JiTmATh s1ROUz+arVx0HSOdIbKlyrODf9gMQL6hg/ZYNym2KaaYjnNfyrGtb3GQgYDn5FNQ
H1U3S9K/MIGU+9OwP8zCDVKFdDI+xgJvDo05W8bt6XLfmE4bLRYHRfe0iE0uBNSC TSeseXOm82Ev34pSbtQ/oFtU5W4DW72VFA68ciaLM2XslVl/zcncyDk+0LpvSq+W
zx5OGBNqkiHq/vMk5mLCYM0w/uzUkhB5uXqe5gSqa7DioLrHztqAe+sbtBvfL+Yd PYSQbwU/xZukMXXxbBoQUaorNK1fDOdYXBzSzs+Yzo+71D3azFaqPv6CMlHCYeA8
hP3asWECgYEA9NQXa2B6AVXVf2GII67H8diPFrILKLEw4CUZjFmVbvrKIRB2ypqA EUkDRAECgYEA8rmOnzjoHStjkOr7Yb5zqX4UyC0VvB6S9EJxy2a133K0eXJ82KPR
IsohpYl97s0nstetZt/75uEvkv3RPu5ad5LJaVAPHE3ESXKdAz6u4fSmi33qqPi6 L7fkkvZk04PwDUpClTqcTw3gblhIaBYsFqTnCn6+8hS1Lqa6OqUYo5/UD1O4mXVh
PvhHLYDDXvMgC7j2yCYyANVKNg2T+EJvpWMISlXM4h7CVm21CSDVZjECgYEA4qsl ebLvss5CNqA2+ii80XkRZSW4w/27CG+u/iBAiS5JeYi0zm89G5PYbCECgYEA8cbR
zDA3sHoClfC4nAOVrRghYlHU2bT6HPLxjLtBkcUTfj6nO6nOLGC7EFVkqYw5mUWq VoUB6rFNC0VOd/D+LPMWaCU7FguAJQ+8Opoh/JgmxFqWwWYeteuX0tbGrKb8LXSA
uSNntk1D1+MYVnZBeKqw6y21FFsclmzzXTtAJg0vuAg1jxnMHqiDbNqpUUO8ZWLG XLEL1vrZjQ2W9tKP4hP9rgiZbvNujPABS1ey5mMFDPMy6q2OYgLY85jpeYU9PpRt
iz2tdAWiBAKwZv0Psv44Dy++4v/BMd8FBb/iHYMCgYEAttKmRmW91b9t9Xg0fEjp dOZiw7a0TFENRU19/WMeSfdDvEzafX6tqA/gwaECgYEA0337V6EuHrx/tPYKs9BO
QBzyBQWhNZrTn520rUy8PSqDxBsSSgsDgncklwPMCYYjjfZmo3rBFdC0gPSOy4qb 15CUaxddqNy7DzoWDTUho+E+f9PSFLIow3toHuWyVNrRf8ME4SKAsCFXPM6PyKIJ
/cycIMtK7VzZJeuzehfV6h+SOnolwFY0Zg9qv3z257FwDbDqf92d22dqymBrTaj2 KHHnHq3xkt2YQV3lRtQz895/2BsK7ivpEzFmylYOO6q+PJria2MiVQ/ZPm0HWwJ1
zC7eovvdSkGj53x3AsEE+hECgYAd7JJU3pi7h6AHw3vbvO1pqKHfpQYAp8/NOpWB Z9iSYvWB7/O+F2G1zSG1ogECgYEAtoV0VY+VsdplokORCGULTV26JactoufNtqzZ
CsehQu9L32GcktJRMYQAqAVeDNEd1wCu6Gmsu46VVbnE0F/cWkx4/9PEGDMx+Lg4 WZgwXiNy6LrGonv4ZTfU5tszIvXw3FPd75vMp1+6Soze0biF3JNg6DgftK3bYFRz
OrZBT8RY+1x2w+UatwyCtmtb+yFIET4866uWgZfeB6zaK9aCvuUPvDHrLfCHcPXs dbBgIyLPlkYmwxmAqqchp0xhvVaDtLGSrDScjMlp9U8e6JmmqlpgbFBZd1bBfwna
yGRFmQKBgQDYvcjkUqKvnZwwpV6p6BHi6PuHWyjL+GLTk/IzsxOJykHzX4SV46Sd CUzrTOECgYEAx98UtYAFWVwoCZwtqSfzTKHerFN/qMFY34cXhdns2ZWn6kEb6alk
9IxyE+OWZhkISBMSMe8wQC/S+QYs8hDbEE3WH1DXp33joyNgt2aWI0Splu7S1f6P dXqNDkXV/7EBGWAcvKn/zbrwlhVDwPHUETgjCUpxqST0ly6E/JnwiNbrSOWG4Yg0
Pe08fYlLgz1xrbJuJAOgvkbskAUcmfmRwFeGaZSkkCtkzVxgN7LS3Q== RoKj46nUcolMbgRub+yeQqcQ48Y2/1OvnRUQ9aQ5MqVSyTyylgMKlB8=
-----END RSA PRIVATE KEY-----`) -----END RSA PRIVATE KEY-----`)
var badCACert = []byte(`-----BEGIN CERTIFICATE----- var badCACert = []byte(`-----BEGIN CERTIFICATE-----
MIIDhDCCAmygAwIBAgIJAIabsJi6ILN7MA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV MIIDPTCCAiWgAwIBAgIJAOQ6iHm4OCSMMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAMUKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX BAMMKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX
DTE3MDUwNDIyMzMyOFoYDzIyOTEwMjE3MjIzMzI4WjA0MTIwMAYDVQQDFClnZW5l DTE3MDkxMzAwMTAwNFoYDzIyOTEwNjI5MDAxMDA0WjA0MTIwMAYDVQQDDClnZW5l
cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jYTCCASIwDQYJKoZI cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jYTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANjG6n5eZ1vq2AksP/htNMprQRJb08MxCPPL hvcNAQEBBQADggEPADCCAQoCggEBAOU9MUO5mqZHBPod6MGr8vDQ8XNnikXvav+f
IN5uT11NFzL+ck8o7fkt5oW8y2OOtLcun15RIr3jTT9G826NJPrb1I+x2zhuKuAr 8haduxfEKZ2Nd0kEtBl7w4hVtXl3V04N/ZaMuXxt0mS3f39Hp4hdhVirEbyCW0Rs
NCVoi74m3IUV0C4pqrZ3bFbE9sY+epu6ExE1jGIY3fChc9bOsO8ivXQoXtqQQnnh slQc8kmzb2xIrXpFXikCU0x915Z29iXUa6+L8VkAu3K1T5LEvgLAfjM3Qd/VyGMb
oyG0LNHXn/AX9OYewW7Jrl0G+OJ56VHVoBSPxa6nM+ozuo8kmFeVN2o6go3FjgUJ yuoasBezp/IK6LcyfpPXvfv65NLvBbDgb5xPGfTF+al/tNFJx0lWbs0Lf/60xuA6
l0bTItcHuPB3Y9reI1v3r20SKP7V/PJJblxUlQZk4rSgN559twMwPv6mupEw8M0P rJtcrMME5VH3vV6Y0oew+n6Y6eWDR/ad7y2TI6GP+2ajtLLx5XFo8r/86Dd+adID
Dp7YwtPSU+8pEu+uFi0YgTqPsAt2ujN3mTTJFutefgzT+8AI2BMCAwEAAaOBljCB MDhqwcgE2ItpaMGAXJCPKAvgs8kTvE4SlA1tfX2vYymHKrCA4cECAwEAAaNQME4w
kzAdBgNVHQ4EFgQU9SUu1vDxGeyGEgy7pzZjLm+WSH0wZAYDVR0jBF0wW4AU9SUu HQYDVR0OBBYEFEe2nQ5ONNJFv/+6pWnzvfqRNTR9MB8GA1UdIwQYMBaAFEe2nQ5O
1vDxGeyGEgy7pzZjLm+WSH2hOKQ2MDQxMjAwBgNVBAMUKWdlbmVyaWNfd2ViaG9v NNJFv/+6pWnzvfqRNTR9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
a19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhggkAhpuwmLogs3swDAYDVR0TBAUw AEORwyo3MJZVuYbqft728t9MWw0wFORzxPnFVLXMIrX223flNEmqvkA8UBSulxmq
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAViib1ZcwLUi5YE279NRypsGLa8pfT/A8 yDYOOkOWByd2eemCZtc/MlmiSeYNFSi/PS+METkAef2cZfSQNdIUwwl5BZ4vW973
10u41L4xw+32mD2HojMmAlAF4jnC62exaXFsAYEsze4TF+0zqwDkHyGqViw/hKAv J+fDNm0LQh3ZPDngylQ3XprQkF7l+UefRVfbDDTALVDzmJCV/FCm05ijg+HssgwX
SrGgPUX3C7wLyiMa3pjZfcQQy+80SKiJLeClxxjkdhO0mGNo1LdJThYU5IADHVtF +rYI9ZdJbp2z9xftN0RRIwrBQ3S9vA1mq6OoZFco+9Oq5Li5DHv0BpQgOS64dY1z
u2oOKLTjWBVzkMRkTXp5RReeEoUPvFgJhPKIVLggdXdJT8oQjgIVlx6IuzjU0AeM dtOy4RvQNF8NsITkOlp7f39716448dvq8TJlCdE27ptL44hU82cZib3cwQx8cynu
tJ5AIWYrsqv9FlpfUXWjdiy8uF3iLWTOpd6pICnjzfj02wQouTEkxQ2iFinl7Das 45owbCivEhgee3RUY7gVuc8=
iK+7d34q6Ww1/1nu4EBBDYB1VlWdhDLJVT4F+mF8wZFBu863Ba+U5Q==
-----END CERTIFICATE-----`) -----END CERTIFICATE-----`)
var serverKey = []byte(`-----BEGIN RSA PRIVATE KEY----- var serverKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAquioChbTG+iyTg3+SwGww/7yN84jtj55v8Xld8TgkyavSZm7 MIIEpAIBAAKCAQEAxjTbuWppAQB140aAxVVo0jdcGw5id4IAa8ji3T/X1+mDIkU8
Q6WURevvXtJHMug/NAz6qoCFy/zOiozUrMB36GFOA8MtwaOddCMdHMruX7q2+CiF dA8kfpwgaeurh3Nai0R6LT9ZZ5aJD8a2udhVivY0Q11snw/4G40avL2yPr1VJSKk
amhFg58uPfVr9qit20JiyBhaPH97WmQzwsfRQt4E1mCbEHZYK6r1RlF3i00nDCxc lv5/b1knSh53Cvj+7ma6yjn5yBxw8V7v++37yVe6LHP3B0QBvR07n9k507gKHkw/
741wuYp4Uc5oYM0dYoVCv11DYdf62v1grLFO02a5qjAULS74KKNaJ4YDOmqnTtWt R924I6JUdBtlqoIPwRJlWRVyJ5RawfDZ+KX2d9rY0WAxW60Xge8gWPMv8XKViyw+
I75ZkEJSC2TT90o8eFIRuImY17venqIbp30A+XtvMhITg55648Zdci+CGHDcqJA1 p5+5ct6aHiu6/vtRP5N70lL8HXQjr+x0qaFd6m3/SajjX8AKvdIQzDocTzmjdlRL
C+y0rxXZkcuFFFrK0tiN7K/cPK1LDtS08gp61QIDAQABAoIBAFhGVxTu+Rc/N2lt Rj8kvLYf8fPazSybqWv0JeXkVxCZPv25SN26BwIDAQABAoIBAGYsqXgTmr2hdyQK
fNzNALobIoyEYpms50GQO5eDDuOyZXNEfh7QlScQV9DIF5JJtutxkL8kJvdXmm6h HCedt8NmNlzcNXZV1dG6ZPiZCLOM9MSd3GQXykBaS3tOucXBeVOBoVnh5jy4JT+0
ku+vcb+LErqKw0Vy9s6XnF/UyQ6U6BCBDXgKZ202eLHz41HBihrnzRHA0krRJato uE1lb/OKp7ZyWqREnynUu4vAXjppb5MNILuVxiuoUdCrk8JcSU6sNm45JMI7px1G
efuvLXy2JBV+TFlSZvQXFxy801wVIxlI7Jh94YR7CT3HYmD5qjAtiTVkSS+wmx++ S4AbVkicqKRxw05DiIHsp+fnGyBAPRK5+NxHzvERGH9Fxu6jKngSEfz345hZet07
cfh0rrMulkXDEUlRPm/fXqt0do+neH9eNYee4h0mbZ84f3ecz/ql3HfkfoK9ZBq+ C93tREsRYAPymjMO3Z/vLzO8MjwvLrL+ko6RR1/+VQjWG/tSgnSEhOpGibgWl4ni
M85VWnEvRetRF0AQlYK3IUPQH2XHIEZkUab8s+EZoIsgVBY9xvl6VTEQWFtbzRWC 4MvgipRzxkPfRE0qhAjbiQc/epRKDWWTkVfCDruKPSu5SIqD5NmT+MJTws25ZO4c
7ozg2PkCgYEA3X8Pv6a5wzWBwX17RkTXcPqS44uzJ/K0adv1QSrVvXrZJQ0FEGqr C3yh08ECgYEA//nPrMwOFft47maJR+y5TS+ym7pemMAztnB+9sLQB1iAF4RP29sK
gR74aQXiaVl06X/N50y/soQIHWpvqGjoEbkA+jS5y4GkGxAviFFAuRnW9DyRePxH s6WsQmxAiqb0X8lP6N0uRXBD/Cc30hXFfkfx4iWZl5/GYSswEVNXVx7GlFjh1DdB
nQiYFzgxBj55iDsdvdqJ2e0vM1EWNcaVmghNI25D+cBc4Qh1Zz4qFSsCgYEAxYg9 dbAK/04+/pJGHWaWJFyoWy8+HRDezJ33dF/y6BVX85eA1b8jdvrBB/UCgYEAxjmm
vYGepcTMJ0/dk4SVMaITi/8nAnZHnptILpSjgPNp8udsovQPkymwo+EDnjQqVPO4 fo2B1UDVfPb48SbiVV2w8VVo8p6/AOUxUYg10ZkJj5zSB76FC2yfYVPZGCnt2dcZ
OIIICEopk6Zup0Rq2iW3zRGbRJtp+uJ7mfFS+nT6sAe0tPWbGejwrudDDcx0fkx4 N3EPQ4ETVbYgL9N1fgukzWSez38SFuYDajJUxJ7tt4G9W881pZPfi3B1by7xcyaW
C+1//rJ95H0c9L4nd51azCJD0k2yKtIFyj91r/8CgYBwMkWa8exU+oyQo2xHSuXK 4M9gDvsvM2QYPGiz6mH1DwxG2rtY0ktolWkbyIsCgYEAo8xmYSueY+CsbNl+RWEs
n9K6GnCUwrcqjDWuXfFI+qp1vyOajj3zuOlh4Y4viRXUlV2KVXEhDwpBREHtD77G 3kCEaXRj7hknvjnUdPEKj3jJVsMbGxPakESWq1Z8In1daSH4GYnXfyWsy2EJLk0y
A22AUCbw8+lZoBhDt8zONk2RCAE0RK5N2CWaVWdX31uWa0OEgOelESUAnIlgkggD OHGvTchDtavPFQS+2IddH2mZJvqNX/AP2lBRaTfXxa0yYsPvlcsZDGh5tb3C5Gq9
r0LLuLYME6m4f51gv7d3YwKBgCFp8He0C3AjIB2uRt8DWHFy5zeRS7oA5BCSV915 G2H+nRZzVnP/REfwWMVy2jUCgYEApgsKlT2RwQGTEx+J/e71bk6R9kX2KC2jj2ts
S0cu5ccvGpNeEZxlOvodwAzs6hRAvfLhHBa65NmTF7i3vBN2uea4iblLSNwln57k +X/gnRbVdHAHWydTKPOvOgbTdjNBItXUMKXLBF+tw4FQyt8VrySvwsEDaoplq7q2
0ZKIYzePtiO+QCRb4QrVF+SnpzUOHmh2HmapLt6Nw24rFGYJeih5y1sxxWe060HR p5FLgnwiYjISXUJgDLembJYiOKUY6b0sa1oqe8IakrDIwGlwM+gkL5u4CmceiuFR
BkllAoGBAMkT1a3BhhEwoyyKiwC05+gzlKfAWz7t6J//6/yx+82lXDk4/J455qcw 1L374OsCgYAA5KmaCPoDefbvjpQ0EEZ+EFUyT9zVPHvqJa0aYo9KeWGfD/c9gYcQ
ny2y6P6r964EUoqMrAU0bdTs3sKDtOLdNMIt5RfoDBsdQDt2ktbv0pvii3E8SQFi WYWmap9Ed7RfMSxSE3oS2JCFIW19Y0HlBiyu+mi3oJ1ErJRmzgNQHmMkzDr1plQ6
JuJWSenrfFaI+AgwE9jDo1Hy6dhF6/hnV3+QoznwEPRAO6wmPyVA Zs423AVUJak0hiqLhF2o/I+pbbtGXB1TBaR6d6cGNP3wTCHtCjNc6w==
-----END RSA PRIVATE KEY-----`) -----END RSA PRIVATE KEY-----`)
var serverCert = []byte(`-----BEGIN CERTIFICATE----- var serverCert = []byte(`-----BEGIN CERTIFICATE-----
MIIDOzCCAiOgAwIBAgIJAN0PSMLOjTVAMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV MIIDJjCCAg6gAwIBAgIJAPJEHs7Aav1jMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAMUKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX BAMMKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX
DTE3MDUwNDIyMzMyOFoYDzIyOTEwMjE3MjIzMzI4WjA4MTYwNAYDVQQDDC1nZW5l DTE3MDkxMzAwMTAwNFoYDzIyOTEwNjI5MDAxMDA0WjAjMSEwHwYDVQQDExh3ZWJo
cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19zZXJ2ZXIwggEiMA0G b29rLXRlc3QuZGVmYXVsdC5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq6KgKFtMb6LJODf5LAbDD/vI3ziO2 AoIBAQDGNNu5amkBAHXjRoDFVWjSN1wbDmJ3ggBryOLdP9fX6YMiRTx0DyR+nCBp
Pnm/xeV3xOCTJq9JmbtDpZRF6+9e0kcy6D80DPqqgIXL/M6KjNSswHfoYU4Dwy3B 66uHc1qLRHotP1lnlokPxra52FWK9jRDXWyfD/gbjRq8vbI+vVUlIqSW/n9vWSdK
o510Ix0cyu5furb4KIVqaEWDny499Wv2qK3bQmLIGFo8f3taZDPCx9FC3gTWYJsQ HncK+P7uZrrKOfnIHHDxXu/77fvJV7osc/cHRAG9HTuf2TnTuAoeTD9H3bgjolR0
dlgrqvVGUXeLTScMLFzvjXC5inhRzmhgzR1ihUK/XUNh1/ra/WCssU7TZrmqMBQt G2Wqgg/BEmVZFXInlFrB8Nn4pfZ32tjRYDFbrReB7yBY8y/xcpWLLD6nn7ly3poe
Lvgoo1onhgM6aqdO1a0jvlmQQlILZNP3Sjx4UhG4iZjXu96eohunfQD5e28yEhOD K7r++1E/k3vSUvwddCOv7HSpoV3qbf9JqONfwAq90hDMOhxPOaN2VEtGPyS8th/x
nnrjxl1yL4IYcNyokDUL7LSvFdmRy4UUWsrS2I3sr9w8rUsO1LTyCnrVAgMBAAGj 89rNLJupa/Ql5eRXEJk+/blI3boHAgMBAAGjSjBIMAkGA1UdEwQCMAAwCwYDVR0P
SjBIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHREECDAG
BggrBgEFBQcDATAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4IBAQCA hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQAp99rbIZlUhvNmxhiQCMcltLqtIpGs
/IFclqY/dsadGY0e9U3xq0XliIjZIHaI6OLXmO8xBdLDVf2+d6Bt3dl9gQMtGQI3 ZorxbInV4QCdV+Kybot+L7kUDxu/OqERNLqr1qRsjqJRHUhiZZVv8gjZgwz4bO1/
zj9vqJrM+znXR30yAERFefZItk8hTzAotk15HYExVJkIn5JQBaXRbeO2DUZFgAnu ycjUyAoS92OMKEWlvXe1nMnHH3Jw+lXnwiaOumoExhB1gpMjGqsU3mBQrHXGenNS
6OU6KnuVC6i+7xDlbMl8wtRPmeZ6FS1wW4wnxLWZtKYAuLVDs0ISy6qbznGhCkWc JyJtRsBFnkgk1hGycJPgNc/juaHuGBexLDdPqOy3Zmv1AtzFhvPzOTEFpaIGa5dz
b0uPbxnMmZHQLVL+yF1LYWpX9+Xa9QnWXOSY7KHtcuYXZB/XV4Pt6aDncg76bFdl vewjDBFBCpFFTqpISD93JX6AbkucPVKnfF97DkBLyj3mr+X9Cy0pLGjwN8Gcp1Ez
MG3bocbJ9MsoS/LdlAiYzLNmKlFa243QPOo/zN170NhEZaF1lM80YBaLIE4rRtga 5MvTqbOmqLypcRJu285K0Yxmv7a38GND7xeoijfnPFjVjYGlacCnI7ps
nrkNOnPHx1evvuleH0Yv
-----END CERTIFICATE-----`) -----END CERTIFICATE-----`)
var clientKey = []byte(`-----BEGIN RSA PRIVATE KEY----- var clientKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA1Cf8Tch5IieN9zAI0b5FFJoMzPsN3RAYD5GAk3Xo9XNbKnvJ MIIEowIBAAKCAQEA1jCNOxaX7C6bH8YffvoneePNQVAnMejecJqQz+KJHdrwTlOD
38o2TKdxFu1/Q8hqG3668vWuL6TYDYVcYWtC6rwNpU/moAdJZyyEtmZIam1Va1VW dqzpBVf21tzUo2AU7xoKzpHnEZ5PvBlgzveBhBy3E48ILWRs4ZCnCXYRG62LD6fI
HDCpylsk4b8jbUxxm6OzF1XxZpBUJg9o/1OvL1XA0rmcDiddXN5VdL2adJZsS54t ub0uEt2IwHiT0A6q1fGrAYlrzLkYRz3LQyOQhL0Ca7nB2IeCzY/Vfz0TR2+4bMtY
gI57hcH0jkQocHTEv5gIl2tcTDStd4GeWxBmCotYdCQWcNk+96QMRxIai88aPPYw 54Go5G+lZRP1N88E2cplS8YEZLPlQqqVS6J15bkpnAMmQWL5x67cUbnXdST4qvns
QxpOQeaABrYrjPO1fJA0jimM9bhkjGXK6cnrRQrg3jkeF3vuPw9BFbE4VeENLY+y 3cSqjjC0LKhOd1aInxdCgwL7dT4lwF64Jz1/25OSUVFN5J5Y8xmPqQWHNtauVTjw
v2OWBPYOD8ov0Tn2inge4QjE2DZyK95l46wQbwIDAQABAoIBAGZiAY1cALEt24H9 /StV1DYfe3LnVhVriQ+aNu/cssfe1Se7x6w7HQIDAQABAoIBACRaOy4jKIfCZTug
yVPG+bluelz1jwQuvx3MPvtqvIivKcC/ynVYNYoaiCXjaTZB4orwRrH3RB8z8xvb UaooZNjQK/8AzpYu8snjwd42kZUKmqyAihhzQl1Qz6kp88ECxqrKHblvk+sullPT
TvCofbugEwnDHG3/9jl3L3iCtdG+f6lznkGublH8WDklL6iQaocMoeHSFNRFNIbF btXRth6pDP150iZ6G+yws1jsu/yZmLeAf5XeoNo81T/tdxDh3GbRTHfHTg+B/rfg
iwskzHcQcCSBdEEUWCb4GM9krMQz7pBR9BloyV40ZAGilMXI9F9FZ0YBWWee09gi qgXsHFQbDDUiYt8QKMgguFiPEh2WbedyAe1N9LhtEazMhrnLXCUxTXIFddmcKvnk
jid6sEzYQveZ5RQgEEDrE/i+jzXkU8sBKsSm1GuKH62+YrtelBqP83DwVIKthMOJ fTcnV6mG4FftXFwh+Qn4HukphENHD+xazxIp/WFGDbbStQ8sbjkUSydU0w5x/eQ/
79tw6i98v5JHV+1ikqC1Na/c7OxBBF3xrgwCN47ok0cHaIXh7SX+EIN6jcwKTmRH V6z7ibgDmlHoSyKCxc0B0wuNE/BBQzQGvy2T9UhA4V2+vwuQpcXxM77tXMNnmxaX
VZQBz2ECgYEA6tTpJEKNAzEY3KOO578zY2hWhPUNqzUTm8yLxZedhDt2rwyWjd4J fEXHQBUCgYEA+sYZKOTL7JCJNnGexVVxn6OWZUuSf94LAyVBCveHnItlFgowzwU1
HhS7CiNqFpMT/kxFyOupA8SFJPZDhJBXttnyzO9Sb61fLWgSP739K9OQfK1FGTA6 NYUFD894SR7orvbnSHvEOvim10C7YoyDcsH5+zt4K7dMnVJ6I6I4mNv0r/1WylHe
khjc3vHtBeGrWm9+1jSxQtrwly7Rs+EmdvseDCN7yie/mgrBLS7p1l8CgYEA50fN JyNkYP7jn6znMqVgvo4YHCMrk2OoPIE8jeH1aN+I/YOTi47BIb+MbfcCgYEA2qdG
6BnbeAgCTK8GDBWSJPaYUlo/lebUDCn5QIp1LK93vPQWjJR8xRBwL1TbiVKGd054 AbgwVoWeQT7Z+3iJxTgaZGjO66Id2164HMK0NGeYjNeWikt58Y5Vitblk6h8JqQy
dRZVuJYMJx+2mbrt5ca9UArisZp5OZgR4xz29n9u69P5XiuG8Fq/JBJXp1GXONVx yOipyyIbQFnQbmTo6vlvNTKw2NOrPHkYktridIfFrinYqEmKfhbhQWnZAOTjOnpJ
JNOsUHOW/b3w2tNUWZcMQAH601BHOtO+EtaEX/ECgYBHygz4A8xeFG1YTjwKxt3r 9RFC5LbErmrf5G6HIWV8bfX/kBvi0QbF6VYuKosCgYB2Ztf0PeqmnCuc4BKFu2z1
3uLMRKoIE/LJp093eXEzEoam3v9LoXxCEO5ZHBh7jD0JecG/uaNyvmpBsXNUnFfk YcidtQvLgawTZSCLrAmEeTBWMqOO6zePOGoGZ/+0DnrwOTVEPOOOsF4d3btbsVpS
U16xndwiveqh0/X4PJmgA05hfwrnt2HAdg9XrLfcG3Ap9nnc/EDQgmQYo7yB9Cux 8ZE09IQtp9LtqMZwUqSET7385hF3XyYTtpsrTM1uU7WpbPn7np11k4l8gp4pSx+r
JfW6mkJmu54Mdos1x+i+mwKBgHmewcGe71E0bPkkRLrQERUM89bCjJNoWfO3ktIE Ide8F2bXw6sDRniblZQZSwKBgQCjN4RZmj1zCLEWcS1UuyjUcEm7NEVpvY1eCLmU
vU9tSjr75GuyndYHKedJ6VRSKFHO2vs/bn5tsSBVxfEbYoSlOOJBhyo8AClwNV/H tn7AM6i7Ud8NAsRXXXFbf4jGDVoHmkBSmuLMQHxpL+IX1fnMFUA/TMSYRoEnVhnS
2HqRUqQCySxjGUeFgOQYHS3ocuw5GZFzGjcIQctXObPo0391NcTnBZ5fpcVimZ5Q 3dN3OzaECLazAJqB/uBM7Q9QzIsWRtzYM/dkNU5iCGNy6FK0ykX061HHKBnLAKxR
XjYRAoGAN2O3HQjPyThoOUOn5MJEIx0L5bMvGNDzJO+oFngAntX/zv0zu/zsD9tc vsQdewKBgGCZiy/QYdGR3jdfD7Qytfuptgf6zFLB0BqHJTG/YmnonCDTI8ZxmDOF
kk4EbMLluiw2/XJvYjCStieaYxbSWioKwlThy39C+iUut+IbpP2eI46SOkhvPczt DspoiVbrjYdHED0IfcnXYNK8+Bv/2vVxAGqqCdA/aJbFXx86zKJvu8ZHcFrWl6Fy
4u1/sslqjs4ZSntR4Z9UOk3vY3oxRKbiXX2/vl9cqzB/cGYu01c= vdk6OsJjqpA0RM/lD2kVvHeaBO44qGmMFfZHv52ONu+wE4mVX6Y8
-----END RSA PRIVATE KEY-----`) -----END RSA PRIVATE KEY-----`)
var clientCert = []byte(`-----BEGIN CERTIFICATE----- var clientCert = []byte(`-----BEGIN CERTIFICATE-----
MIIDOzCCAiOgAwIBAgIJAN0PSMLOjTVBMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV MIIDOzCCAiOgAwIBAgIJAPJEHs7Aav1kMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAMUKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX BAMMKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX
DTE3MDUwNDIyMzMyOFoYDzIyOTEwMjE3MjIzMzI4WjA4MTYwNAYDVQQDDC1nZW5l DTE3MDkxMzAwMTAwNFoYDzIyOTEwNjI5MDAxMDA0WjA4MTYwNAYDVQQDFC1nZW5l
cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jbGllbnQwggEiMA0G cmljX3dlYmhvb2tfYWRtaXNzaW9uX3BsdWdpbl90ZXN0c19jbGllbnQwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUJ/xNyHkiJ433MAjRvkUUmgzM+w3d CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWMI07FpfsLpsfxh9++id5481BUCcx
EBgPkYCTdej1c1sqe8nfyjZMp3EW7X9DyGobfrry9a4vpNgNhVxha0LqvA2lT+ag 6N5wmpDP4okd2vBOU4N2rOkFV/bW3NSjYBTvGgrOkecRnk+8GWDO94GEHLcTjwgt
B0lnLIS2ZkhqbVVrVVYcMKnKWyThvyNtTHGbo7MXVfFmkFQmD2j/U68vVcDSuZwO ZGzhkKcJdhEbrYsPp8i5vS4S3YjAeJPQDqrV8asBiWvMuRhHPctDI5CEvQJrucHY
J11c3lV0vZp0lmxLni2AjnuFwfSORChwdMS/mAiXa1xMNK13gZ5bEGYKi1h0JBZw h4LNj9V/PRNHb7hsy1jngajkb6VlE/U3zwTZymVLxgRks+VCqpVLonXluSmcAyZB
2T73pAxHEhqLzxo89jBDGk5B5oAGtiuM87V8kDSOKYz1uGSMZcrpyetFCuDeOR4X YvnHrtxRudd1JPiq+ezdxKqOMLQsqE53VoifF0KDAvt1PiXAXrgnPX/bk5JRUU3k
e+4/D0EVsThV4Q0tj7K/Y5YE9g4Pyi/ROfaKeB7hCMTYNnIr3mXjrBBvAgMBAAGj nljzGY+pBYc21q5VOPD9K1XUNh97cudWFWuJD5o279yyx97VJ7vHrDsdAgMBAAGj
SjBIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC SjBIMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDATAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4IBAQC/ BggrBgEFBQcDATAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBh
TBXk511JBKLosKVqrjluo8bzbgnREUrPcKclatiAOiIFKbMBy4nE4BlGZZW34t1u cqu6S6MkUUtNhlWR33ZfV6Ewoz06IGtUIUDDuRmVuizCDOdCcGOTDvdoXtbZMwUf
sStB1dDHBHIuEkZxs93xwjqXN03yNNfve+FkRcb+guaZJEIBRlNocNxhd+lVDo8J ZRVVaSyIjqdz5k+C06mHM7uEEgo+Xo7YolK1AiW9VflG8K47l/+XlLoHFv0eB9k/
axRTdoOxyEOHGCjg+gyb0i9f/rqEqLnDwnYLZbH9Qbh/yv6OgISUTYOCzH35H0/6 KdlFkzh3pszM4uEiynkLlSpQxyyBOhyaVdQlXdamqmSfIO0HlLza1OAP2rMILeMb
unY5JaBhRvmJHI0Z3KtmvMShbUyzoYD+oNLaS31fvoYIekcHsnOjZGBukaIx1bE1 GJ0y+DCxxAspwVvmCUzc5nL6t35+oEDihRk9bjGDLhfh+b0AYSO4RUjzhNlayUBG
4SFjCUSPGDdzJdaYxQb0UXNI7oXKr6e6YeOrglIrVbboa0X3jtqGF1U7rop8ts3v /Kbxh6GiimYmWwpIUTcTAbO7gB7Ya5eXmEB80McS0Z6MY/AEBHnu2Cy8BVEDY30f
24SeXsvxqJht40itVvGK uOhGOj+iPQxidcxc+wuy
-----END CERTIFICATE-----`) -----END CERTIFICATE-----`)

2
plugin/pkg/admission/webhook/gencerts.sh
View File

@@ -61,7 +61,7 @@ openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem
# Create a server certiticate # Create a server certiticate
openssl genrsa -out serverKey.pem 2048 openssl genrsa -out serverKey.pem 2048
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf openssl req -new -key serverKey.pem -out server.csr -subj "/CN=webhook-test.default.svc" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
# Create a client certiticate # Create a client certiticate

3
staging/src/k8s.io/client-go/rest/config.go
View File

@@ -114,6 +114,9 @@ type Config struct {
// The maximum length of time to wait before giving up on a server request. A value of zero means no timeout. // The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.
Timeout time.Duration Timeout time.Duration
// Dial specifies the dial function for creating unencrypted TCP connections.
Dial func(network, addr string) (net.Conn, error)
// Version forces a specific version to be used (if registered) // Version forces a specific version to be used (if registered)
// Do we need this? // Do we need this?
// Version string // Version string

3
staging/src/k8s.io/client-go/rest/config_test.go
View File

@@ -18,6 +18,7 @@ package rest
import ( import (
"io" "io"
"net"
"net/http" "net/http"
"path/filepath" "path/filepath"
"reflect" "reflect"
@@ -236,6 +237,8 @@ func TestAnonymousConfig(t *testing.T) {
func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) { func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) {
r.Config = map[string]string{} r.Config = map[string]string{}
}, },
// Dial does not require fuzzer
func(r *func(network, addr string) (net.Conn, error), f fuzz.Continue) {},
) )
for i := 0; i < 20; i++ { for i := 0; i < 20; i++ {
original := &Config{} original := &Config{}

1
staging/src/k8s.io/client-go/rest/transport.go
View File

@@ -96,5 +96,6 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
Groups: c.Impersonate.Groups, Groups: c.Impersonate.Groups,
Extra: c.Impersonate.Extra, Extra: c.Impersonate.Extra,
}, },
Dial: c.Dial,
}, nil }, nil
} }

12
staging/src/k8s.io/client-go/transport/cache.go
View File

@@ -63,16 +63,20 @@ func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) {
return http.DefaultTransport, nil return http.DefaultTransport, nil
} }
dial := config.Dial
if dial == nil {
dial = (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial
}
// Cache a single transport for these options // Cache a single transport for these options
c.transports[key] = utilnet.SetTransportDefaults(&http.Transport{ c.transports[key] = utilnet.SetTransportDefaults(&http.Transport{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,
TLSHandshakeTimeout: 10 * time.Second, TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: tlsConfig, TLSClientConfig: tlsConfig,
MaxIdleConnsPerHost: idleConnsPerHost, MaxIdleConnsPerHost: idleConnsPerHost,
Dial: (&net.Dialer{ Dial: dial,
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
}) })
return c.transports[key], nil return c.transports[key], nil
} }

8
staging/src/k8s.io/client-go/transport/config.go
View File

@@ -16,7 +16,10 @@ limitations under the License.
package transport package transport
import "net/http" import (
"net"
"net/http"
)
// Config holds various options for establishing a transport. // Config holds various options for establishing a transport.
type Config struct { type Config struct {
@@ -52,6 +55,9 @@ type Config struct {
// config may layer other RoundTrippers on top of the returned // config may layer other RoundTrippers on top of the returned
// RoundTripper. // RoundTripper.
WrapTransport func(rt http.RoundTripper) http.RoundTripper WrapTransport func(rt http.RoundTripper) http.RoundTripper
// Dial specifies the dial function for creating unencrypted TCP connections.
Dial func(network, addr string) (net.Conn, error)
} }
// ImpersonationConfig has all the available impersonation options // ImpersonationConfig has all the available impersonation options