Merge pull request #2343 from erictune/tokens_need_private_comms
Use https when Insecure is selected.
commit
7df0f6d3bd
@ -201,7 +201,7 @@ func main() {
|
|||||||
// TODO: eventually apiserver should start on 443 and be secure by default
|
// TODO: eventually apiserver should start on 443 and be secure by default
|
||||||
clientConfig.Host = "http://localhost:8080"
|
clientConfig.Host = "http://localhost:8080"
|
||||||
}
|
}
|
||||||
if client.IsConfigTransportSecure(clientConfig) {
|
if client.IsConfigTransportTLS(clientConfig) {
|
||||||
auth, err := kubecfg.LoadAuthInfo(*authConfig, os.Stdin)
|
auth, err := kubecfg.LoadAuthInfo(*authConfig, os.Stdin)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Fatalf("Error loading auth: %v", err)
|
glog.Fatalf("Error loading auth: %v", err)
|
||||||
|
@ -172,7 +172,7 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
|
|||||||
// DefaultServerURL converts a host, host:port, or URL string to the default base server API path
|
// DefaultServerURL converts a host, host:port, or URL string to the default base server API path
|
||||||
// to use with a Client at a given API version following the standard conventions for a
|
// to use with a Client at a given API version following the standard conventions for a
|
||||||
// Kubernetes API.
|
// Kubernetes API.
|
||||||
func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.URL, error) {
|
func DefaultServerURL(host, prefix, version string, defaultTLS bool) (*url.URL, error) {
|
||||||
if host == "" {
|
if host == "" {
|
||||||
return nil, fmt.Errorf("host must be a URL or a host:port pair")
|
return nil, fmt.Errorf("host must be a URL or a host:port pair")
|
||||||
}
|
}
|
||||||
@ -186,7 +186,7 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
|
|||||||
}
|
}
|
||||||
if hostURL.Scheme == "" {
|
if hostURL.Scheme == "" {
|
||||||
scheme := "http://"
|
scheme := "http://"
|
||||||
if defaultSecure {
|
if defaultTLS {
|
||||||
scheme = "https://"
|
scheme = "https://"
|
||||||
}
|
}
|
||||||
hostURL, err = url.Parse(scheme + base)
|
hostURL, err = url.Parse(scheme + base)
|
||||||
@ -213,13 +213,13 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
|
|||||||
return hostURL, nil
|
return hostURL, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsConfigTransportSecure returns true iff the provided config will result in a protected
|
// IsConfigTransportTLS returns true iff the provided config will result in a protected
|
||||||
// connection to the server when it is passed to client.New() or client.RESTClientFor().
|
// connection to the server when it is passed to client.New() or client.RESTClientFor().
|
||||||
// Use to determine when to send credentials over the wire.
|
// Use to determine when to send credentials over the wire.
|
||||||
//
|
//
|
||||||
// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
|
// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
|
||||||
// still possible.
|
// still possible.
|
||||||
func IsConfigTransportSecure(config *Config) bool {
|
func IsConfigTransportTLS(config *Config) bool {
|
||||||
baseURL, err := defaultServerUrlFor(config)
|
baseURL, err := defaultServerUrlFor(config)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false
|
return false
|
||||||
@ -227,16 +227,17 @@ func IsConfigTransportSecure(config *Config) bool {
|
|||||||
return baseURL.Scheme == "https"
|
return baseURL.Scheme == "https"
|
||||||
}
|
}
|
||||||
|
|
||||||
// defaultServerUrlFor is shared between IsConfigSecure and RESTClientFor
|
// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor
|
||||||
func defaultServerUrlFor(config *Config) (*url.URL, error) {
|
func defaultServerUrlFor(config *Config) (*url.URL, error) {
|
||||||
version := defaultVersionFor(config)
|
version := defaultVersionFor(config)
|
||||||
// TODO: move the default to secure when the apiserver supports TLS by default
|
// TODO: move the default to secure when the apiserver supports TLS by default
|
||||||
defaultSecure := config.CertFile != ""
|
// config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
|
||||||
|
defaultTLS := config.CertFile != "" || config.Insecure
|
||||||
host := config.Host
|
host := config.Host
|
||||||
if host == "" {
|
if host == "" {
|
||||||
host = "localhost"
|
host = "localhost"
|
||||||
}
|
}
|
||||||
return DefaultServerURL(host, config.Prefix, version, defaultSecure)
|
return DefaultServerURL(host, config.Prefix, version, defaultTLS)
|
||||||
}
|
}
|
||||||
|
|
||||||
// defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
|
// defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
|
||||||
|
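Review bot: The doc comment on IsConfigTransportTLS still says the Insecure flag is ignored when testing for this value, but defaultServerUrlFor now folds config.Insecure into defaultTLS, so the flag does decide the default scheme and the comment contradicts the code beneath it. Because the same comment tells callers to use the result to decide when to send credentials, it should state plainly that the answer is true for Insecure configs whose server certificate is never verified; replace the two Note lines with `// Note: Insecure=true makes the default scheme https, so this returns true even though the`, `// server certificate will not be verified; credentials sent on such a connection are`, `// exposed to an active MITM.` The body of IsConfigTransportTLS is split across two hunks here, with the closing brace of its err check falling between them.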
@ -47,40 +47,47 @@ func TestTransportFor(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestIsConfigTransportSecure(t *testing.T) {
|
func TestIsConfigTransportTLS(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
Config *Config
|
Config *Config
|
||||||
Secure bool
|
TransportTLS bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
Config: &Config{},
|
Config: &Config{},
|
||||||
Secure: false,
|
TransportTLS: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Config: &Config{
|
Config: &Config{
|
||||||
Host: "https://localhost",
|
Host: "https://localhost",
|
||||||
},
|
},
|
||||||
Secure: true,
|
TransportTLS: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Config: &Config{
|
Config: &Config{
|
||||||
Host: "localhost",
|
Host: "localhost",
|
||||||
CertFile: "foo",
|
CertFile: "foo",
|
||||||
},
|
},
|
||||||
Secure: true,
|
TransportTLS: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Config: &Config{
|
Config: &Config{
|
||||||
Host: "///:://localhost",
|
Host: "///:://localhost",
|
||||||
CertFile: "foo",
|
CertFile: "foo",
|
||||||
},
|
},
|
||||||
Secure: false,
|
TransportTLS: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Config: &Config{
|
||||||
|
Host: "1.2.3.4:567",
|
||||||
|
Insecure: true,
|
||||||
|
},
|
||||||
|
TransportTLS: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, testCase := range testCases {
|
for _, testCase := range testCases {
|
||||||
secure := IsConfigTransportSecure(testCase.Config)
|
useTLS := IsConfigTransportTLS(testCase.Config)
|
||||||
if testCase.Secure != secure {
|
if testCase.TransportTLS != useTLS {
|
||||||
t.Errorf("expected %v for %#v", testCase.Secure, testCase.Config)
|
t.Errorf("expected %v for %#v", testCase.TransportTLS, testCase.Config)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
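Review bot: The new case with Host "1.2.3.4:567" and Insecure true pins that Insecure upgrades a scheme-less host to https, but nothing pins the other half of the rule: as far as the visible DefaultServerURL goes, defaultTLS is consulted only when hostURL.Scheme is empty, so an explicit http:// host with Insecure set should still report false, and a regression there would have callers send credentials in plaintext while believing the transport is TLS. Adding that case documents the limit of the "Insecure means HTTPS without verification" reading in the place a future maintainer will look. TestIsConfigTransportTLS is shown in full here.
```go
		// … unchanged: existing cases …
		{
			Config: &Config{
				Host:     "http://localhost",
				Insecure: true,
			},
			TransportTLS: false,
		},
```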
@ -170,7 +170,7 @@ func GetKubeConfig(cmd *cobra.Command) *client.Config {
|
|||||||
}
|
}
|
||||||
config.Host = host
|
config.Host = host
|
||||||
|
|
||||||
if client.IsConfigTransportSecure(config) {
|
if client.IsConfigTransportTLS(config) {
|
||||||
// Get the values from the file on disk (or from the user at the
|
// Get the values from the file on disk (or from the user at the
|
||||||
// command line). Override them with the command line parameters, if
|
// command line). Override them with the command line parameters, if
|
||||||
// provided.
|
// provided.
|
||||||
|