move client-ca to authentication args

pull/6/head
deads2k 2016-12-05 13:26:38 -05:00
parent 2c63b6f5ca
commit 4f625db133
5 changed files with 36 additions and 14 deletions


@ -219,7 +219,7 @@ func Run(s *options.ServerRunOptions) error {
} }
} }
authenticatorConfig := s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA) authenticatorConfig := s.Authentication.ToAuthenticationConfig()
if s.Authentication.ServiceAccounts.Lookup { if s.Authentication.ServiceAccounts.Lookup {
// If we need to look up service accounts and tokens, // If we need to look up service accounts and tokens,
// go directly to etcd to avoid recursive auth insanity // go directly to etcd to avoid recursive auth insanity
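Review bot: The call at the `authenticatorConfig := s.Authentication.ToAuthenticationConfig()` line now depends on `s.Authentication.ClientCert` having been populated (via `WithClientCert()` or `WithAll()`), and when it is nil the resulting `ClientCAFile` is simply empty, so client-certificate authentication is silently disabled rather than rejected at startup; the same applies to the `authenticator.New(s.Authentication.ToAuthenticationConfig())` call site in the second file. Since the previous code always forwarded the serving `ClientCA`, it would be worth a startup check or at least a comment here, e.g. `// client CA now comes from --client-ca-file on the authentication options; requires WithClientCert()/WithAll()`. Whether every server that reaches this code is built with `WithAll()` cannot be confirmed from the hunk. The enclosing `Run` function starts and ends outside the hunk.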


@ -126,7 +126,7 @@ func Run(s *options.ServerRunOptions) error {
storageFactory.SetEtcdLocation(groupResource, servers) storageFactory.SetEtcdLocation(groupResource, servers)
} }
apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA)) apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig())
if err != nil { if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err) glog.Fatalf("Invalid Authentication Config: %v", err)
} }


@ -232,7 +232,6 @@ func (c *Config) ApplySecureServingOptions(secureServing *options.SecureServingO
ServingInfo: ServingInfo{ ServingInfo: ServingInfo{
BindAddress: net.JoinHostPort(secureServing.ServingOptions.BindAddress.String(), strconv.Itoa(secureServing.ServingOptions.BindPort)), BindAddress: net.JoinHostPort(secureServing.ServingOptions.BindAddress.String(), strconv.Itoa(secureServing.ServingOptions.BindPort)),
}, },
ClientCA: secureServing.ClientCA,
} }
serverCertFile, serverKeyFile := secureServing.ServerCert.CertKey.CertFile, secureServing.ServerCert.CertKey.KeyFile serverCertFile, serverKeyFile := secureServing.ServerCert.CertKey.CertFile, secureServing.ServerCert.CertKey.KeyFile
@ -305,6 +304,10 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
return c return c
} }
if o.ClientCert != nil && c.SecureServingInfo != nil {
c.SecureServingInfo.ClientCA = o.ClientCert.ClientCA
}
c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0 c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
return c return c
} }
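Review bot: The new `if o.ClientCert != nil && c.SecureServingInfo != nil` block in `ApplyAuthenticationOptions` introduces an ordering dependency that the code does not document: the client CA only reaches `SecureServingInfo` if `ApplySecureServingOptions` has already run, and otherwise the `c.SecureServingInfo != nil` guard silently drops it, so the server would serve TLS without requesting or verifying client certificates while the flag appears to be honoured. A comment on the block makes the contract visible, e.g. `// Must be applied after ApplySecureServingOptions; the client CA is copied onto SecureServingInfo and is silently skipped when that is still nil.` Whether the existing callers already apply the options in that order cannot be confirmed from this hunk. Both `ApplySecureServingOptions` and `ApplyAuthenticationOptions` start outside their hunks.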


@ -29,6 +29,7 @@ import (
type BuiltInAuthenticationOptions struct { type BuiltInAuthenticationOptions struct {
Anonymous *AnonymousAuthenticationOptions Anonymous *AnonymousAuthenticationOptions
AnyToken *AnyTokenAuthenticationOptions AnyToken *AnyTokenAuthenticationOptions
ClientCert *ClientCertAuthenticationOptions
Keystone *KeystoneAuthenticationOptions Keystone *KeystoneAuthenticationOptions
OIDC *OIDCAuthenticationOptions OIDC *OIDCAuthenticationOptions
PasswordFile *PasswordFileAuthenticationOptions PasswordFile *PasswordFileAuthenticationOptions
@ -85,6 +86,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
return s. return s.
WithAnyonymous(). WithAnyonymous().
WithAnyToken(). WithAnyToken().
WithClientCert().
WithKeystone(). WithKeystone().
WithOIDC(). WithOIDC().
WithPasswordFile(). WithPasswordFile().
@ -104,6 +106,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
return s return s
} }
func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
s.ClientCert = &ClientCertAuthenticationOptions{}
return s
}
func (s *BuiltInAuthenticationOptions) WithKeystone() *BuiltInAuthenticationOptions { func (s *BuiltInAuthenticationOptions) WithKeystone() *BuiltInAuthenticationOptions {
s.Keystone = &KeystoneAuthenticationOptions{} s.Keystone = &KeystoneAuthenticationOptions{}
return s return s
@ -161,6 +168,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
} }
if s.ClientCert != nil {
s.ClientCert.AddFlags(fs)
}
if s.Keystone != nil { if s.Keystone != nil {
fs.StringVar(&s.Keystone.URL, "experimental-keystone-url", s.Keystone.URL, fs.StringVar(&s.Keystone.URL, "experimental-keystone-url", s.Keystone.URL,
"If passed, activates the keystone authentication plugin.") "If passed, activates the keystone authentication plugin.")
@ -229,10 +240,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
} }
} }
func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile string) authenticator.AuthenticatorConfig { func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
ret := authenticator.AuthenticatorConfig{ ret := authenticator.AuthenticatorConfig{}
ClientCAFile: clientCAFile,
}
if s.Anonymous != nil { if s.Anonymous != nil {
ret.Anonymous = s.Anonymous.Allow ret.Anonymous = s.Anonymous.Allow
} }
@ -241,6 +251,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
ret.AnyToken = s.AnyToken.Allow ret.AnyToken = s.AnyToken.Allow
} }
if s.ClientCert != nil {
ret.ClientCAFile = s.ClientCert.ClientCA
}
if s.Keystone != nil { if s.Keystone != nil {
ret.KeystoneURL = s.Keystone.URL ret.KeystoneURL = s.Keystone.URL
ret.KeystoneCAFile = s.Keystone.CAFile ret.KeystoneCAFile = s.Keystone.CAFile
@ -323,6 +337,18 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig
} }
} }
type ClientCertAuthenticationOptions struct {
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA string
}
func (s *ClientCertAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.ClientCA, "client-ca-file", s.ClientCA, ""+
"If set, any request presenting a client certificate signed by one of "+
"the authorities in the client-ca-file is authenticated with an identity "+
"corresponding to the CommonName of the client certificate.")
}
// DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to // DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
// the root kube API server // the root kube API server
type DelegatingAuthenticationOptions struct { type DelegatingAuthenticationOptions struct {
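Review bot: The exported `ClientCertAuthenticationOptions` type and its `AddFlags` method are added without doc comments, while neighbouring types such as `DelegatingAuthenticationOptions` carry them; suggested wording is `// ClientCertAuthenticationOptions holds the CA bundle used to authenticate requests that present a client certificate.` and `// AddFlags registers the --client-ca-file flag for the client CA bundle.` Since the `--client-ca-file` flag is removed from `SecureServingOptions.AddFlags` in the last file and is now registered only inside the `if s.ClientCert != nil` branch of `BuiltInAuthenticationOptions.AddFlags`, any server that does not call `WithClientCert()` or `WithAll()` loses the flag entirely, which is worth stating in the type's comment so composers of the options notice it. In `ToAuthenticationConfig`, `ret.ClientCAFile` is likewise left empty when `s.ClientCert` is nil, a silent no-CA outcome that the previous signature made impossible.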


@ -41,8 +41,6 @@ type SecureServingOptions struct {
ServerCert GeneratableKeyCert ServerCert GeneratableKeyCert
// SNICertKeys are named CertKeys for serving secure traffic with SNI support. // SNICertKeys are named CertKeys for serving secure traffic with SNI support.
SNICertKeys []config.NamedCertKey SNICertKeys []config.NamedCertKey
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
ClientCA string
} }
type CertKey struct { type CertKey struct {
@ -124,11 +122,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"trump over extracted names. For multiple key/certificate pairs, use the "+ "trump over extracted names. For multiple key/certificate pairs, use the "+
"--tls-sni-cert-key multiple times. "+ "--tls-sni-cert-key multiple times. "+
"Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".") "Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".")
fs.StringVar(&s.ClientCA, "client-ca-file", s.ClientCA, ""+
"If set, any request presenting a client certificate signed by one of "+
"the authorities in the client-ca-file is authenticated with an identity "+
"corresponding to the CommonName of the client certificate.")
} }
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {