mirror of https://github.com/k3s-io/k3s
Merge pull request #2343 from erictune/tokens_need_private_comms
Use https when Insecure is selected.pull/6/head
commit
7df0f6d3bd
|
@ -201,7 +201,7 @@ func main() {
|
|||
// TODO: eventually apiserver should start on 443 and be secure by default
|
||||
clientConfig.Host = "http://localhost:8080"
|
||||
}
|
||||
if client.IsConfigTransportSecure(clientConfig) {
|
||||
if client.IsConfigTransportTLS(clientConfig) {
|
||||
auth, err := kubecfg.LoadAuthInfo(*authConfig, os.Stdin)
|
||||
if err != nil {
|
||||
glog.Fatalf("Error loading auth: %v", err)
|
||||
|
|
|
@ -172,7 +172,7 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
|
|||
// DefaultServerURL converts a host, host:port, or URL string to the default base server API path
|
||||
// to use with a Client at a given API version following the standard conventions for a
|
||||
// Kubernetes API.
|
||||
func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.URL, error) {
|
||||
func DefaultServerURL(host, prefix, version string, defaultTLS bool) (*url.URL, error) {
|
||||
if host == "" {
|
||||
return nil, fmt.Errorf("host must be a URL or a host:port pair")
|
||||
}
|
||||
|
@ -186,7 +186,7 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
|
|||
}
|
||||
if hostURL.Scheme == "" {
|
||||
scheme := "http://"
|
||||
if defaultSecure {
|
||||
if defaultTLS {
|
||||
scheme = "https://"
|
||||
}
|
||||
hostURL, err = url.Parse(scheme + base)
|
||||
|
@ -213,13 +213,13 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
|
|||
return hostURL, nil
|
||||
}
|
||||
|
||||
// IsConfigTransportSecure returns true iff the provided config will result in a protected
|
||||
// IsConfigTransportTLS returns true iff the provided config will result in a protected
|
||||
// connection to the server when it is passed to client.New() or client.RESTClientFor().
|
||||
// Use to determine when to send credentials over the wire.
|
||||
//
|
||||
// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
|
||||
// still possible.
|
||||
func IsConfigTransportSecure(config *Config) bool {
|
||||
func IsConfigTransportTLS(config *Config) bool {
|
||||
baseURL, err := defaultServerUrlFor(config)
|
||||
if err != nil {
|
||||
return false
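Review bot: The retained comment `// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are still possible.` is now wrong: with this commit `defaultServerUrlFor` folds `config.Insecure` into `defaultTLS` (the following hunk), so the flag is no longer ignored — it makes `IsConfigTransportTLS` return true for a scheme-less host. The MITM caveat itself still holds, since Insecure disables certificate verification rather than TLS, and that is exactly what matters for a function documented as the gate for sending credentials. Suggest replacing the two-line note with `// Note: Insecure still counts as TLS here, but it disables certificate verification, so credentials sent on such a connection can still be intercepted.` The function body continues past the end of the hunk.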
|
||||
|
@ -227,16 +227,17 @@ func IsConfigTransportSecure(config *Config) bool {
|
|||
return baseURL.Scheme == "https"
|
||||
}
|
||||
|
||||
// defaultServerUrlFor is shared between IsConfigSecure and RESTClientFor
|
||||
// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor
|
||||
func defaultServerUrlFor(config *Config) (*url.URL, error) {
|
||||
version := defaultVersionFor(config)
|
||||
// TODO: move the default to secure when the apiserver supports TLS by default
|
||||
defaultSecure := config.CertFile != ""
|
||||
// config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
|
||||
defaultTLS := config.CertFile != "" || config.Insecure
|
||||
host := config.Host
|
||||
if host == "" {
|
||||
host = "localhost"
|
||||
}
|
||||
return DefaultServerURL(host, config.Prefix, version, defaultSecure)
|
||||
return DefaultServerURL(host, config.Prefix, version, defaultTLS)
|
||||
}
|
||||
|
||||
// defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
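Review bot: The new comment `// config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."` overstates what the flag does here: `defaultTLS` only chooses the default scheme, and the `@ -186` hunk shows `DefaultServerURL` leaves an existing scheme untouched, so `Insecure: true` with `Host: "http://..."` still yields plain HTTP and `IsConfigTransportTLS` returns false (assuming the unseen part of `DefaultServerURL` does not rewrite the scheme). Because callers use that result to decide whether to send credentials, the comment should describe the flag as a default rather than a guarantee, e.g. `// config.Insecure means "default to HTTPS, but don't verify the server cert against a CA"; an explicit http:// Host is left as-is.`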
|
||||
|
|
|
@ -47,40 +47,47 @@ func TestTransportFor(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestIsConfigTransportSecure(t *testing.T) {
|
||||
func TestIsConfigTransportTLS(t *testing.T) {
|
||||
testCases := []struct {
|
||||
Config *Config
|
||||
Secure bool
|
||||
Config *Config
|
||||
TransportTLS bool
|
||||
}{
|
||||
{
|
||||
Config: &Config{},
|
||||
Secure: false,
|
||||
Config: &Config{},
|
||||
TransportTLS: false,
|
||||
},
|
||||
{
|
||||
Config: &Config{
|
||||
Host: "https://localhost",
|
||||
},
|
||||
Secure: true,
|
||||
TransportTLS: true,
|
||||
},
|
||||
{
|
||||
Config: &Config{
|
||||
Host: "localhost",
|
||||
CertFile: "foo",
|
||||
},
|
||||
Secure: true,
|
||||
TransportTLS: true,
|
||||
},
|
||||
{
|
||||
Config: &Config{
|
||||
Host: "///:://localhost",
|
||||
CertFile: "foo",
|
||||
},
|
||||
Secure: false,
|
||||
TransportTLS: false,
|
||||
},
|
||||
{
|
||||
Config: &Config{
|
||||
Host: "1.2.3.4:567",
|
||||
Insecure: true,
|
||||
},
|
||||
TransportTLS: true,
|
||||
},
|
||||
}
|
||||
for _, testCase := range testCases {
|
||||
secure := IsConfigTransportSecure(testCase.Config)
|
||||
if testCase.Secure != secure {
|
||||
t.Errorf("expected %v for %#v", testCase.Secure, testCase.Config)
|
||||
useTLS := IsConfigTransportTLS(testCase.Config)
|
||||
if testCase.TransportTLS != useTLS {
|
||||
t.Errorf("expected %v for %#v", testCase.TransportTLS, testCase.Config)
|
||||
}
|
||||
}
|
||||
}
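Review bot: The added case only pins `Insecure` with a scheme-less `host:port`; the cases that would catch a regression in how the new `|| config.Insecure` term interacts with the host scheme are missing. Worth adding one with an explicit `http://` host plus `Insecure: true`, which should stay false if `DefaultServerURL` preserves an explicit scheme as the `@ -186` hunk suggests, and one with both `CertFile` and `Insecure` set, which should be true.
```go
		// … unchanged: existing cases …
		{
			Config: &Config{
				Host:     "http://localhost",
				Insecure: true,
			},
			TransportTLS: false,
		},
		{
			Config: &Config{
				Host:     "localhost",
				CertFile: "foo",
				Insecure: true,
			},
			TransportTLS: true,
		},
	}
	// … unchanged: loop over testCases …
```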
|
||||
|
|
|
@ -170,7 +170,7 @@ func GetKubeConfig(cmd *cobra.Command) *client.Config {
|
|||
}
|
||||
config.Host = host
|
||||
|
||||
if client.IsConfigTransportSecure(config) {
|
||||
if client.IsConfigTransportTLS(config) {
|
||||
// Get the values from the file on disk (or from the user at the
|
||||
// command line). Override them with the command line parameters, if
|
||||
// provided.
|
||||
|
|