controller-manager: add SecureServingOptions

2018-02-08 19:28:31 +01:00 · 2018-02-08 19:28:31 +01:00 · f4564ea0b8
parent 4e0114b0dd
commit f4564ea0b8
9 changed files with 60 additions and 3 deletions
--- a/cmd/cloud-controller-manager/app/controllermanager.go
+++ b/cmd/cloud-controller-manager/app/controllermanager.go
@ -115,6 +115,11 @@ func Run(c *cloudcontrollerconfig.CompletedConfig) error {

 	// Start the controller manager HTTP server
 	stopCh := make(chan struct{})
+	if c.Generic.SecureServing != nil {
+		if err := genericcontrollermanager.Serve(&c.Generic, c.Generic.SecureServing.Serve, stopCh); err != nil {
+			return err
+		}
+	}
 	if c.Generic.InsecureServing != nil {
 		if err := genericcontrollermanager.Serve(&c.Generic, c.Generic.InsecureServing.Serve, stopCh); err != nil {
 			return err
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@ -54,6 +54,9 @@ func NewCloudControllerManagerOptions() *CloudControllerManagerOptions {
 	}
 	s.Generic.ComponentConfig.LeaderElection.LeaderElect = true

+	s.Generic.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
+	s.Generic.SecureServing.ServerCert.PairName = "cloud-controller-manager"
+
 	return &s
 }

--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@ -26,6 +26,7 @@ import (

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@ -63,6 +64,9 @@ func TestAddFlags(t *testing.T) {
 		"--route-reconciliation-period=30s",
 		"--min-resync-period=100m",
 		"--use-service-account-credentials=false",
+		"--cert-dir=/a/b/c",
+		"--bind-address=192.168.4.21",
+		"--secure-port=10001",
 	}
 	f.Parse(args)

@ -139,6 +143,14 @@ func TestAddFlags(t *testing.T) {
 				CIDRAllocatorType:         "RangeAllocator",
 				Controllers:               []string{"*"},
 			},
+			SecureServing: &apiserveroptions.SecureServingOptions{
+				BindPort:    10001,
+				BindAddress: net.ParseIP("192.168.4.21"),
+				ServerCert: apiserveroptions.GeneratableKeyCert{
+					CertDirectory: "/a/b/c",
+					PairName:      "cloud-controller-manager",
+				},
+			},
 			InsecureServing: &cmoptions.InsecureServingOptions{
 				BindAddress: net.ParseIP("192.168.4.10"),
 				BindPort:    int(10000),
--- a/cmd/controller-manager/app/config.go
+++ b/cmd/controller-manager/app/config.go
@ -17,6 +17,7 @@ limitations under the License.
 package app

 import (
+	apiserver "k8s.io/apiserver/pkg/server"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
@ -28,6 +29,8 @@ type Config struct {
 	// TODO: split up the component config. This is not generic.
 	ComponentConfig componentconfig.KubeControllerManagerConfiguration

+	SecureServing *apiserver.SecureServingInfo
+	// TODO: remove deprecated insecure serving
 	InsecureServing *InsecureServingInfo

 	// the general kube client
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@ -26,6 +26,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/client-go/kubernetes"
 	clientset "k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
@ -44,9 +45,12 @@ type GenericControllerManagerOptions struct {
 	// TODO: turn ComponentConfig into modular option structs. This is not generic.
 	ComponentConfig componentconfig.KubeControllerManagerConfiguration

+	SecureServing *apiserveroptions.SecureServingOptions
+	// TODO: remove insecure serving mode
 	InsecureServing *InsecureServingOptions
-	Master          string
-	Kubeconfig      string
+
+	Master     string
+	Kubeconfig string
 }

 const (
@ -65,6 +69,7 @@ const (
 func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeControllerManagerConfiguration) GenericControllerManagerOptions {
 	o := GenericControllerManagerOptions{
 		ComponentConfig: componentConfig,
+		SecureServing:   apiserveroptions.NewSecureServingOptions(),
 		InsecureServing: &InsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.Address),
 			BindPort:    int(componentConfig.Port),
@ -72,6 +77,10 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
 		},
 	}

+	// disable secure serving for now
+	// TODO: enable HTTPS by default
+	o.SecureServing.BindPort = 0
+
 	return o
 }

@ -163,6 +172,7 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.Int32Var(&o.ComponentConfig.KubeAPIBurst, "kube-api-burst", o.ComponentConfig.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver.")
 	fs.DurationVar(&o.ComponentConfig.ControllerStartInterval.Duration, "controller-start-interval", o.ComponentConfig.ControllerStartInterval.Duration, "Interval between starting controller managers.")

+	o.SecureServing.AddFlags(fs)
 	o.InsecureServing.AddFlags(fs)
 	o.InsecureServing.AddDeprecatedFlags(fs)
 }
@ -171,6 +181,9 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Config, userAgent string) error {
 	c.ComponentConfig = o.ComponentConfig

+	if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+		return err
+	}
 	if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
 		return err
 	}
@ -199,6 +212,7 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
 // Validate checks GenericControllerManagerOptions and return a slice of found errors.
 func (o *GenericControllerManagerOptions) Validate() []error {
 	errors := []error{}
+	errors = append(errors, o.SecureServing.Validate()...)
 	errors = append(errors, o.InsecureServing.Validate()...)

 	// TODO: validate component config, master and kubeconfig
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@ -123,6 +123,11 @@ func Run(c *config.CompletedConfig) error {

 	// Start the controller manager HTTP server
 	stopCh := make(chan struct{})
+	if c.Generic.SecureServing != nil {
+		if err := genericcontrollerconfig.Serve(&c.Generic, c.Generic.SecureServing.Serve, stopCh); err != nil {
+			return err
+		}
+	}
 	if c.Generic.InsecureServing != nil {
 		if err := genericcontrollerconfig.Serve(&c.Generic, c.Generic.InsecureServing.Serve, stopCh); err != nil {
 			return err
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@ -52,6 +52,9 @@ func NewKubeControllerManagerOptions() *KubeControllerManagerOptions {
 		Generic: cmoptions.NewGenericControllerManagerOptions(componentConfig),
 	}

+	s.Generic.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
+	s.Generic.SecureServing.ServerCert.PairName = "kube-controller-manager"
+
 	gcIgnoredResources := make([]componentconfig.GroupResource, 0, len(garbagecollector.DefaultIgnoredResources()))
 	for r := range garbagecollector.DefaultIgnoredResources() {
 		gcIgnoredResources = append(gcIgnoredResources, componentconfig.GroupResource{Group: r.Group, Resource: r.Resource})
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@ -27,6 +27,7 @@ import (

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@ -104,6 +105,9 @@ func TestAddFlags(t *testing.T) {
 		"--terminated-pod-gc-threshold=12000",
 		"--unhealthy-zone-threshold=0.6",
 		"--use-service-account-credentials=true",
+		"--cert-dir=/a/b/c",
+		"--bind-address=192.168.4.21",
+		"--secure-port=10001",
 	}
 	f.Parse(args)
 	// Sort GCIgnoredResources because it's built from a map, which means the
@ -205,6 +209,14 @@ func TestAddFlags(t *testing.T) {
 				HorizontalPodAutoscalerUseRESTClients: true,
 				UseServiceAccountCredentials:          true,
 			},
+			SecureServing: &apiserveroptions.SecureServingOptions{
+				BindPort:    10001,
+				BindAddress: net.ParseIP("192.168.4.21"),
+				ServerCert: apiserveroptions.GeneratableKeyCert{
+					CertDirectory: "/a/b/c",
+					PairName:      "kube-controller-manager",
+				},
+			},
 			InsecureServing: &cmoptions.InsecureServingOptions{
 				BindAddress: net.ParseIP("192.168.4.10"),
 				BindPort:    int(10000),
--- a/pkg/master/ports/ports.go
+++ b/pkg/master/ports/ports.go
@ -28,7 +28,7 @@ const (
 	SchedulerPort = 10251
 	// InsecureKubeControllerManagerPort is the default port for the controller manager status server.
 	// May be overridden by a flag at startup.
-	InsecureControllerManagerPort = 10252
+	InsecureKubeControllerManagerPort = 10252
 	// InsecureCloudControllerManagerPort is the default port for the cloud controller manager server.
 	// This value may be overridden by a flag at startup.
 	InsecureCloudControllerManagerPort = 10253