Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
d196d63c
Unverified
Commit
d196d63c
authored
Oct 30, 2018
by
k8s-ci-robot
Committed by
GitHub
Oct 30, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #69884 from liggitt/self-sign-in-memory
Allow components to generate certificates in-memory
parents
76234a31
b7160d4e
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
44 additions
and
16 deletions
+44
-16
options.go
cmd/cloud-controller-manager/app/options/options.go
+3
-1
options_test.go
cmd/cloud-controller-manager/app/options/options_test.go
+1
-1
options.go
cmd/kube-controller-manager/app/options/options.go
+2
-1
serving.go
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+38
-13
No files found.
cmd/cloud-controller-manager/app/options/options.go
View file @
d196d63c
...
@@ -44,6 +44,7 @@ import (
...
@@ -44,6 +44,7 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/controller"
"k8s.io/kubernetes/pkg/controller"
"k8s.io/kubernetes/pkg/master/ports"
"k8s.io/kubernetes/pkg/master/ports"
// add the kubernetes feature gates
// add the kubernetes feature gates
_
"k8s.io/kubernetes/pkg/features"
_
"k8s.io/kubernetes/pkg/features"
)
)
...
@@ -102,7 +103,8 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
...
@@ -102,7 +103,8 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
s
.
Authorization
.
RemoteKubeConfigFileOptional
=
true
s
.
Authorization
.
RemoteKubeConfigFileOptional
=
true
s
.
Authorization
.
AlwaysAllowPaths
=
[]
string
{
"/healthz"
}
s
.
Authorization
.
AlwaysAllowPaths
=
[]
string
{
"/healthz"
}
s
.
SecureServing
.
ServerCert
.
CertDirectory
=
"/var/run/kubernetes"
// Set the PairName but leave certificate directory blank to generate in-memory by default
s
.
SecureServing
.
ServerCert
.
CertDirectory
=
""
s
.
SecureServing
.
ServerCert
.
PairName
=
"cloud-controller-manager"
s
.
SecureServing
.
ServerCert
.
PairName
=
"cloud-controller-manager"
s
.
SecureServing
.
BindPort
=
ports
.
CloudControllerManagerPort
s
.
SecureServing
.
BindPort
=
ports
.
CloudControllerManagerPort
...
...
cmd/cloud-controller-manager/app/options/options_test.go
View file @
d196d63c
...
@@ -78,7 +78,7 @@ func TestDefaultFlags(t *testing.T) {
...
@@ -78,7 +78,7 @@ func TestDefaultFlags(t *testing.T) {
BindPort
:
10258
,
BindPort
:
10258
,
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
ServerCert
:
apiserveroptions
.
GeneratableKeyCert
{
ServerCert
:
apiserveroptions
.
GeneratableKeyCert
{
CertDirectory
:
"
/var/run/kubernetes
"
,
CertDirectory
:
""
,
PairName
:
"cloud-controller-manager"
,
PairName
:
"cloud-controller-manager"
,
},
},
HTTP2MaxStreamsPerConnection
:
0
,
HTTP2MaxStreamsPerConnection
:
0
,
...
...
cmd/kube-controller-manager/app/options/options.go
View file @
d196d63c
...
@@ -190,7 +190,8 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
...
@@ -190,7 +190,8 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
s
.
Authorization
.
RemoteKubeConfigFileOptional
=
true
s
.
Authorization
.
RemoteKubeConfigFileOptional
=
true
s
.
Authorization
.
AlwaysAllowPaths
=
[]
string
{
"/healthz"
}
s
.
Authorization
.
AlwaysAllowPaths
=
[]
string
{
"/healthz"
}
s
.
SecureServing
.
ServerCert
.
CertDirectory
=
"/var/run/kubernetes"
// Set the PairName but leave certificate directory blank to generate in-memory by default
s
.
SecureServing
.
ServerCert
.
CertDirectory
=
""
s
.
SecureServing
.
ServerCert
.
PairName
=
"kube-controller-manager"
s
.
SecureServing
.
ServerCert
.
PairName
=
"kube-controller-manager"
s
.
SecureServing
.
BindPort
=
ports
.
KubeControllerManagerPort
s
.
SecureServing
.
BindPort
=
ports
.
KubeControllerManagerPort
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
View file @
d196d63c
...
@@ -75,19 +75,25 @@ type CertKey struct {
...
@@ -75,19 +75,25 @@ type CertKey struct {
}
}
type
GeneratableKeyCert
struct
{
type
GeneratableKeyCert
struct
{
// CertKey allows setting an explicit cert/key file to use.
CertKey
CertKey
CertKey
CertKey
// CertDirectory is a directory that will contain the certificates. If the cert and key aren't specifically set
// CertDirectory specifies a directory to write generated certificates to if CertFile/KeyFile aren't explicitly set.
// this will be used to derive a match with the "pair-name"
// PairName is used to determine the filenames within CertDirectory.
// If CertDirectory and PairName are not set, an in-memory certificate will be generated.
CertDirectory
string
CertDirectory
string
// PairName is the name which will be used with CertDirectory to make a cert and key filenames.
// It becomes CertDirectory/PairName.crt and CertDirectory/PairName.key
PairName
string
// GeneratedCert holds an in-memory generated certificate if CertFile/KeyFile aren't explicitly set, and CertDirectory/PairName are not set.
GeneratedCert
*
tls
.
Certificate
// FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests.
// FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests.
// The format is:
// The format is:
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
FixtureDirectory
string
FixtureDirectory
string
// PairName is the name which will be used with CertDirectory to make a cert and key names
// It becomes CertDirector/PairName.crt and CertDirector/PairName.key
PairName
string
}
}
func
NewSecureServingOptions
()
*
SecureServingOptions
{
func
NewSecureServingOptions
()
*
SecureServingOptions
{
...
@@ -121,6 +127,10 @@ func (s *SecureServingOptions) Validate() []error {
...
@@ -121,6 +127,10 @@ func (s *SecureServingOptions) Validate() []error {
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port"
,
s
.
BindPort
))
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port"
,
s
.
BindPort
))
}
}
if
(
len
(
s
.
ServerCert
.
CertKey
.
CertFile
)
!=
0
||
len
(
s
.
ServerCert
.
CertKey
.
KeyFile
)
!=
0
)
&&
s
.
ServerCert
.
GeneratedCert
!=
nil
{
errors
=
append
(
errors
,
fmt
.
Errorf
(
"cert/key file and in-memory certificate cannot both be set"
))
}
return
errors
return
errors
}
}
...
@@ -219,6 +229,8 @@ func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
...
@@ -219,6 +229,8 @@ func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
return
fmt
.
Errorf
(
"unable to load server certificate: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load server certificate: %v"
,
err
)
}
}
c
.
Cert
=
&
tlsCert
c
.
Cert
=
&
tlsCert
}
else
if
s
.
ServerCert
.
GeneratedCert
!=
nil
{
c
.
Cert
=
s
.
ServerCert
.
GeneratedCert
}
}
if
len
(
s
.
CipherSuites
)
!=
0
{
if
len
(
s
.
CipherSuites
)
!=
0
{
...
@@ -264,13 +276,20 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
...
@@ -264,13 +276,20 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
return
nil
return
nil
}
}
keyCert
.
CertFile
=
path
.
Join
(
s
.
ServerCert
.
CertDirectory
,
s
.
ServerCert
.
PairName
+
".crt"
)
canReadCertAndKey
:=
false
keyCert
.
KeyFile
=
path
.
Join
(
s
.
ServerCert
.
CertDirectory
,
s
.
ServerCert
.
PairName
+
".key"
)
if
len
(
s
.
ServerCert
.
CertDirectory
)
>
0
{
if
len
(
s
.
ServerCert
.
PairName
)
==
0
{
canReadCertAndKey
,
err
:=
certutil
.
CanReadCertAndKey
(
keyCert
.
CertFile
,
keyCert
.
KeyFile
)
return
fmt
.
Errorf
(
"PairName is required if CertDirectory is set"
)
if
err
!=
nil
{
}
return
err
keyCert
.
CertFile
=
path
.
Join
(
s
.
ServerCert
.
CertDirectory
,
s
.
ServerCert
.
PairName
+
".crt"
)
keyCert
.
KeyFile
=
path
.
Join
(
s
.
ServerCert
.
CertDirectory
,
s
.
ServerCert
.
PairName
+
".key"
)
if
canRead
,
err
:=
certutil
.
CanReadCertAndKey
(
keyCert
.
CertFile
,
keyCert
.
KeyFile
);
err
!=
nil
{
return
err
}
else
{
canReadCertAndKey
=
canRead
}
}
}
if
!
canReadCertAndKey
{
if
!
canReadCertAndKey
{
// add either the bind address or localhost to the valid alternates
// add either the bind address or localhost to the valid alternates
bindIP
:=
s
.
BindAddress
.
String
()
bindIP
:=
s
.
BindAddress
.
String
()
...
@@ -282,15 +301,21 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
...
@@ -282,15 +301,21 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
if
cert
,
key
,
err
:=
certutil
.
GenerateSelfSignedCertKeyWithFixtures
(
publicAddress
,
alternateIPs
,
alternateDNS
,
s
.
ServerCert
.
FixtureDirectory
);
err
!=
nil
{
if
cert
,
key
,
err
:=
certutil
.
GenerateSelfSignedCertKeyWithFixtures
(
publicAddress
,
alternateIPs
,
alternateDNS
,
s
.
ServerCert
.
FixtureDirectory
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to generate self signed cert: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to generate self signed cert: %v"
,
err
)
}
else
{
}
else
if
len
(
keyCert
.
CertFile
)
>
0
&&
len
(
keyCert
.
KeyFile
)
>
0
{
if
err
:=
certutil
.
WriteCert
(
keyCert
.
CertFile
,
cert
);
err
!=
nil
{
if
err
:=
certutil
.
WriteCert
(
keyCert
.
CertFile
,
cert
);
err
!=
nil
{
return
err
return
err
}
}
if
err
:=
certutil
.
WriteKey
(
keyCert
.
KeyFile
,
key
);
err
!=
nil
{
if
err
:=
certutil
.
WriteKey
(
keyCert
.
KeyFile
,
key
);
err
!=
nil
{
return
err
return
err
}
}
glog
.
Infof
(
"Generated self-signed cert (%s, %s)"
,
keyCert
.
CertFile
,
keyCert
.
KeyFile
)
glog
.
Infof
(
"Generated self-signed cert (%s, %s)"
,
keyCert
.
CertFile
,
keyCert
.
KeyFile
)
}
else
{
tlsCert
,
err
:=
tls
.
X509KeyPair
(
cert
,
key
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to generate self signed cert: %v"
,
err
)
}
s
.
ServerCert
.
GeneratedCert
=
&
tlsCert
glog
.
Infof
(
"Generated self-signed cert in-memory"
)
}
}
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment