diff --git a/pkg/scheduler/api/BUILD b/pkg/scheduler/api/BUILD
index b322e1cd21..da8f819eea 100644
--- a/pkg/scheduler/api/BUILD
+++ b/pkg/scheduler/api/BUILD
@@ -22,7 +22,6 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
- "//staging/src/k8s.io/client-go/rest:go_default_library",
 ],
 )
 
diff --git a/pkg/scheduler/api/compatibility/compatibility_test.go b/pkg/scheduler/api/compatibility/compatibility_test.go
index 7bae849127..9a04f19935 100644
--- a/pkg/scheduler/api/compatibility/compatibility_test.go
+++ b/pkg/scheduler/api/compatibility/compatibility_test.go
@@ -398,7 +398,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.7 was missing json tags on the BindVerb field and required "BindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 }},
@@ -490,7 +490,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.8 became case-insensitive and tolerated "bindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 }},
@@ -584,7 +584,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.9 was case-insensitive and tolerated "bindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 }},
@@ -683,7 +683,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.10 was case-insensitive and tolerated "bindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 ManagedResources: []schedulerapi.ExtenderManagedResource{{Name: v1.ResourceName("example.com/foo"), IgnoredByScheduler: true}},
@@ -805,7 +805,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.11 restored case-sensitivity, but allowed either "BindVerb" or "bindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 ManagedResources: []schedulerapi.ExtenderManagedResource{{Name: v1.ResourceName("example.com/foo"), IgnoredByScheduler: true}},
@@ -929,7 +929,7 @@ func TestCompatibility_v1_Scheduler(t *testing.T) {
 Weight: 1,
 BindVerb: "bind", // 1.11 restored case-sensitivity, but allowed either "BindVerb" or "bindVerb"
 EnableHTTPS: true,
- TLSConfig: &restclient.TLSClientConfig{Insecure: true},
+ TLSConfig: &schedulerapi.ExtenderTLSConfig{Insecure: true},
 HTTPTimeout: 1,
 NodeCacheCapable: true,
 ManagedResources: []schedulerapi.ExtenderManagedResource{{Name: v1.ResourceName("example.com/foo"), IgnoredByScheduler: true}},
diff --git a/pkg/scheduler/api/types.go b/pkg/scheduler/api/types.go
index 3bffc21637..fcc490820e 100644
--- a/pkg/scheduler/api/types.go
+++ b/pkg/scheduler/api/types.go
@@ -22,7 +22,6 @@ import (
 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
- restclient "k8s.io/client-go/rest"
 )
 
 const (
@@ -172,6 +171,33 @@ type ExtenderManagedResource struct {
 IgnoredByScheduler bool
 }
 
+// ExtenderTLSConfig contains settings to enable TLS with extender
+type ExtenderTLSConfig struct {
+ // Server should be accessed without verifying the TLS certificate. For testing only.
+ Insecure bool
+ // ServerName is passed to the server for SNI and is used in the client to check server
+ // ceritificates against. If ServerName is empty, the hostname used to contact the
+ // server is used.
+ ServerName string
+
+ // Server requires TLS client certificate authentication
+ CertFile string
+ // Server requires TLS client certificate authentication
+ KeyFile string
+ // Trusted root certificates for server
+ CAFile string
+
+ // CertData holds PEM-encoded bytes (typically read from a client certificate file).
+ // CertData takes precedence over CertFile
+ CertData []byte
+ // KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
+ // KeyData takes precedence over KeyFile
+ KeyData []byte
+ // CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
+ // CAData takes precedence over CAFile
+ CAData []byte
+}
+
 // ExtenderConfig holds the parameters used to communicate with the extender. If a verb is unspecified/empty,
 // it is assumed that the extender chose not to provide that extension.
 type ExtenderConfig struct {
@@ -193,7 +219,7 @@ type ExtenderConfig struct {
 // EnableHTTPS specifies whether https should be used to communicate with the extender
 EnableHTTPS bool
 // TLSConfig specifies the transport layer security config
- TLSConfig *restclient.TLSClientConfig
+ TLSConfig *ExtenderTLSConfig
 // HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
 // timeout is ignored, k8s/other extenders priorities are used to select the node.
 HTTPTimeout time.Duration
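Review bot: The comment on `KeyFile` is a verbatim copy of the `CertFile` comment, so the doc no longer says which field is the key, and the ServerName comment spells `ceritificates`; both are repeated in the v1 copy of this struct (the `@@ -152,6 +151,33 @@` hunk in pkg/scheduler/api/v1/types.go). I would change the KeyFile line to `// KeyFile is the path to the private key paired with CertFile for TLS client certificate authentication` and the spelling to `certificates`. It would also help a reader to say on the type comment that this struct deliberately exposes only the subset of restclient.TLSClientConfig that the extender transport uses, since that is the reason the type exists in this package.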
diff --git a/pkg/scheduler/api/v1/BUILD b/pkg/scheduler/api/v1/BUILD
index 7c911c9ece..85d53c672a 100644
--- a/pkg/scheduler/api/v1/BUILD
+++ b/pkg/scheduler/api/v1/BUILD
@@ -21,7 +21,6 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
- "//staging/src/k8s.io/client-go/rest:go_default_library",
 ],
 )
 
diff --git a/pkg/scheduler/api/v1/types.go b/pkg/scheduler/api/v1/types.go
index 10ea29bb32..b8d4942986 100644
--- a/pkg/scheduler/api/v1/types.go
+++ b/pkg/scheduler/api/v1/types.go
@@ -23,7 +23,6 @@ import (
 apiv1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
- restclient "k8s.io/client-go/rest"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -152,6 +151,33 @@ type ExtenderManagedResource struct {
 IgnoredByScheduler bool `json:"ignoredByScheduler,omitempty"`
 }
 
+// ExtenderTLSConfig contains settings to enable TLS with extender
+type ExtenderTLSConfig struct {
+ // Server should be accessed without verifying the TLS certificate. For testing only.
+ Insecure bool `json:"insecure,omitempty"`
+ // ServerName is passed to the server for SNI and is used in the client to check server
+ // ceritificates against. If ServerName is empty, the hostname used to contact the
+ // server is used.
+ ServerName string `json:"serverName,omitempty"`
+
+ // Server requires TLS client certificate authentication
+ CertFile string `json:"certFile,omitempty"`
+ // Server requires TLS client certificate authentication
+ KeyFile string `json:"keyFile,omitempty"`
+ // Trusted root certificates for server
+ CAFile string `json:"caFile,omitempty"`
+
+ // CertData holds PEM-encoded bytes (typically read from a client certificate file).
+ // CertData takes precedence over CertFile
+ CertData []byte `json:"certData,omitempty"`
+ // KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
+ // KeyData takes precedence over KeyFile
+ KeyData []byte `json:"keyData,omitempty"`
+ // CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
+ // CAData takes precedence over CAFile
+ CAData []byte `json:"caData,omitempty"`
+}
+
 // ExtenderConfig holds the parameters used to communicate with the extender. If a verb is unspecified/empty,
 // it is assumed that the extender chose not to provide that extension.
 type ExtenderConfig struct {
@@ -169,11 +195,11 @@ type ExtenderConfig struct {
 // Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender.
 // If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender
 // can implement this function.
- BindVerb string
+ BindVerb string `json:"bindVerb,omitempty"`
 // EnableHTTPS specifies whether https should be used to communicate with the extender
 EnableHTTPS bool `json:"enableHttps,omitempty"`
 // TLSConfig specifies the transport layer security config
- TLSConfig *restclient.TLSClientConfig `json:"tlsConfig,omitempty"`
+ TLSConfig *ExtenderTLSConfig `json:"tlsConfig,omitempty"`
 // HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize
 // timeout is ignored, k8s/other extenders priorities are used to select the node.
 HTTPTimeout time.Duration `json:"httpTimeout,omitempty"`
diff --git a/pkg/scheduler/api/v1/zz_generated.deepcopy.go b/pkg/scheduler/api/v1/zz_generated.deepcopy.go
index 7fc885f946..b201de16a0 100644
--- a/pkg/scheduler/api/v1/zz_generated.deepcopy.go
+++ b/pkg/scheduler/api/v1/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ package v1
 import (
 corev1 "k8s.io/api/core/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
- rest "k8s.io/client-go/rest"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -98,7 +97,7 @@ func (in *ExtenderConfig) DeepCopyInto(out *ExtenderConfig) {
 *out = *in
 if in.TLSConfig != nil {
 in, out := &in.TLSConfig, &out.TLSConfig
- *out = new(rest.TLSClientConfig)
+ *out = new(ExtenderTLSConfig)
 (*in).DeepCopyInto(*out)
 }
 if in.ManagedResources != nil {
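Review bot: The json tag added to `BindVerb` is a separate change from the TLS type swap and nothing in the hunk says why it is here; encoding/json matches keys case-insensitively on decode, so policies written with `BindVerb` should still load, but anything that marshals a v1 policy now emits `bindVerb` where it previously emitted `BindVerb`. The compatibility test hunks in this commit say both spellings are tolerated on input, so the decode side looks covered; the serialized-output side is not, as far as the visible hunks show. A short field comment would stop the next reader from treating the tag as an accident, e.g. `// Serialized as "bindVerb"; "BindVerb" is still accepted when decoding.` The enclosing struct continues outside the hunk.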
@@ -254,6 +253,37 @@ func (in *ExtenderPreemptionResult) DeepCopy() *ExtenderPreemptionResult {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtenderTLSConfig) DeepCopyInto(out *ExtenderTLSConfig) {
+ *out = *in
+ if in.CertData != nil {
+ in, out := &in.CertData, &out.CertData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.KeyData != nil {
+ in, out := &in.KeyData, &out.KeyData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.CAData != nil {
+ in, out := &in.CAData, &out.CAData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtenderTLSConfig.
+func (in *ExtenderTLSConfig) DeepCopy() *ExtenderTLSConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(ExtenderTLSConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in FailedNodesMap) DeepCopyInto(out *FailedNodesMap) {
 {
diff --git a/pkg/scheduler/api/zz_generated.deepcopy.go b/pkg/scheduler/api/zz_generated.deepcopy.go
index 418c78cd1e..30c1013515 100644
--- a/pkg/scheduler/api/zz_generated.deepcopy.go
+++ b/pkg/scheduler/api/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ package api
 import (
 v1 "k8s.io/api/core/v1"
 runtime "k8s.io/apimachinery/pkg/runtime"
- rest "k8s.io/client-go/rest"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -98,7 +97,7 @@ func (in *ExtenderConfig) DeepCopyInto(out *ExtenderConfig) {
 *out = *in
 if in.TLSConfig != nil {
 in, out := &in.TLSConfig, &out.TLSConfig
- *out = new(rest.TLSClientConfig)
+ *out = new(ExtenderTLSConfig)
 (*in).DeepCopyInto(*out)
 }
 if in.ManagedResources != nil {
@@ -254,6 +253,37 @@ func (in *ExtenderPreemptionResult) DeepCopy() *ExtenderPreemptionResult {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtenderTLSConfig) DeepCopyInto(out *ExtenderTLSConfig) {
+ *out = *in
+ if in.CertData != nil {
+ in, out := &in.CertData, &out.CertData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.KeyData != nil {
+ in, out := &in.KeyData, &out.KeyData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.CAData != nil {
+ in, out := &in.CAData, &out.CAData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtenderTLSConfig.
+func (in *ExtenderTLSConfig) DeepCopy() *ExtenderTLSConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(ExtenderTLSConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in FailedNodesMap) DeepCopyInto(out *FailedNodesMap) {
 {
diff --git a/pkg/scheduler/core/extender.go b/pkg/scheduler/core/extender.go
index 010d48daf2..d3830d047a 100644
--- a/pkg/scheduler/core/extender.go
+++ b/pkg/scheduler/core/extender.go
@@ -55,7 +55,14 @@ type HTTPExtender struct {
 func makeTransport(config *schedulerapi.ExtenderConfig) (http.RoundTripper, error) {
 var cfg restclient.Config
 if config.TLSConfig != nil {
- cfg.TLSClientConfig = *config.TLSConfig
+ cfg.TLSClientConfig.Insecure = config.TLSConfig.Insecure
+ cfg.TLSClientConfig.ServerName = config.TLSConfig.ServerName
+ cfg.TLSClientConfig.CertFile = config.TLSConfig.CertFile
+ cfg.TLSClientConfig.KeyFile = config.TLSConfig.KeyFile
+ cfg.TLSClientConfig.CAFile = config.TLSConfig.CAFile
+ cfg.TLSClientConfig.CertData = config.TLSConfig.CertData
+ cfg.TLSClientConfig.KeyData = config.TLSConfig.KeyData
+ cfg.TLSClientConfig.CAData = config.TLSConfig.CAData
 }
 if config.EnableHTTPS {
 hasCA := len(cfg.CAFile) > 0 || len(cfg.CAData) > 0
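Review bot: The eight assignments into `cfg.TLSClientConfig` are now the only bridge between `schedulerapi.ExtenderTLSConfig` and `restclient.TLSClientConfig`, and a field added to the scheduler type later is silently not forwarded here, with no compile error to point at it; the previous whole-struct assignment could not drift that way. I would put a comment above the block, `// ExtenderTLSConfig mirrors a subset of restclient.TLSClientConfig; keep this field list in sync when either type changes.`, and consider moving the mapping into a small helper that returns a `restclient.TLSClientConfig`, which would also let the mapping be unit-tested without building a transport. makeTransport's body continues past the end of the hunk, so the `hasCA` handling that follows is not visible here.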