github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-02 16:29:21 +00:00
Code Issues Projects Releases Wiki Activity

refactor tls init for reuse

Browse Source
This commit is contained in:
James DeFelice 2015-06-05 11:45:40 +00:00
parent 7309e1f707
commit b3c8f71aca
1 changed files with 27 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
cmd/kubelet/app/server.go
View File

@ -284,23 +284,9 @@ func (s *KubeletServer) Run(_ []string) error {
return err return err
} }
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" { tlsOptions, err := s.InitializeTLS()
s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt") if err != nil {
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key") return err
if err := util.GenerateSelfSignedCert(util.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
return fmt.Errorf("unable to generate self signed cert: %v", err)
}
glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
}
tlsOptions := &kubelet.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability).
MinVersion: tls.VersionTLS10,
// Populate PeerCertificates in requests, but don't yet reject connections without certificates.
ClientAuth: tls.RequestClientCert,
},
CertFile: s.TLSCertFile,
KeyFile: s.TLSPrivateKeyFile,
} }
mounter := mount.New() mounter := mount.New()
@ -391,6 +377,30 @@ func (s *KubeletServer) Run(_ []string) error {
select {} select {}
} }
// InitializeTLS checks for a configured TLSCertFile and TLSPrivateKeyFile: if unspecified a new self-signed
// certificate and key file are generated. Returns a configured kubelet.TLSOptions object.
func (s *KubeletServer) InitializeTLS() (*kubelet.TLSOptions, error) {
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
if err := util.GenerateSelfSignedCert(util.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
}
glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
}
tlsOptions := &kubelet.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability).
MinVersion: tls.VersionTLS10,
// Populate PeerCertificates in requests, but don't yet reject connections without certificates.
ClientAuth: tls.RequestClientCert,
},
CertFile: s.TLSCertFile,
KeyFile: s.TLSPrivateKeyFile,
}
return tlsOptions, nil
}
func (s *KubeletServer) authPathClientConfig(useDefaults bool) (*client.Config, error) { func (s *KubeletServer) authPathClientConfig(useDefaults bool) (*client.Config, error) {
authInfo, err := clientauth.LoadFromFile(s.AuthPath.Value()) authInfo, err := clientauth.LoadFromFile(s.AuthPath.Value())
if err != nil && !useDefaults { if err != nil && !useDefaults {