Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
4f625db1
Commit
4f625db1
authored
Dec 05, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
move client-ca to authentication args
parent
2c63b6f5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
36 additions
and
14 deletions
+36
-14
server.go
cmd/kube-apiserver/app/server.go
+1
-1
server.go
federation/cmd/federation-apiserver/app/server.go
+1
-1
config.go
pkg/genericapiserver/config.go
+4
-1
authentication.go
pkg/genericapiserver/options/authentication.go
+30
-4
serving.go
pkg/genericapiserver/options/serving.go
+0
-7
No files found.
cmd/kube-apiserver/app/server.go
View file @
4f625db1
...
@@ -219,7 +219,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -219,7 +219,7 @@ func Run(s *options.ServerRunOptions) error {
}
}
}
}
authenticatorConfig
:=
s
.
Authentication
.
ToAuthenticationConfig
(
s
.
SecureServing
.
ClientCA
)
authenticatorConfig
:=
s
.
Authentication
.
ToAuthenticationConfig
()
if
s
.
Authentication
.
ServiceAccounts
.
Lookup
{
if
s
.
Authentication
.
ServiceAccounts
.
Lookup
{
// If we need to look up service accounts and tokens,
// If we need to look up service accounts and tokens,
// go directly to etcd to avoid recursive auth insanity
// go directly to etcd to avoid recursive auth insanity
...
...
federation/cmd/federation-apiserver/app/server.go
View file @
4f625db1
...
@@ -126,7 +126,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -126,7 +126,7 @@ func Run(s *options.ServerRunOptions) error {
storageFactory
.
SetEtcdLocation
(
groupResource
,
servers
)
storageFactory
.
SetEtcdLocation
(
groupResource
,
servers
)
}
}
apiAuthenticator
,
securityDefinitions
,
err
:=
authenticator
.
New
(
s
.
Authentication
.
ToAuthenticationConfig
(
s
.
SecureServing
.
ClientCA
))
apiAuthenticator
,
securityDefinitions
,
err
:=
authenticator
.
New
(
s
.
Authentication
.
ToAuthenticationConfig
())
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authentication Config: %v"
,
err
)
glog
.
Fatalf
(
"Invalid Authentication Config: %v"
,
err
)
}
}
...
...
pkg/genericapiserver/config.go
View file @
4f625db1
...
@@ -232,7 +232,6 @@ func (c *Config) ApplySecureServingOptions(secureServing *options.SecureServingO
...
@@ -232,7 +232,6 @@ func (c *Config) ApplySecureServingOptions(secureServing *options.SecureServingO
ServingInfo
:
ServingInfo
{
ServingInfo
:
ServingInfo
{
BindAddress
:
net
.
JoinHostPort
(
secureServing
.
ServingOptions
.
BindAddress
.
String
(),
strconv
.
Itoa
(
secureServing
.
ServingOptions
.
BindPort
)),
BindAddress
:
net
.
JoinHostPort
(
secureServing
.
ServingOptions
.
BindAddress
.
String
(),
strconv
.
Itoa
(
secureServing
.
ServingOptions
.
BindPort
)),
},
},
ClientCA
:
secureServing
.
ClientCA
,
}
}
serverCertFile
,
serverKeyFile
:=
secureServing
.
ServerCert
.
CertKey
.
CertFile
,
secureServing
.
ServerCert
.
CertKey
.
KeyFile
serverCertFile
,
serverKeyFile
:=
secureServing
.
ServerCert
.
CertKey
.
CertFile
,
secureServing
.
ServerCert
.
CertKey
.
KeyFile
...
@@ -305,6 +304,10 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
...
@@ -305,6 +304,10 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
return
c
return
c
}
}
if
o
.
ClientCert
!=
nil
&&
c
.
SecureServingInfo
!=
nil
{
c
.
SecureServingInfo
.
ClientCA
=
o
.
ClientCert
.
ClientCA
}
c
.
SupportsBasicAuth
=
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
SupportsBasicAuth
=
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
return
c
return
c
}
}
...
...
pkg/genericapiserver/options/authentication.go
View file @
4f625db1
...
@@ -29,6 +29,7 @@ import (
...
@@ -29,6 +29,7 @@ import (
type
BuiltInAuthenticationOptions
struct
{
type
BuiltInAuthenticationOptions
struct
{
Anonymous
*
AnonymousAuthenticationOptions
Anonymous
*
AnonymousAuthenticationOptions
AnyToken
*
AnyTokenAuthenticationOptions
AnyToken
*
AnyTokenAuthenticationOptions
ClientCert
*
ClientCertAuthenticationOptions
Keystone
*
KeystoneAuthenticationOptions
Keystone
*
KeystoneAuthenticationOptions
OIDC
*
OIDCAuthenticationOptions
OIDC
*
OIDCAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
...
@@ -85,6 +86,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
...
@@ -85,6 +86,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
return
s
.
return
s
.
WithAnyonymous
()
.
WithAnyonymous
()
.
WithAnyToken
()
.
WithAnyToken
()
.
WithClientCert
()
.
WithKeystone
()
.
WithKeystone
()
.
WithOIDC
()
.
WithOIDC
()
.
WithPasswordFile
()
.
WithPasswordFile
()
.
...
@@ -104,6 +106,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
...
@@ -104,6 +106,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
return
s
return
s
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithClientCert
()
*
BuiltInAuthenticationOptions
{
s
.
ClientCert
=
&
ClientCertAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithKeystone
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithKeystone
()
*
BuiltInAuthenticationOptions
{
s
.
Keystone
=
&
KeystoneAuthenticationOptions
{}
s
.
Keystone
=
&
KeystoneAuthenticationOptions
{}
return
s
return
s
...
@@ -161,6 +168,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -161,6 +168,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
if
s
.
ClientCert
!=
nil
{
s
.
ClientCert
.
AddFlags
(
fs
)
}
if
s
.
Keystone
!=
nil
{
if
s
.
Keystone
!=
nil
{
fs
.
StringVar
(
&
s
.
Keystone
.
URL
,
"experimental-keystone-url"
,
s
.
Keystone
.
URL
,
fs
.
StringVar
(
&
s
.
Keystone
.
URL
,
"experimental-keystone-url"
,
s
.
Keystone
.
URL
,
"If passed, activates the keystone authentication plugin."
)
"If passed, activates the keystone authentication plugin."
)
...
@@ -229,10 +240,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -229,10 +240,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
(
clientCAFile
string
)
authenticator
.
AuthenticatorConfig
{
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
()
authenticator
.
AuthenticatorConfig
{
ret
:=
authenticator
.
AuthenticatorConfig
{
ret
:=
authenticator
.
AuthenticatorConfig
{}
ClientCAFile
:
clientCAFile
,
}
if
s
.
Anonymous
!=
nil
{
if
s
.
Anonymous
!=
nil
{
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
}
...
@@ -241,6 +251,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
...
@@ -241,6 +251,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
ret
.
AnyToken
=
s
.
AnyToken
.
Allow
ret
.
AnyToken
=
s
.
AnyToken
.
Allow
}
}
if
s
.
ClientCert
!=
nil
{
ret
.
ClientCAFile
=
s
.
ClientCert
.
ClientCA
}
if
s
.
Keystone
!=
nil
{
if
s
.
Keystone
!=
nil
{
ret
.
KeystoneURL
=
s
.
Keystone
.
URL
ret
.
KeystoneURL
=
s
.
Keystone
.
URL
ret
.
KeystoneCAFile
=
s
.
Keystone
.
CAFile
ret
.
KeystoneCAFile
=
s
.
Keystone
.
CAFile
...
@@ -323,6 +337,18 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig
...
@@ -323,6 +337,18 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig
}
}
}
}
type
ClientCertAuthenticationOptions
struct
{
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA
string
}
func
(
s
*
ClientCertAuthenticationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
StringVar
(
&
s
.
ClientCA
,
"client-ca-file"
,
s
.
ClientCA
,
""
+
"If set, any request presenting a client certificate signed by one of "
+
"the authorities in the client-ca-file is authenticated with an identity "
+
"corresponding to the CommonName of the client certificate."
)
}
// DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
// DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
// the root kube API server
// the root kube API server
type
DelegatingAuthenticationOptions
struct
{
type
DelegatingAuthenticationOptions
struct
{
...
...
pkg/genericapiserver/options/serving.go
View file @
4f625db1
...
@@ -41,8 +41,6 @@ type SecureServingOptions struct {
...
@@ -41,8 +41,6 @@ type SecureServingOptions struct {
ServerCert
GeneratableKeyCert
ServerCert
GeneratableKeyCert
// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
SNICertKeys
[]
config
.
NamedCertKey
SNICertKeys
[]
config
.
NamedCertKey
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA
string
}
}
type
CertKey
struct
{
type
CertKey
struct
{
...
@@ -124,11 +122,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -124,11 +122,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"trump over extracted names. For multiple key/certificate pairs, use the "
+
"trump over extracted names. For multiple key/certificate pairs, use the "
+
"--tls-sni-cert-key multiple times. "
+
"--tls-sni-cert-key multiple times. "
+
"Examples:
\"
example.key,example.crt
\"
or
\"
*.foo.com,foo.com:foo.key,foo.crt
\"
."
)
"Examples:
\"
example.key,example.crt
\"
or
\"
*.foo.com,foo.com:foo.key,foo.crt
\"
."
)
fs
.
StringVar
(
&
s
.
ClientCA
,
"client-ca-file"
,
s
.
ClientCA
,
""
+
"If set, any request presenting a client certificate signed by one of "
+
"the authorities in the client-ca-file is authenticated with an identity "
+
"corresponding to the CommonName of the client certificate."
)
}
}
func
(
s
*
SecureServingOptions
)
AddDeprecatedFlags
(
fs
*
pflag
.
FlagSet
)
{
func
(
s
*
SecureServingOptions
)
AddDeprecatedFlags
(
fs
*
pflag
.
FlagSet
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment