From dd3c85be09b5d9a782d5175e3ea108ad7afa9144 Mon Sep 17 00:00:00 2001
From: Eric Tune
Date: Wed, 12 Nov 2014 23:54:54 -0800
Subject: [PATCH 1/2] Use https when Insecure is selected.
---
 pkg/client/helper.go | 2 +-
 pkg/client/helper_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index 176259014b6..e77ae7c26b0 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -231,7 +231,7 @@ func IsConfigTransportSecure(config *Config) bool {
 func defaultServerUrlFor(config *Config) (*url.URL, error) {
 version := defaultVersionFor(config)
 // TODO: move the default to secure when the apiserver supports TLS by default
- defaultSecure := config.CertFile != ""
+ defaultSecure := config.CertFile != "" || config.Insecure
 host := config.Host
 if host == "" {
 host = "localhost"
diff --git a/pkg/client/helper_test.go b/pkg/client/helper_test.go
index d24296ffc40..e925b4d6e0f 100644
--- a/pkg/client/helper_test.go
+++ b/pkg/client/helper_test.go
@@ -76,6 +76,13 @@ func TestIsConfigTransportSecure(t *testing.T) {
 },
 Secure: false,
 },
+ {
+ Config: &Config{
+ Host: "1.2.3.4:567",
+ Insecure: true,
+ },
+ Secure: true,
+ },
 }
 for _, testCase := range testCases {
 secure := IsConfigTransportSecure(testCase.Config)
From 5c24855349a151f7e62012591bccc7e5a69585ec Mon Sep 17 00:00:00 2001
From: Eric Tune
Date: Thu, 13 Nov 2014 21:42:36 -0800
Subject: [PATCH 2/2] Rename Secure -> TLS; we may use TLS insecurely.
---
 cmd/kubecfg/kubecfg.go | 2 +-
 pkg/client/helper.go | 15 ++++++++-------
 pkg/client/helper_test.go | 24 ++++++++++++------------
 pkg/kubectl/cmd/cmd.go | 2 +-
 4 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/cmd/kubecfg/kubecfg.go b/cmd/kubecfg/kubecfg.go
index 8f97cdf05ad..b93c2ba94a1 100644
--- a/cmd/kubecfg/kubecfg.go
+++ b/cmd/kubecfg/kubecfg.go
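Review bot: The sentence `Note: the Insecure flag is ignored when testing for this value, so MITM attacks are still possible.` in the doc comment of IsConfigTransportSecure reads as stale once `config.Insecure` is OR-ed into defaultSecure here: the flag is now precisely what makes the function answer true for a host without a scheme. The second patch renames the function in its `@@ -213,13 +213,13 @@` hunk but carries that sentence over unchanged. Something like `// Note: Insecure only selects https as the default scheme; it does not make the peer verified, so a true result can still describe a connection open to MITM.` would match the new behaviour. The enclosing function, defaultServerUrlFor, continues past the end of this hunk.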
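Review bot: The added case pins only a scheme-less host with `Insecure: true`; there is no case for a host that already carries an explicit scheme together with the flag. DefaultServerURL (its hunk is in the second patch) applies the https default only when `hostURL.Scheme == ""`, so `Host: "http://localhost", Insecure: true` should still report false, which is the shape kubecfg.go's fallback `http://localhost:8080` produces. Adding `{Config: &Config{Host: "http://localhost", Insecure: true}, Secure: false}` would document that an explicit scheme wins over the flag. TestIsConfigTransportSecure starts before this hunk.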
@@ -201,7 +201,7 @@ func main() {
 // TODO: eventually apiserver should start on 443 and be secure by default
 clientConfig.Host = "http://localhost:8080"
 }
- if client.IsConfigTransportSecure(clientConfig) {
+ if client.IsConfigTransportTLS(clientConfig) {
 auth, err := kubecfg.LoadAuthInfo(*authConfig, os.Stdin)
 if err != nil {
 glog.Fatalf("Error loading auth: %v", err)
diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index e77ae7c26b0..2c64e2a5165 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -172,7 +172,7 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
 // DefaultServerURL converts a host, host:port, or URL string to the default base server API path
 // to use with a Client at a given API version following the standard conventions for a
 // Kubernetes API.
-func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.URL, error) {
+func DefaultServerURL(host, prefix, version string, defaultTLS bool) (*url.URL, error) {
 if host == "" {
 return nil, fmt.Errorf("host must be a URL or a host:port pair")
 }
@@ -186,7 +186,7 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
 }
 if hostURL.Scheme == "" {
 scheme := "http://"
- if defaultSecure {
+ if defaultTLS {
 scheme = "https://"
 }
 hostURL, err = url.Parse(scheme + base)
@@ -213,13 +213,13 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
 return hostURL, nil
 }
 
-// IsConfigTransportSecure returns true iff the provided config will result in a protected
+// IsConfigTransportTLS returns true iff the provided config will result in a protected
 // connection to the server when it is passed to client.New() or client.RESTClientFor().
 // Use to determine when to send credentials over the wire.
 //
 // Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
 // still possible.
-func IsConfigTransportSecure(config *Config) bool {
+func IsConfigTransportTLS(config *Config) bool {
 baseURL, err := defaultServerUrlFor(config)
 if err != nil {
 return false
@@ -227,16 +227,17 @@ func IsConfigTransportSecure(config *Config) bool {
 return baseURL.Scheme == "https"
 }
 
-// defaultServerUrlFor is shared between IsConfigSecure and RESTClientFor
+// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor
 func defaultServerUrlFor(config *Config) (*url.URL, error) {
 version := defaultVersionFor(config)
 // TODO: move the default to secure when the apiserver supports TLS by default
- defaultSecure := config.CertFile != "" || config.Insecure
+ // config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
+ defaultTLS := config.CertFile != "" || config.Insecure
 host := config.Host
 if host == "" {
 host = "localhost"
 }
- return DefaultServerURL(host, config.Prefix, version, defaultSecure)
+ return DefaultServerURL(host, config.Prefix, version, defaultTLS)
 }
 
 // defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
diff --git a/pkg/client/helper_test.go b/pkg/client/helper_test.go
index e925b4d6e0f..485e7eb425a 100644
--- a/pkg/client/helper_test.go
+++ b/pkg/client/helper_test.go
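Review bot: The doc comment still describes a true result as a `protected` connection to be used `to determine when to send credentials over the wire`, yet after this series `Insecure: true` on its own also yields true, and the comment added in the defaultServerUrlFor hunk below describes that case as HTTPS without CA checks. kubecfg.go and cmd.go in this same series gate loading auth info on this result, so credentials will also be sent to a server whose certificate was never verified; the first line should say TLS rather than protected, e.g. `// IsConfigTransportTLS returns true iff the provided config will result in a TLS connection to the server`, followed by a line stating that with Insecure the peer is not verified and the caller must decide whether credentials are still acceptable. Whether Insecure actually disables certificate checks is presumably decided in TransportFor, outside this hunk, so the `is taken to mean` comment in the next hunk is an assumption at this layer rather than something defaultServerUrlFor enforces.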
@@ -47,47 +47,47 @@ func TestTransportFor(t *testing.T) {
 }
 }
 
-func TestIsConfigTransportSecure(t *testing.T) {
+func TestIsConfigTransportTLS(t *testing.T) {
 testCases := []struct {
- Config *Config
- Secure bool
+ Config *Config
+ TransportTLS bool
 }{
 {
- Config: &Config{},
- Secure: false,
+ Config: &Config{},
+ TransportTLS: false,
 },
 {
 Config: &Config{
 Host: "https://localhost",
 },
- Secure: true,
+ TransportTLS: true,
 },
 {
 Config: &Config{
 Host: "localhost",
 CertFile: "foo",
 },
- Secure: true,
+ TransportTLS: true,
 },
 {
 Config: &Config{
 Host: "///:://localhost",
 CertFile: "foo",
 },
- Secure: false,
+ TransportTLS: false,
 },
 {
 Config: &Config{
 Host: "1.2.3.4:567",
 Insecure: true,
 },
- Secure: true,
+ TransportTLS: true,
 },
 }
 for _, testCase := range testCases {
- secure := IsConfigTransportSecure(testCase.Config)
- if testCase.Secure != secure {
- t.Errorf("expected %v for %#v", testCase.Secure, testCase.Config)
+ useTLS := IsConfigTransportTLS(testCase.Config)
+ if testCase.TransportTLS != useTLS {
+ t.Errorf("expected %v for %#v", testCase.TransportTLS, testCase.Config)
 }
 }
 }
diff --git a/pkg/kubectl/cmd/cmd.go b/pkg/kubectl/cmd/cmd.go
index 84034e35739..c7271c322c4 100644
--- a/pkg/kubectl/cmd/cmd.go
+++ b/pkg/kubectl/cmd/cmd.go
@@ -172,7 +172,7 @@ func GetKubeConfig(cmd *cobra.Command) *client.Config {
 } config.Host = host
- if client.IsConfigTransportSecure(config) {
+ if client.IsConfigTransportTLS(config) {
 // Get the values from the file on disk (or from the user at the
 // command line). Override them with the command line parameters, if
 // provided.