mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
move insecure options to kubeapiserver
This commit is contained in:
deads2k
parent
d6c5f05954
commit
c2f8ef1b1a
@ -32,6 +32,7 @@ go_library(
|
||||
"//pkg/kubeapiserver:go_default_library",
|
||||
"//pkg/kubeapiserver/admission:go_default_library",
|
||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||
"//pkg/kubeapiserver/options:go_default_library",
|
||||
"//pkg/master:go_default_library",
|
||||
"//pkg/master/thirdparty:go_default_library",
|
||||
"//pkg/master/tunneler:go_default_library",
|
||||
|
||||
@ -44,7 +44,7 @@ type ServerRunOptions struct {
|
||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||
Etcd *genericoptions.EtcdOptions
|
||||
SecureServing *genericoptions.SecureServingOptions
|
||||
InsecureServing *genericoptions.ServingOptions
|
||||
InsecureServing *kubeoptions.InsecureServingOptions
|
||||
Audit *genericoptions.AuditLogOptions
|
||||
Features *genericoptions.FeatureOptions
|
||||
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
||||
@ -74,7 +74,7 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
||||
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
||||
SecureServing: kubeoptions.NewSecureServingOptions(),
|
||||
InsecureServing: genericoptions.NewInsecureServingOptions(),
|
||||
InsecureServing: kubeoptions.NewInsecureServingOptions(),
|
||||
Audit: genericoptions.NewAuditLogOptions(),
|
||||
Features: genericoptions.NewFeatureOptions(),
|
||||
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
||||
|
||||
@ -66,6 +66,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/kubeapiserver"
|
||||
kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
||||
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
||||
"k8s.io/kubernetes/pkg/master"
|
||||
"k8s.io/kubernetes/pkg/master/tunneler"
|
||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||
@ -441,7 +442,11 @@ func BuildStorageFactory(s *options.ServerRunOptions) (*serverstorage.DefaultSto
|
||||
}
|
||||
|
||||
func defaultOptions(s *options.ServerRunOptions) error {
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
|
||||
// set defaults
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
|
||||
return err
|
||||
}
|
||||
_, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
|
||||
|
||||
@ -41,6 +41,7 @@ go_library(
|
||||
"//pkg/generated/openapi:go_default_library",
|
||||
"//pkg/kubeapiserver:go_default_library",
|
||||
"//pkg/kubeapiserver/admission:go_default_library",
|
||||
"//pkg/kubeapiserver/options:go_default_library",
|
||||
"//pkg/registry/autoscaling/horizontalpodautoscaler/storage:go_default_library",
|
||||
"//pkg/registry/batch/job/storage:go_default_library",
|
||||
"//pkg/registry/cachesize:go_default_library",
|
||||
|
||||
@ -36,7 +36,7 @@ type ServerRunOptions struct {
|
||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||
Etcd *genericoptions.EtcdOptions
|
||||
SecureServing *genericoptions.SecureServingOptions
|
||||
InsecureServing *genericoptions.ServingOptions
|
||||
InsecureServing *kubeoptions.InsecureServingOptions
|
||||
Audit *genericoptions.AuditLogOptions
|
||||
Features *genericoptions.FeatureOptions
|
||||
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
||||
@ -54,7 +54,7 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
||||
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
||||
SecureServing: kubeoptions.NewSecureServingOptions(),
|
||||
InsecureServing: genericoptions.NewInsecureServingOptions(),
|
||||
InsecureServing: kubeoptions.NewInsecureServingOptions(),
|
||||
Audit: genericoptions.NewAuditLogOptions(),
|
||||
Features: genericoptions.NewFeatureOptions(),
|
||||
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
||||
|
||||
@ -45,6 +45,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/generated/openapi"
|
||||
"k8s.io/kubernetes/pkg/kubeapiserver"
|
||||
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||
"k8s.io/kubernetes/pkg/routes"
|
||||
"k8s.io/kubernetes/pkg/version"
|
||||
@ -81,7 +82,10 @@ func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
|
||||
// stop with the given channel.
|
||||
func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
|
||||
// set defaults
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), nil, nil); err != nil {
|
||||
|
||||
@ -28,8 +28,10 @@ go_library(
|
||||
"//pkg/kubeapiserver/authorizer:go_default_library",
|
||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:github.com/pborman/uuid",
|
||||
"//vendor:github.com/spf13/pflag",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||
"//vendor:k8s.io/apiserver/pkg/server",
|
||||
"//vendor:k8s.io/apiserver/pkg/server/options",
|
||||
"//vendor:k8s.io/apiserver/pkg/util/flag",
|
||||
|
||||
@ -18,8 +18,15 @@ limitations under the License.
|
||||
package options
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
|
||||
"github.com/pborman/uuid"
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||
)
|
||||
|
||||
@ -27,13 +34,101 @@ import (
|
||||
// "normal" API servers running on the platform
|
||||
func NewSecureServingOptions() *genericoptions.SecureServingOptions {
|
||||
return &genericoptions.SecureServingOptions{
|
||||
ServingOptions: genericoptions.ServingOptions{
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: 6443,
|
||||
},
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: 6443,
|
||||
ServerCert: genericoptions.GeneratableKeyCert{
|
||||
PairName: "apiserver",
|
||||
CertDirectory: "/var/run/kubernetes",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
||||
// unset. The field will be set based on the SecureServingOptions. If
|
||||
// the SecureServingOptions is not present, DefaultExternalAddress
|
||||
// will fall back to the insecure ServingOptions.
|
||||
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
|
||||
if insecure == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||
hostIP, err := insecure.DefaultExternalAddress()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||
}
|
||||
s.AdvertiseAddress = hostIP
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
type InsecureServingOptions struct {
|
||||
BindAddress net.IP
|
||||
BindPort int
|
||||
}
|
||||
|
||||
// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
func NewInsecureServingOptions() *InsecureServingOptions {
|
||||
return &InsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
}
|
||||
|
||||
func (s InsecureServingOptions) Validate(portArg string) []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
||||
"Defaults to localhost.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup.")
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) ApplyTo(c *server.Config) error {
|
||||
if s.BindPort <= 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
c.InsecureServingInfo = &server.ServingInfo{
|
||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||
}
|
||||
|
||||
var err error
|
||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -71,29 +71,19 @@ func (s *ServerRunOptions) ApplyTo(c *server.Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
||||
// unset. The field will be set based on the SecureServingOptions. If
|
||||
// the SecureServingOptions is not present, DefaultExternalAddress
|
||||
// will fall back to the insecure ServingOptions.
|
||||
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions, insecure *ServingOptions) error {
|
||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||
switch {
|
||||
case secure != nil:
|
||||
hostIP, err := secure.ServingOptions.DefaultExternalAddress()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||
}
|
||||
s.AdvertiseAddress = hostIP
|
||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.
|
||||
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error {
|
||||
if secure == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
case insecure != nil:
|
||||
hostIP, err := insecure.DefaultExternalAddress()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||
}
|
||||
s.AdvertiseAddress = hostIP
|
||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||
hostIP, err := secure.DefaultExternalAddress()
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||
}
|
||||
s.AdvertiseAddress = hostIP
|
||||
}
|
||||
|
||||
return nil
|
||||
|
||||
@ -35,13 +35,9 @@ import (
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
)
|
||||
|
||||
type ServingOptions struct {
|
||||
type SecureServingOptions struct {
|
||||
BindAddress net.IP
|
||||
BindPort int
|
||||
}
|
||||
|
||||
type SecureServingOptions struct {
|
||||
ServingOptions ServingOptions
|
||||
|
||||
// ServerCert is the TLS cert info for serving secure traffic
|
||||
ServerCert GeneratableKeyCert
|
||||
@ -71,10 +67,8 @@ type GeneratableKeyCert struct {
|
||||
|
||||
func NewSecureServingOptions() *SecureServingOptions {
|
||||
return &SecureServingOptions{
|
||||
ServingOptions: ServingOptions{
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: 443,
|
||||
},
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: 443,
|
||||
ServerCert: GeneratableKeyCert{
|
||||
PairName: "apiserver",
|
||||
CertDirectory: "apiserver.local.config/certificates",
|
||||
@ -82,23 +76,27 @@ func NewSecureServingOptions() *SecureServingOptions {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) Validate() []error {
|
||||
errors := []error{}
|
||||
if s == nil {
|
||||
return errors
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
|
||||
}
|
||||
|
||||
errors = append(errors, s.ServingOptions.Validate("secure-port")...)
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
|
||||
fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to listen for the --secure-port port. The "+
|
||||
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
|
||||
"clients. If blank, all interfaces will be used (0.0.0.0).")
|
||||
|
||||
fs.IntVar(&s.ServingOptions.BindPort, "secure-port", s.ServingOptions.BindPort, ""+
|
||||
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
|
||||
"The port on which to serve HTTPS with authentication and authorization. If 0, "+
|
||||
"don't serve HTTPS at all.")
|
||||
|
||||
@ -131,13 +129,13 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.ServingOptions.BindAddress, "public-address-override", s.ServingOptions.BindAddress,
|
||||
fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress,
|
||||
"DEPRECATED: see --bind-address instead.")
|
||||
fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
||||
if s.ServingOptions.BindPort <= 0 {
|
||||
if s.BindPort <= 0 {
|
||||
return nil
|
||||
}
|
||||
if err := s.applyServingInfoTo(c); err != nil {
|
||||
@ -173,13 +171,13 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
||||
if s.ServingOptions.BindPort <= 0 {
|
||||
if s.BindPort <= 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
secureServingInfo := &server.SecureServingInfo{
|
||||
ServingInfo: server.ServingInfo{
|
||||
BindAddress: net.JoinHostPort(s.ServingOptions.BindAddress.String(), strconv.Itoa(s.ServingOptions.BindPort)),
|
||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||
},
|
||||
}
|
||||
|
||||
@ -231,67 +229,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
||||
}
|
||||
|
||||
c.SecureServingInfo = secureServingInfo
|
||||
c.ReadWritePort = s.ServingOptions.BindPort
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func NewInsecureServingOptions() *ServingOptions {
|
||||
return &ServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
}
|
||||
|
||||
func (s ServingOptions) Validate(portArg string) []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *ServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||
}
|
||||
|
||||
func (s *ServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
||||
"Defaults to localhost.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup.")
|
||||
}
|
||||
|
||||
func (s *ServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
}
|
||||
|
||||
func (s *ServingOptions) ApplyTo(c *server.Config) error {
|
||||
if s.BindPort <= 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
c.InsecureServingInfo = &server.ServingInfo{
|
||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||
}
|
||||
|
||||
var err error
|
||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
|
||||
return err
|
||||
}
|
||||
c.ReadWritePort = s.BindPort
|
||||
|
||||
return nil
|
||||
}
|
||||
@ -301,7 +239,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
|
||||
return nil
|
||||
}
|
||||
keyCert := &s.ServerCert.CertKey
|
||||
if s.ServingOptions.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
|
||||
if s.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -314,11 +252,11 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
|
||||
}
|
||||
if !canReadCertAndKey {
|
||||
// add either the bind address or localhost to the valid alternates
|
||||
bindIP := s.ServingOptions.BindAddress.String()
|
||||
bindIP := s.BindAddress.String()
|
||||
if bindIP == "0.0.0.0" {
|
||||
alternateDNS = append(alternateDNS, "localhost")
|
||||
} else {
|
||||
alternateIPs = append(alternateIPs, s.ServingOptions.BindAddress)
|
||||
alternateIPs = append(alternateIPs, s.BindAddress)
|
||||
}
|
||||
|
||||
if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil {
|
||||
|
||||
@ -459,10 +459,8 @@ NextTest:
|
||||
|
||||
config.EnableIndex = true
|
||||
secureOptions := &SecureServingOptions{
|
||||
ServingOptions: ServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 6443,
|
||||
},
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 6443,
|
||||
ServerCert: GeneratableKeyCert{
|
||||
CertKey: CertKey{
|
||||
CertFile: serverCertBundleFile,
|
||||
|
||||
@ -96,7 +96,6 @@ func NewDefaultOptions(out, err io.Writer) *AggregatorOptions {
|
||||
StdOut: out,
|
||||
StdErr: err,
|
||||
}
|
||||
o.RecommendedOptions.SecureServing.ServingOptions.BindPort = 443
|
||||
return o
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user