diff --git a/cmd/cloud-controller-manager/app/controllermanager.go b/cmd/cloud-controller-manager/app/controllermanager.go
index 3ffefbad47..879035c175 100644
--- a/cmd/cloud-controller-manager/app/controllermanager.go
+++ b/cmd/cloud-controller-manager/app/controllermanager.go
@@ -115,6 +115,11 @@ func Run(c *cloudcontrollerconfig.CompletedConfig) error {
 
 	// Start the controller manager HTTP server
 	stopCh := make(chan struct{})
+	if c.Generic.SecureServing != nil {
+		if err := genericcontrollermanager.Serve(&c.Generic, c.Generic.SecureServing.Serve, stopCh); err != nil {
+			return err
+		}
+	}
 	if c.Generic.InsecureServing != nil {
 		if err := genericcontrollermanager.Serve(&c.Generic, c.Generic.InsecureServing.Serve, stopCh); err != nil {
 			return err
diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index e783e06ccb..530137ff6c 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@@ -54,6 +54,9 @@ func NewCloudControllerManagerOptions() *CloudControllerManagerOptions {
 	}
 	s.Generic.ComponentConfig.LeaderElection.LeaderElect = true
 
+	s.Generic.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
+	s.Generic.SecureServing.ServerCert.PairName = "cloud-controller-manager"
+
 	return &s
 }
 
diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go
index bc5844fb60..6a199c01a2 100644
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@@ -26,6 +26,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
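Review bot: The secure listener is started with whatever handler genericcontrollermanager.Serve builds, and nothing in this change adds authentication or authorization options next to SecureServing, so once `--secure-port` is non-zero the HTTPS endpoint answers any client that completes a TLS handshake — TLS here protects the transport, not access to the endpoint (the handler is built outside this hunk, so confirm what it exposes). The same applies to the kube-controller-manager Run hunk in cmd/kube-controller-manager/app/controllermanager.go. A comment on the new block would keep this from being read as an authenticated endpoint, e.g. `// Secure serving only terminates TLS; no request authn/authz is configured yet.` Run's body continues outside the hunk.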
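Review bot: The two assignments fix the serving-cert location for this binary without saying why they live here rather than in NewGenericControllerManagerOptions, and the kube-controller-manager options hunk repeats the same directory with a different pair name, so the intent (shared directory, per-binary key pair) is only visible when reading both files. A short comment would carry it, e.g. `// Serving cert defaults: the directory is shared with kube-controller-manager; the pair name keeps the two key pairs apart.` Whether a self-signed pair is generated there when no cert files are given is decided by the apiserver options package, outside this diff, so confirm before documenting it as such.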
@@ -63,6 +64,9 @@ func TestAddFlags(t *testing.T) {
 		"--route-reconciliation-period=30s",
 		"--min-resync-period=100m",
 		"--use-service-account-credentials=false",
+		"--cert-dir=/a/b/c",
+		"--bind-address=192.168.4.21",
+		"--secure-port=10001",
 	}
 
 	f.Parse(args)
@@ -139,6 +143,14 @@ func TestAddFlags(t *testing.T) {
 				CIDRAllocatorType: "RangeAllocator",
 				Controllers: []string{"*"},
 			},
+			SecureServing: &apiserveroptions.SecureServingOptions{
+				BindPort: 10001,
+				BindAddress: net.ParseIP("192.168.4.21"),
+				ServerCert: apiserveroptions.GeneratableKeyCert{
+					CertDirectory: "/a/b/c",
+					PairName: "cloud-controller-manager",
+				},
+			},
 			InsecureServing: &cmoptions.InsecureServingOptions{
 				BindAddress: net.ParseIP("192.168.4.10"),
 				BindPort: int(10000),
diff --git a/cmd/controller-manager/app/config.go b/cmd/controller-manager/app/config.go
index d97adc127a..b62550e390 100644
--- a/cmd/controller-manager/app/config.go
+++ b/cmd/controller-manager/app/config.go
@@ -17,6 +17,7 @@ limitations under the License.
 package app
 
 import (
+	apiserver "k8s.io/apiserver/pkg/server"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
@@ -28,6 +29,8 @@ type Config struct {
 	// TODO: split up the component config. This is not generic.
 	ComponentConfig componentconfig.KubeControllerManagerConfiguration
+	SecureServing *apiserver.SecureServingInfo
+
 	// TODO: remove deprecated insecure serving
 	InsecureServing *InsecureServingInfo
 
 	// the general kube client
diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
index 5d1834c106..82393c7ba6 100644
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
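Review bot: SecureServing is added to Config without a comment, yet its nil-ness is exactly what the Run hunks key on (`if c.Generic.SecureServing != nil`), so the field should say when it is nil. Suggested: `// SecureServing is nil when secure serving is disabled; Run starts the HTTPS listener only when it is set.` Whether a zero secure port leaves the pointer nil is decided by SecureServingOptions.ApplyTo in the apiserver package, which is not in this diff, so confirm that before documenting it as a guarantee. The Config struct continues past the hunk.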
@@ -26,6 +26,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/client-go/kubernetes"
 	clientset "k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -44,9 +45,12 @@ type GenericControllerManagerOptions struct {
 	// TODO: turn ComponentConfig into modular option structs. This is not generic.
 	ComponentConfig componentconfig.KubeControllerManagerConfiguration
+	SecureServing *apiserveroptions.SecureServingOptions
+
 	// TODO: remove insecure serving mode
 	InsecureServing *InsecureServingOptions
-	Master string
-	Kubeconfig string
+
+	Master string
+	Kubeconfig string
 }
 
 const (
@@ -65,6 +69,7 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeControllerManagerConfiguration) GenericControllerManagerOptions {
 
 	o := GenericControllerManagerOptions{
 		ComponentConfig: componentConfig,
+		SecureServing: apiserveroptions.NewSecureServingOptions(),
 		InsecureServing: &InsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.Address),
 			BindPort: int(componentConfig.Port),
@@ -72,6 +77,10 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
 		},
 	}
 
+	// disable secure serving for now
+	// TODO: enable HTTPS by default
+	o.SecureServing.BindPort = 0
+
 	return o
 }
 
@@ -163,6 +172,7 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.Int32Var(&o.ComponentConfig.KubeAPIBurst, "kube-api-burst", o.ComponentConfig.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver.")
 	fs.DurationVar(&o.ComponentConfig.ControllerStartInterval.Duration, "controller-start-interval", o.ComponentConfig.ControllerStartInterval.Duration, "Interval between starting controller managers.")
 
+	o.SecureServing.AddFlags(fs)
 	o.InsecureServing.AddFlags(fs)
 	o.InsecureServing.AddDeprecatedFlags(fs)
 }
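Review bot: Setting BindPort to 0 turns the secure listener off by default, but the insecure listener populated from componentConfig.Port in the previous hunk stays on regardless, and passing `--secure-port` does not switch it off, so an operator enabling HTTPS still has an unauthenticated HTTP endpoint unless the insecure port is also set to 0. The TODO should spell that out so nobody reads "enable HTTPS by default" as "HTTPS replaces HTTP": `// TODO: enable HTTPS by default and disable the insecure port; until then --secure-port and the insecure port are independent and both listeners may run.` The preceding hunk's comment about the dropped upstream default is fine as is; this hunk is the one that silently overrides it.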
@@ -171,6 +181,9 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 
 func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Config, userAgent string) error {
 	c.ComponentConfig = o.ComponentConfig
+	if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+		return err
+	}
 	if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
 		return err
 	}
@@ -199,6 +212,7 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
 // Validate checks GenericControllerManagerOptions and return a slice of found errors.
 func (o *GenericControllerManagerOptions) Validate() []error {
 	errors := []error{}
+	errors = append(errors, o.SecureServing.Validate()...)
 	errors = append(errors, o.InsecureServing.Validate()...)
 
 	// TODO: validate component config, master and kubeconfig
diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index 5b321c422f..5bc5260f0c 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -123,6 +123,11 @@ func Run(c *config.CompletedConfig) error {
 
 	// Start the controller manager HTTP server
 	stopCh := make(chan struct{})
+	if c.Generic.SecureServing != nil {
+		if err := genericcontrollerconfig.Serve(&c.Generic, c.Generic.SecureServing.Serve, stopCh); err != nil {
+			return err
+		}
+	}
 	if c.Generic.InsecureServing != nil {
 		if err := genericcontrollerconfig.Serve(&c.Generic, c.Generic.InsecureServing.Serve, stopCh); err != nil {
 			return err
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index 572e60c55d..f9adc670c6 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
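Review bot: Validate now collects the secure-serving errors, but nothing checks the two listeners against each other: a non-zero `--secure-port` equal to the insecure port is accepted here and only surfaces when the second Serve call in Run fails to bind. A cross-check belongs next to the appended errors, e.g. `if o.SecureServing != nil && o.InsecureServing != nil && o.SecureServing.BindPort != 0 && o.SecureServing.BindPort == o.InsecureServing.BindPort {`, `errors = append(errors, fmt.Errorf("--secure-port and the insecure port must differ"))`, `}`. Whether fmt is already imported in this file, and whether the two bind addresses may legitimately differ so that equal ports are acceptable, is outside the hunk; Validate's body also continues past it.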
@@ -52,6 +52,9 @@ func NewKubeControllerManagerOptions() *KubeControllerManagerOptions {
 		Generic: cmoptions.NewGenericControllerManagerOptions(componentConfig),
 	}
 
+	s.Generic.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
+	s.Generic.SecureServing.ServerCert.PairName = "kube-controller-manager"
+
 	gcIgnoredResources := make([]componentconfig.GroupResource, 0, len(garbagecollector.DefaultIgnoredResources()))
 	for r := range garbagecollector.DefaultIgnoredResources() {
 		gcIgnoredResources = append(gcIgnoredResources, componentconfig.GroupResource{Group: r.Group, Resource: r.Resource})
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index e7c246bdbf..997b25646d 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -27,6 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -104,6 +105,9 @@ func TestAddFlags(t *testing.T) {
 		"--terminated-pod-gc-threshold=12000",
 		"--unhealthy-zone-threshold=0.6",
 		"--use-service-account-credentials=true",
+		"--cert-dir=/a/b/c",
+		"--bind-address=192.168.4.21",
+		"--secure-port=10001",
 	}
 	f.Parse(args)
 	// Sort GCIgnoredResources because it's built from a map, which means the
@@ -205,6 +209,14 @@ func TestAddFlags(t *testing.T) {
 				HorizontalPodAutoscalerUseRESTClients: true,
 				UseServiceAccountCredentials: true,
 			},
+			SecureServing: &apiserveroptions.SecureServingOptions{
+				BindPort: 10001,
+				BindAddress: net.ParseIP("192.168.4.21"),
+				ServerCert: apiserveroptions.GeneratableKeyCert{
+					CertDirectory: "/a/b/c",
+					PairName: "kube-controller-manager",
+				},
+			},
 			InsecureServing: &cmoptions.InsecureServingOptions{
 				BindAddress: net.ParseIP("192.168.4.10"),
 				BindPort: int(10000),
diff --git a/pkg/master/ports/ports.go b/pkg/master/ports/ports.go
index fae2d6225d..d4a42f603b 100644
--- a/pkg/master/ports/ports.go
+++ b/pkg/master/ports/ports.go
@@ -28,7 +28,7 @@ const (
 	SchedulerPort = 10251
 	// InsecureKubeControllerManagerPort is the default port for the controller manager status server.
 	// May be overridden by a flag at startup.
-	InsecureControllerManagerPort = 10252
+	InsecureKubeControllerManagerPort = 10252
 	// InsecureCloudControllerManagerPort is the default port for the cloud controller manager server.
 	// This value may be overridden by a flag at startup.
 	InsecureCloudControllerManagerPort = 10253