mirror of https://github.com/k3s-io/k3s
381 lines
12 KiB
Go
381 lines
12 KiB
Go
/*
|
|
Copyright 2014 Google Inc. All rights reserved.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package client
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"reflect"
|
|
gruntime "runtime"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/latest"
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
|
|
"github.com/GoogleCloudPlatform/kubernetes/pkg/version"
|
|
)
|
|
|
|
// Config holds the common attributes that can be passed to a Kubernetes client on
|
|
// initialization.
|
|
type Config struct {
|
|
// Host must be a host string, a host:port pair, or a URL to the base of the API.
|
|
Host string
|
|
// Prefix is the sub path of the server. If not specified, the client will set
|
|
// a default value. Use "/" to indicate the server root should be used
|
|
Prefix string
|
|
// Version is the API version to talk to. Must be provided when initializing
|
|
// a RESTClient directly. When initializing a Client, will be set with the default
|
|
// code version.
|
|
Version string
|
|
// LegacyBehavior defines whether the RESTClient should follow conventions that
|
|
// existed prior to v1beta3 in Kubernetes - namely, namespace (if specified)
|
|
// not being part of the path, and resource names allowing mixed case. Set to
|
|
// true when using Kubernetes v1beta1 or v1beta2.
|
|
LegacyBehavior bool
|
|
// Codec specifies the encoding and decoding behavior for runtime.Objects passed
|
|
// to a RESTClient or Client. Required when initializing a RESTClient, optional
|
|
// when initializing a Client.
|
|
Codec runtime.Codec
|
|
|
|
// Server requires Basic authentication
|
|
Username string
|
|
Password string
|
|
|
|
// Server requires Bearer authentication. This client will not attempt to use
|
|
// refresh tokens for an OAuth2 flow.
|
|
// TODO: demonstrate an OAuth2 compatible client.
|
|
BearerToken string
|
|
|
|
// TLSClientConfig contains settings to enable transport layer security
|
|
TLSClientConfig
|
|
|
|
// Server should be accessed without verifying the TLS
|
|
// certificate. For testing only.
|
|
Insecure bool
|
|
|
|
// UserAgent is an optional field that specifies the caller of this request.
|
|
UserAgent string
|
|
|
|
// Transport may be used for custom HTTP behavior. This attribute may not
|
|
// be specified with the TLS client certificate options.
|
|
Transport http.RoundTripper
|
|
}
|
|
|
|
type KubeletConfig struct {
|
|
// ToDo: Add support for different kubelet instances exposing different ports
|
|
Port uint
|
|
EnableHttps bool
|
|
|
|
// TLSClientConfig contains settings to enable transport layer security
|
|
TLSClientConfig
|
|
|
|
// HTTPTimeout is used by the client to timeout http requests to Kubelet.
|
|
HTTPTimeout time.Duration
|
|
}
|
|
|
|
// TLSClientConfig contains settings to enable transport layer security
|
|
type TLSClientConfig struct {
|
|
// Server requires TLS client certificate authentication
|
|
CertFile string
|
|
// Server requires TLS client certificate authentication
|
|
KeyFile string
|
|
// Trusted root certificates for server
|
|
CAFile string
|
|
|
|
// CertData holds PEM-encoded bytes (typically read from a client certificate file).
|
|
// CertData takes precedence over CertFile
|
|
CertData []byte
|
|
// KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
|
|
// KeyData takes precedence over KeyFile
|
|
KeyData []byte
|
|
// CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
|
|
// CAData takes precedence over CAFile
|
|
CAData []byte
|
|
}
|
|
|
|
// New creates a Kubernetes client for the given config. This client works with pods,
|
|
// replication controllers and services. It allows operations such as list, get, update
|
|
// and delete on these objects. An error is returned if the provided configuration
|
|
// is not valid.
|
|
func New(c *Config) (*Client, error) {
|
|
config := *c
|
|
if err := SetKubernetesDefaults(&config); err != nil {
|
|
return nil, err
|
|
}
|
|
client, err := RESTClientFor(&config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Client{client}, nil
|
|
}
|
|
|
|
func MatchesServerVersion(c *Config) error {
|
|
client, err := New(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
clientVersion := version.Get()
|
|
serverVersion, err := client.ServerVersion()
|
|
if err != nil {
|
|
return fmt.Errorf("couldn't read version from server: %v\n", err)
|
|
}
|
|
if s := *serverVersion; !reflect.DeepEqual(clientVersion, s) {
|
|
return fmt.Errorf("server version (%#v) differs from client version (%#v)!\n", s, clientVersion)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// NewOrDie creates a Kubernetes client and panics if the provided API version is not recognized.
|
|
func NewOrDie(c *Config) *Client {
|
|
client, err := New(c)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return client
|
|
}
|
|
|
|
// SetKubernetesDefaults sets default values on the provided client config for accessing the
|
|
// Kubernetes API or returns an error if any of the defaults are impossible or invalid.
|
|
func SetKubernetesDefaults(config *Config) error {
|
|
if config.Prefix == "" {
|
|
config.Prefix = "/api"
|
|
}
|
|
if len(config.UserAgent) == 0 {
|
|
config.UserAgent = DefaultKubernetesUserAgent()
|
|
}
|
|
if len(config.Version) == 0 {
|
|
config.Version = defaultVersionFor(config)
|
|
}
|
|
version := config.Version
|
|
versionInterfaces, err := latest.InterfacesFor(version)
|
|
if err != nil {
|
|
return fmt.Errorf("API version '%s' is not recognized (valid values: %s)", version, strings.Join(latest.Versions, ", "))
|
|
}
|
|
if config.Codec == nil {
|
|
config.Codec = versionInterfaces.Codec
|
|
}
|
|
config.LegacyBehavior = (version == "v1beta1" || version == "v1beta2")
|
|
return nil
|
|
}
|
|
|
|
// RESTClientFor returns a RESTClient that satisfies the requested attributes on a client Config
|
|
// object. Note that a RESTClient may require fields that are optional when initializing a Client.
|
|
// A RESTClient created by this method is generic - it expects to operate on an API that follows
|
|
// the Kubernetes conventions, but may not be the Kubernetes API.
|
|
func RESTClientFor(config *Config) (*RESTClient, error) {
|
|
if len(config.Version) == 0 {
|
|
return nil, fmt.Errorf("version is required when initializing a RESTClient")
|
|
}
|
|
if config.Codec == nil {
|
|
return nil, fmt.Errorf("Codec is required when initializing a RESTClient")
|
|
}
|
|
|
|
baseURL, err := defaultServerUrlFor(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
client := NewRESTClient(baseURL, config.Version, config.Codec, config.LegacyBehavior)
|
|
|
|
transport, err := TransportFor(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if transport != http.DefaultTransport {
|
|
client.Client = &http.Client{Transport: transport}
|
|
}
|
|
return client, nil
|
|
}
|
|
|
|
// TransportFor returns an http.RoundTripper that will provide the authentication
|
|
// or transport level security defined by the provided Config. Will return the
|
|
// default http.DefaultTransport if no special case behavior is needed.
|
|
func TransportFor(config *Config) (http.RoundTripper, error) {
|
|
hasCA := len(config.CAFile) > 0 || len(config.CAData) > 0
|
|
hasCert := len(config.CertFile) > 0 || len(config.CertData) > 0
|
|
|
|
// Set transport level security
|
|
if config.Transport != nil && (hasCA || hasCert || config.Insecure) {
|
|
return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
|
|
}
|
|
|
|
tlsConfig, err := TLSConfigFor(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var transport http.RoundTripper
|
|
if config.Transport != nil {
|
|
transport = config.Transport
|
|
} else {
|
|
if tlsConfig != nil {
|
|
transport = &http.Transport{
|
|
TLSClientConfig: tlsConfig,
|
|
Proxy: http.ProxyFromEnvironment,
|
|
Dial: (&net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
}).Dial,
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
}
|
|
} else {
|
|
transport = http.DefaultTransport
|
|
}
|
|
}
|
|
|
|
transport, err = HTTPWrappersForConfig(config, transport)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// TODO: use the config context to wrap a transport
|
|
|
|
return transport, nil
|
|
}
|
|
|
|
// HTTPWrappersForConfig wraps a round tripper with any relevant layered behavior from the
|
|
// config. Exposed to allow more clients that need HTTP-like behavior but then must hijack
|
|
// the underlying connection (like WebSocket or HTTP2 clients). Pure HTTP clients should use
|
|
// the higher level TransportFor or RESTClientFor methods.
|
|
func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error) {
|
|
// Set authentication wrappers
|
|
hasBasicAuth := config.Username != "" || config.Password != ""
|
|
if hasBasicAuth && config.BearerToken != "" {
|
|
return nil, fmt.Errorf("username/password or bearer token may be set, but not both")
|
|
}
|
|
switch {
|
|
case config.BearerToken != "":
|
|
rt = NewBearerAuthRoundTripper(config.BearerToken, rt)
|
|
case hasBasicAuth:
|
|
rt = NewBasicAuthRoundTripper(config.Username, config.Password, rt)
|
|
}
|
|
if len(config.UserAgent) > 0 {
|
|
rt = NewUserAgentRoundTripper(config.UserAgent, rt)
|
|
}
|
|
return rt, nil
|
|
}
|
|
|
|
// DefaultServerURL converts a host, host:port, or URL string to the default base server API path
|
|
// to use with a Client at a given API version following the standard conventions for a
|
|
// Kubernetes API.
|
|
func DefaultServerURL(host, prefix, version string, defaultTLS bool) (*url.URL, error) {
|
|
if host == "" {
|
|
return nil, fmt.Errorf("host must be a URL or a host:port pair")
|
|
}
|
|
if version == "" {
|
|
return nil, fmt.Errorf("version must be set")
|
|
}
|
|
base := host
|
|
hostURL, err := url.Parse(base)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if hostURL.Scheme == "" {
|
|
scheme := "http://"
|
|
if defaultTLS {
|
|
scheme = "https://"
|
|
}
|
|
hostURL, err = url.Parse(scheme + base)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if hostURL.Path != "" && hostURL.Path != "/" {
|
|
return nil, fmt.Errorf("host must be a URL or a host:port pair: %s", base)
|
|
}
|
|
}
|
|
|
|
// If the user specified a URL without a path component (http://server.com), automatically
|
|
// append the default prefix
|
|
if hostURL.Path == "" {
|
|
if prefix == "" {
|
|
prefix = "/"
|
|
}
|
|
hostURL.Path = prefix
|
|
}
|
|
|
|
// Add the version to the end of the path
|
|
hostURL.Path = path.Join(hostURL.Path, version)
|
|
|
|
return hostURL, nil
|
|
}
|
|
|
|
// IsConfigTransportTLS returns true iff the provided config will result in a protected
|
|
// connection to the server when it is passed to client.New() or client.RESTClientFor().
|
|
// Use to determine when to send credentials over the wire.
|
|
//
|
|
// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
|
|
// still possible.
|
|
func IsConfigTransportTLS(config Config) bool {
|
|
// determination of TLS transport does not logically require a version to be specified
|
|
// modify the copy of the config we got to satisfy preconditions for defaultServerUrlFor
|
|
config.Version = defaultVersionFor(&config)
|
|
|
|
baseURL, err := defaultServerUrlFor(&config)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return baseURL.Scheme == "https"
|
|
}
|
|
|
|
// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor. It
|
|
// requires Host and Version to be set prior to being called.
|
|
func defaultServerUrlFor(config *Config) (*url.URL, error) {
|
|
// TODO: move the default to secure when the apiserver supports TLS by default
|
|
// config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
|
|
hasCA := len(config.CAFile) != 0 || len(config.CAData) != 0
|
|
hasCert := len(config.CertFile) != 0 || len(config.CertData) != 0
|
|
defaultTLS := hasCA || hasCert || config.Insecure
|
|
host := config.Host
|
|
if host == "" {
|
|
host = "localhost"
|
|
}
|
|
return DefaultServerURL(host, config.Prefix, config.Version, defaultTLS)
|
|
}
|
|
|
|
// defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
|
|
func defaultVersionFor(config *Config) string {
|
|
version := config.Version
|
|
if version == "" {
|
|
// Clients default to the preferred code API version
|
|
// TODO: implement version negotiation (highest version supported by server)
|
|
version = latest.Version
|
|
}
|
|
return version
|
|
}
|
|
|
|
// DefaultKubernetesUserAgent returns the default user agent that clients can use.
|
|
func DefaultKubernetesUserAgent() string {
|
|
commit := version.Get().GitCommit
|
|
if len(commit) > 7 {
|
|
commit = commit[:7]
|
|
}
|
|
if len(commit) == 0 {
|
|
commit = "unknown"
|
|
}
|
|
version := version.Get().GitVersion
|
|
seg := strings.SplitN(version, "-", 2)
|
|
version = seg[0]
|
|
return fmt.Sprintf("%s/%s (%s/%s) kubernetes/%s", path.Base(os.Args[0]), version, gruntime.GOOS, gruntime.GOARCH, commit)
|
|
}
|