
Merge pull request kubernetes#5104 from liggitt/secure_kubelet
Plumb tls and cert options into kubelet start
brendandburns committed Mar 6, 2015
2 parents ee351b3 + 02622b1 commit d475570
Showing 4 changed files with 22 additions and 7 deletions.
4 changes: 2 additions & 2 deletions cmd/integration/integration.go
Expand Up @@ -211,13 +211,13 @@ func startComponents(manifestURL string) (apiServerURL string) {
// Kubelet (localhost)
testRootDir := makeTempDirOrDie("kubelet_integ_1.")
glog.Infof("Using %s as root dir for kubelet #1", testRootDir)
kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker1, machineList[0], testRootDir, manifestURL, "127.0.0.1", 10250, api.NamespaceDefault, empty_dir.ProbeVolumePlugins())
kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker1, machineList[0], testRootDir, manifestURL, "127.0.0.1", 10250, api.NamespaceDefault, empty_dir.ProbeVolumePlugins(), nil)
// Kubelet (machine)
// Create a second kubelet so that the guestbook example's two redis slaves both
// have a place they can schedule.
testRootDir = makeTempDirOrDie("kubelet_integ_2.")
glog.Infof("Using %s as root dir for kubelet #2", testRootDir)
kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker2, machineList[1], testRootDir, "", "127.0.0.1", 10251, api.NamespaceDefault, empty_dir.ProbeVolumePlugins())
kubeletapp.SimpleRunKubelet(cl, nil, &fakeDocker2, machineList[1], testRootDir, "", "127.0.0.1", 10251, api.NamespaceDefault, empty_dir.ProbeVolumePlugins(), nil)

return apiServer.URL
}
7 changes: 5 additions & 2 deletions cmd/kubelet/app/server.go
Expand Up @@ -255,7 +255,8 @@ func SimpleRunKubelet(client *client.Client,
hostname, rootDir, manifestURL, address string,
port uint,
masterServiceNamespace string,
volumePlugins []volume.Plugin) {
volumePlugins []volume.Plugin,
tlsOptions *kubelet.TLSOptions) {
kcfg := KubeletConfig{
KubeClient: client,
EtcdClient: etcdClient,
Expand All @@ -273,6 +274,7 @@ func SimpleRunKubelet(client *client.Client,
MaxContainerCount: 5,
MasterServiceNamespace: masterServiceNamespace,
VolumePlugins: volumePlugins,
TLSOptions: tlsOptions,
}
RunKubelet(&kcfg)
}
Expand Down Expand Up @@ -318,7 +320,7 @@ func startKubelet(k *kubelet.Kubelet, podCfg *config.PodConfig, kc *KubeletConfi
// start the kubelet server
if kc.EnableServer {
go util.Forever(func() {
kubelet.ListenAndServeKubeletServer(k, net.IP(kc.Address), kc.Port, kc.EnableDebuggingHandlers)
kubelet.ListenAndServeKubeletServer(k, net.IP(kc.Address), kc.Port, kc.TLSOptions, kc.EnableDebuggingHandlers)
}, 0)
}
}
Expand Down Expand Up @@ -381,6 +383,7 @@ type KubeletConfig struct {
VolumePlugins []volume.Plugin
StreamingConnectionIdleTimeout time.Duration
Recorder record.EventRecorder
TLSOptions *kubelet.TLSOptions
}

func createAndInitKubelet(kc *KubeletConfig, pc *config.PodConfig) (*kubelet.Kubelet, error) {
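Review bot: The new `TLSOptions *kubelet.TLSOptions` field on `KubeletConfig` and the matching parameter on `SimpleRunKubelet` carry no documentation, and the nil case is the security-relevant one: every call site visible in this commit passes `nil`, and `startKubelet` hands that straight to `ListenAndServeKubeletServer`, which then serves plaintext HTTP. A field comment would make the fallback explicit at the point where operators configure it: `TLSOptions *kubelet.TLSOptions // nil: serve the kubelet API over plaintext HTTP (no transport security)`. The same sentence belongs on the `tlsOptions` parameter of `SimpleRunKubelet`, whose signature begins above this hunk. `startKubelet` and the `KubeletConfig` struct both extend beyond the lines shown here.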
2 changes: 1 addition & 1 deletion cmd/kubernetes/kubernetes.go
Expand Up @@ -144,7 +144,7 @@ func startComponents(etcdClient tools.EtcdClient, cl *client.Client, addr net.IP
runControllerManager(machineList, cl, *nodeMilliCPU, *nodeMemory)

dockerClient := dockertools.ConnectToDockerOrDie(*dockerEndpoint)
kubeletapp.SimpleRunKubelet(cl, nil, dockerClient, machineList[0], "/tmp/kubernetes", "", "127.0.0.1", 10250, *masterServiceNamespace, kubeletapp.ProbeVolumePlugins())
kubeletapp.SimpleRunKubelet(cl, nil, dockerClient, machineList[0], "/tmp/kubernetes", "", "127.0.0.1", 10250, *masterServiceNamespace, kubeletapp.ProbeVolumePlugins(), nil)
}

func newApiClient(addr net.IP, port int) *client.Client {
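Review bot: The trailing `nil` passed to `SimpleRunKubelet` keeps the standalone kubelet on plaintext HTTP, which is tolerable only because the address on the same line is the loopback `"127.0.0.1"`; nothing ties the two choices together, so a later change to the bind address would silently expose an unencrypted kubelet API. A one-line comment on the call would record that dependency: `// nil TLSOptions: plaintext HTTP, acceptable only while the kubelet stays bound to 127.0.0.1`. `startComponents` begins above this hunk.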
16 changes: 14 additions & 2 deletions pkg/kubelet/server.go
Expand Up @@ -17,6 +17,7 @@ limitations under the License.
package kubelet

import (
"crypto/tls"
"encoding/json"
"errors"
"fmt"
Expand Down Expand Up @@ -48,8 +49,14 @@ type Server struct {
mux *http.ServeMux
}

type TLSOptions struct {
Config *tls.Config
CertFile string
KeyFile string
}

// ListenAndServeKubeletServer initializes a server to respond to HTTP network requests on the Kubelet.
func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint, enableDebuggingHandlers bool) {
func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint, tlsOptions *TLSOptions, enableDebuggingHandlers bool) {
glog.V(1).Infof("Starting to listen on %s:%d", address, port)
handler := NewServer(host, enableDebuggingHandlers)
s := &http.Server{
Expand All @@ -59,7 +66,12 @@ func ListenAndServeKubeletServer(host HostInterface, address net.IP, port uint,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Fatal(s.ListenAndServe())
if tlsOptions != nil {
s.TLSConfig = tlsOptions.Config
glog.Fatal(s.ListenAndServeTLS(tlsOptions.CertFile, tlsOptions.KeyFile))
} else {
glog.Fatal(s.ListenAndServe())
}
}

// HostInterface contains all the kubelet methods required by the server.
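Review bot: The TLS branch in `ListenAndServeKubeletServer` secures the transport only; nothing in it requires client certificates, so whether callers of the kubelet API are authenticated depends entirely on the `ClientAuth`/`ClientCAs` values the caller places in `TLSOptions.Config`, which is assigned to `s.TLSConfig` unmodified. The exported `TLSOptions` type also has no doc comment; a suitable one would say that it holds the serving certificate and key paths plus an optional `*tls.Config` passed through verbatim, that a nil `*TLSOptions` means plaintext HTTP, and that client authentication must be configured by the caller via `Config`. The startup log line above the branch does not distinguish the two modes either; `glog.V(1).Infof("Starting to listen on %s:%d (tls=%t)", address, port, tlsOptions != nil)` would make a plaintext fallback visible in the logs. The `http.Server` literal whose fields are set in this hunk begins above the shown lines.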
