Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
4f625db1
Commit
4f625db1
authored
Dec 05, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
move client-ca to authentication args
parent
2c63b6f5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
36 additions
and
14 deletions
+36
-14
server.go
cmd/kube-apiserver/app/server.go
+1
-1
server.go
federation/cmd/federation-apiserver/app/server.go
+1
-1
config.go
pkg/genericapiserver/config.go
+4
-1
authentication.go
pkg/genericapiserver/options/authentication.go
+30
-4
serving.go
pkg/genericapiserver/options/serving.go
+0
-7
No files found.
cmd/kube-apiserver/app/server.go
View file @
4f625db1
...
...
@@ -219,7 +219,7 @@ func Run(s *options.ServerRunOptions) error {
}
}
authenticatorConfig
:=
s
.
Authentication
.
ToAuthenticationConfig
(
s
.
SecureServing
.
ClientCA
)
authenticatorConfig
:=
s
.
Authentication
.
ToAuthenticationConfig
()
if
s
.
Authentication
.
ServiceAccounts
.
Lookup
{
// If we need to look up service accounts and tokens,
// go directly to etcd to avoid recursive auth insanity
...
...
federation/cmd/federation-apiserver/app/server.go
View file @
4f625db1
...
...
@@ -126,7 +126,7 @@ func Run(s *options.ServerRunOptions) error {
storageFactory
.
SetEtcdLocation
(
groupResource
,
servers
)
}
apiAuthenticator
,
securityDefinitions
,
err
:=
authenticator
.
New
(
s
.
Authentication
.
ToAuthenticationConfig
(
s
.
SecureServing
.
ClientCA
))
apiAuthenticator
,
securityDefinitions
,
err
:=
authenticator
.
New
(
s
.
Authentication
.
ToAuthenticationConfig
())
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authentication Config: %v"
,
err
)
}
...
...
pkg/genericapiserver/config.go
View file @
4f625db1
...
...
@@ -232,7 +232,6 @@ func (c *Config) ApplySecureServingOptions(secureServing *options.SecureServingO
ServingInfo
:
ServingInfo
{
BindAddress
:
net
.
JoinHostPort
(
secureServing
.
ServingOptions
.
BindAddress
.
String
(),
strconv
.
Itoa
(
secureServing
.
ServingOptions
.
BindPort
)),
},
ClientCA
:
secureServing
.
ClientCA
,
}
serverCertFile
,
serverKeyFile
:=
secureServing
.
ServerCert
.
CertKey
.
CertFile
,
secureServing
.
ServerCert
.
CertKey
.
KeyFile
...
...
@@ -305,6 +304,10 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
return
c
}
if
o
.
ClientCert
!=
nil
&&
c
.
SecureServingInfo
!=
nil
{
c
.
SecureServingInfo
.
ClientCA
=
o
.
ClientCert
.
ClientCA
}
c
.
SupportsBasicAuth
=
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
return
c
}
...
...
pkg/genericapiserver/options/authentication.go
View file @
4f625db1
...
...
@@ -29,6 +29,7 @@ import (
type
BuiltInAuthenticationOptions
struct
{
Anonymous
*
AnonymousAuthenticationOptions
AnyToken
*
AnyTokenAuthenticationOptions
ClientCert
*
ClientCertAuthenticationOptions
Keystone
*
KeystoneAuthenticationOptions
OIDC
*
OIDCAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
...
...
@@ -85,6 +86,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
return
s
.
WithAnyonymous
()
.
WithAnyToken
()
.
WithClientCert
()
.
WithKeystone
()
.
WithOIDC
()
.
WithPasswordFile
()
.
...
...
@@ -104,6 +106,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithClientCert
()
*
BuiltInAuthenticationOptions
{
s
.
ClientCert
=
&
ClientCertAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithKeystone
()
*
BuiltInAuthenticationOptions
{
s
.
Keystone
=
&
KeystoneAuthenticationOptions
{}
return
s
...
...
@@ -161,6 +168,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
if
s
.
ClientCert
!=
nil
{
s
.
ClientCert
.
AddFlags
(
fs
)
}
if
s
.
Keystone
!=
nil
{
fs
.
StringVar
(
&
s
.
Keystone
.
URL
,
"experimental-keystone-url"
,
s
.
Keystone
.
URL
,
"If passed, activates the keystone authentication plugin."
)
...
...
@@ -229,10 +240,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
(
clientCAFile
string
)
authenticator
.
AuthenticatorConfig
{
ret
:=
authenticator
.
AuthenticatorConfig
{
ClientCAFile
:
clientCAFile
,
}
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
()
authenticator
.
AuthenticatorConfig
{
ret
:=
authenticator
.
AuthenticatorConfig
{}
if
s
.
Anonymous
!=
nil
{
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
...
...
@@ -241,6 +251,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
ret
.
AnyToken
=
s
.
AnyToken
.
Allow
}
if
s
.
ClientCert
!=
nil
{
ret
.
ClientCAFile
=
s
.
ClientCert
.
ClientCA
}
if
s
.
Keystone
!=
nil
{
ret
.
KeystoneURL
=
s
.
Keystone
.
URL
ret
.
KeystoneCAFile
=
s
.
Keystone
.
CAFile
...
...
@@ -323,6 +337,18 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig
}
}
type
ClientCertAuthenticationOptions
struct
{
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA
string
}
func
(
s
*
ClientCertAuthenticationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
StringVar
(
&
s
.
ClientCA
,
"client-ca-file"
,
s
.
ClientCA
,
""
+
"If set, any request presenting a client certificate signed by one of "
+
"the authorities in the client-ca-file is authenticated with an identity "
+
"corresponding to the CommonName of the client certificate."
)
}
// DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
// the root kube API server
type
DelegatingAuthenticationOptions
struct
{
...
...
pkg/genericapiserver/options/serving.go
View file @
4f625db1
...
...
@@ -41,8 +41,6 @@ type SecureServingOptions struct {
ServerCert
GeneratableKeyCert
// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
SNICertKeys
[]
config
.
NamedCertKey
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA
string
}
type
CertKey
struct
{
...
...
@@ -124,11 +122,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"trump over extracted names. For multiple key/certificate pairs, use the "
+
"--tls-sni-cert-key multiple times. "
+
"Examples:
\"
example.key,example.crt
\"
or
\"
*.foo.com,foo.com:foo.key,foo.crt
\"
."
)
fs
.
StringVar
(
&
s
.
ClientCA
,
"client-ca-file"
,
s
.
ClientCA
,
""
+
"If set, any request presenting a client certificate signed by one of "
+
"the authorities in the client-ca-file is authenticated with an identity "
+
"corresponding to the CommonName of the client certificate."
)
}
func
(
s
*
SecureServingOptions
)
AddDeprecatedFlags
(
fs
*
pflag
.
FlagSet
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment