Merge pull request kubernetes#21535 from AdoHe/restore_secure_etcd
restore ability to run against secured etcd
bgrant0607 authored and TrXuk committed Apr 4, 2016
1 parent bf9b7bf commit 3bc17a2
Showing 6 changed files with 120 additions and 0 deletions.
15 changes: 15 additions & 0 deletions cmd/kube-apiserver/app/options/options.go
Expand Up @@ -32,7 +32,11 @@ import (
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
"k8s.io/kubernetes/pkg/master/ports"
etcdstorage "k8s.io/kubernetes/pkg/storage/etcd"
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
"k8s.io/kubernetes/pkg/util/config"
=======
"k8s.io/kubernetes/pkg/util"
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
utilnet "k8s.io/kubernetes/pkg/util/net"

"github.com/spf13/pflag"
Expand All @@ -58,7 +62,10 @@ type APIServer struct {
EnableLogsSupport bool
EnableProfiling bool
EnableWatchCache bool
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
EnableSwaggerUI bool
=======
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
EtcdServersOverrides []string
EtcdConfig etcdstorage.EtcdConfig
EventTTL time.Duration
Expand Down Expand Up @@ -107,7 +114,11 @@ func NewAPIServer() *APIServer {
EventTTL: 1 * time.Hour,
MasterCount: 1,
MasterServiceNamespace: api.NamespaceDefault,
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
RuntimeConfig: make(config.ConfigurationMap),
=======
RuntimeConfig: make(util.ConfigurationMap),
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
StorageVersions: registered.AllPreferredGroupVersions(),
DefaultStorageVersions: registered.AllPreferredGroupVersions(),
KubeletConfig: kubeletclient.KubeletClientConfig{
Expand Down Expand Up @@ -223,7 +234,11 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.AuthorizationConfig.WebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationConfig.WebhookConfigFile, "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.")
fs.StringVar(&s.AdmissionControl, "admission-control", s.AdmissionControl, "Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: "+strings.Join(admission.GetPlugins(), ", "))
fs.StringVar(&s.AdmissionControlConfigFile, "admission-control-config-file", s.AdmissionControlConfigFile, "File with admission control configuration.")
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
fs.StringSliceVar(&s.EtcdConfig.ServerList, "etcd-servers", s.EtcdConfig.ServerList, "List of etcd servers to watch (http://ip:port), comma separated.")
=======
fs.StringSliceVar(&s.EtcdConfig.ServerList, "etcd-servers", s.EtcdConfig.ServerList, "List of etcd servers to watch (http://ip:port), comma separated. Mutually exclusive with -etcd-config")
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
fs.StringSliceVar(&s.EtcdServersOverrides, "etcd-servers-overrides", s.EtcdServersOverrides, "Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated.")
fs.StringVar(&s.EtcdConfig.Prefix, "etcd-prefix", s.EtcdConfig.Prefix, "The prefix for all resource paths in etcd.")
fs.StringVar(&s.EtcdConfig.KeyFile, "etcd-keyfile", s.EtcdConfig.KeyFile, "SSL key file used to secure etcd communication")
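Review bot: The import hunk commits unresolved merge conflict markers (`<<<<<<< bf9b7bf…`, `=======`, `>>>>>>> Merge pull request #21535…`) into options.go, so the package cannot compile; the same markers appear in every other hunk of this file and in pkg/storage/etcd/etcd_helper.go, pkg/storage/etcd/testing/certificates.go, pkg/storage/etcd/testing/utils.go and docs/admin/kube-apiserver.md. A diffstat of 120 additions and 0 deletions is consistent with both sides having been written out verbatim rather than resolved. In this file the two sides disagree on more than the etcd flag text: the bf9b7bf side imports `k8s.io/kubernetes/pkg/util/config` and keeps the `EnableSwaggerUI` field, while the PR side imports `k8s.io/kubernetes/pkg/util` and has no such field, so resolving toward the PR side would silently drop a flag. The resolution should keep the bf9b7bf side throughout and carry over only the `--etcd-servers` help text, `"List of etcd servers to watch (http://ip:port), comma separated. Mutually exclusive with -etcd-config"`, and only if an `-etcd-config` flag still exists, which is not visible in this hunk.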
7 changes: 7 additions & 0 deletions docs/admin/kube-apiserver.md
Expand Up @@ -70,7 +70,10 @@ kube-apiserver
--cloud-provider="": The provider for cloud services. Empty string for no provider.
--cors-allowed-origins=[]: List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.
--delete-collection-workers=1: Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup.
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
--enable-swagger-ui[=false]: Enables swagger ui on the apiserver at /swagger-ui
=======
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
--etcd-cafile="": SSL Certificate Authority file used to secure etcd communication
--etcd-certfile="": SSL certification file used to secure etcd communication
--etcd-keyfile="": SSL key file used to secure etcd communication
Expand Down Expand Up @@ -119,7 +122,11 @@ kube-apiserver
--watch-cache-sizes=[]: List of watch cache sizes for every resource (pods, nodes, etc.), comma separated. The individual override format: resource#size, where size is a number. It takes effect when watch-cache is enabled.
```

<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
###### Auto generated by spf13/cobra on 22-Mar-2016
=======
###### Auto generated by spf13/cobra on 6-Mar-2016
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd


3 changes: 3 additions & 0 deletions hack/verify-flags/known-flags.txt
Expand Up @@ -111,6 +111,9 @@ etcd-quorum-read
etcd-server
etcd-servers
etcd-servers-overrides
etcd-keyfile
etcd-certfile
etcd-cafile
event-burst
event-qps
event-ttl
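Review bot: The three new entries `etcd-keyfile`, `etcd-certfile`, `etcd-cafile` are inserted after `etcd-servers-overrides`, which breaks the alphabetical order the surrounding lines follow (`etcd-quorum-read`, `etcd-server`, `etcd-servers`, `etcd-servers-overrides`, `event-burst`). If hack/verify-flags keeps or checks this list sorted, they belong just above `etcd-quorum-read` in the order `etcd-cafile`, `etcd-certfile`, `etcd-keyfile`; otherwise this is only a readability point. This is the one section of the commit without conflict markers.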
41 changes: 41 additions & 0 deletions pkg/storage/etcd/etcd_helper.go
Expand Up @@ -84,13 +84,31 @@ func (c *EtcdConfig) newEtcdClient() (etcd.Client, error) {
Endpoints: c.ServerList,
Transport: t,
})
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
=======
if err != nil {
return nil, err
}

return cli, nil
}

func (c *EtcdConfig) newHttpTransport() (*http.Transport, error) {
info := transport.TLSInfo{
CertFile: c.CertFile,
KeyFile: c.KeyFile,
CAFile: c.CAFile,
}
cfg, err := info.ClientConfig()
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
if err != nil {
return nil, err
}

<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
return cli, nil
}

func (c *EtcdConfig) newHttpTransport() (*http.Transport, error) {
info := transport.TLSInfo{
CertFile: c.CertFile,
Expand All @@ -105,6 +123,11 @@ func (c *EtcdConfig) newHttpTransport() (*http.Transport, error) {
// Copied from etcd.DefaultTransport declaration.
// TODO: Determine if transport needs optimization
tr := utilnet.SetTransportDefaults(&http.Transport{
=======
// Copied from etcd.DefaultTransport declaration.
// TODO: Determine if transport needs optimization
tr := &http.Transport{
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
Expand All @@ -113,7 +136,11 @@ func (c *EtcdConfig) newHttpTransport() (*http.Transport, error) {
TLSHandshakeTimeout: 10 * time.Second,
MaxIdleConnsPerHost: 500,
TLSClientConfig: cfg,
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
})
=======
}
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd

return tr, nil
}
Expand All @@ -129,7 +156,11 @@ func NewEtcdStorage(client etcd.Client, codec runtime.Codec, prefix string, quor
copier: api.Scheme,
pathPrefix: path.Join("/", prefix),
quorum: quorum,
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
cache: utilcache.NewCache(maxEtcdCacheEntries),
=======
cache: util.NewCache(maxEtcdCacheEntries),
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
}
}

Expand Down Expand Up @@ -316,6 +347,7 @@ func (h *etcdHelper) Delete(ctx context.Context, key string, out runtime.Object,
panic("unable to convert output object to pointer")
}

<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
if preconditions == nil {
startTime := time.Now()
response, err := h.etcdKeysAPI.Delete(ctx, key, nil)
Expand Down Expand Up @@ -359,6 +391,15 @@ func (h *etcdHelper) Delete(ctx context.Context, key string, out runtime.Object,
}
}
return toStorageErr(err, key, 0)
=======
startTime := time.Now()
response, err := h.etcdKeysAPI.Delete(ctx, key, nil)
metrics.RecordEtcdRequestLatency("delete", getTypeName(out), startTime)
if !etcdutil.IsEtcdNotFound(err) {
// if the object that existed prior to the delete is returned by etcd, update out.
if err != nil || response.PrevNode != nil {
_, _, err = h.extractObj(response, err, out, false, true)
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
}
}
}
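Review bot: The conflict in `newEtcdClient` (the `=======` block right after `Transport: t,` and the `<<<<<<<` block right after the shared `if err != nil` check) is the same `return cli, nil` / `func (c *EtcdConfig) newHttpTransport()` preamble at two offsets, so keeping both sides would define `newHttpTransport` twice and keeping only the PR side would move the error check onto the wrong call; the bf9b7bf side should be kept as is. The same choice matters in the later hunks of this file: the PR side builds `tr := &http.Transport{` without `utilnet.SetTransportDefaults`, and its `Delete` body has no `preconditions` branch, so taking it would regress what bf9b7bf already has. The `cache:` line likewise conflicts between `utilcache.NewCache(maxEtcdCacheEntries)` and `util.NewCache(maxEtcdCacheEntries)`, and only the package name this file actually imports will compile. `Delete` starts and ends outside the hunk.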
50 changes: 50 additions & 0 deletions pkg/storage/etcd/testing/certificates.go
Expand Up @@ -18,6 +18,7 @@ package testing

// You can use cfssl tool to generate certificates, please refer
// https://github.com/coreos/etcd/tree/master/hack/tls-setup for more details.
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
//
// ca-config.json:
// expiry was changed from 1 year to 100 years (876000h)
Expand Down Expand Up @@ -53,10 +54,32 @@ sZsxOwG7cyEEvvs+XmZ/vBLBOr59xyjwn4seQqzwZj3VYeiKLw40iQt1yT442rcP
CfdlE9wTEONvWT+kBGMt0JlalXH3jFvlfcGQdDfRmDeTJtA+uIbvJhwJuGCNHHAc
xqC+4mAGBPN/dMPXpjayHD5dOXIKLfrNpqse6jImYlY9zduvwIHRDK/zvqTyPlNZ
uR84Nw==
=======
const CAFileContent = `
-----BEGIN CERTIFICATE-----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>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
-----END CERTIFICATE-----
`
const CertFileContent = `
-----BEGIN CERTIFICATE-----
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
MIIELzCCAxegAwIBAgIUcjkJA3cmHeoBQggaKZmfKebFL9cwDQYJKoZIhvcNAQEL
BQAwgawxCzAJBgNVBAYTAlVTMSowKAYDVQQKEyFIb25lc3QgQWNobWVkJ3MgVXNl
ZCBDZXJ0aWZpY2F0ZXMxKTAnBgNVBAsTIEhhc3RpbHktR2VuZXJhdGVkIFZhbHVl
Expand Down Expand Up @@ -110,4 +133,31 @@ GY8c2kAwJndyx74MaJCBDVMbMwlZpzFWkBz7dj8ZnXRGVNTZNh0Ef2XAjwUdtJP3
wgGVLrn53s6eCblnXLtKr/Li+t7fS8IkQkvu5guOvI9VeVUmZhFET3GVmUxu+JTb
iQY4uBgaf8Fgay4dkOfjvlOpFDR4E7UbJpg8/cFKTrpwgOiUVyFVdQ==
-----END RSA PRIVATE KEY-----
=======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-----END CERTIFICATE-----
`
const KeyFileContent = `
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBkmx3mD+yd/qh6WYBTUAFbHZLHKrBv6o4H2AnSfx2HiMQoPm+elwhR
xhWa/tV+8zCgBwYFK4EEACKhZANiAAQ9HJgNWxMIrnns2+Sb8FUj9RBAFk/qP9cE
xp+FmbnjnOUy2poK5pGDdr88TMUAXyzV7J/rbTo6pDmWLWMEcbIgqfWYW6BRmAaP
WuQNLsP/L2k2N3NHvHZfCZK+efuDCGE=
-----END EC PRIVATE KEY-----
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
`
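Review bot: The markers `<<<<<<<` before `MIIELzCCAxegAwIBAgIU…` and `>>>>>>>` after `-----END EC PRIVATE KEY-----` sit inside backtick raw string literals, so the compiler will not catch them; `CertFileContent` and `KeyFileContent` would instead carry invalid PEM and any test building TLS config from them would fail at setup with a less obvious error. The marker directly under the `// https://github.com/coreos/etcd/tree/master/hack/tls-setup` comment line is outside any literal and will not compile at all. The two sides also carry different key types (an RSA key on the bf9b7bf side, an EC key on the PR side), so the certificate and key kept must be the matching pair from one side, presumably bf9b7bf whose header comment describes the regenerated material; part of this section is not visible here, so the CA constant should be checked the same way.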
4 changes: 4 additions & 0 deletions pkg/storage/etcd/testing/utils.go
Expand Up @@ -88,7 +88,11 @@ func newHttpTransport(t *testing.T, certFile, keyFile, caFile string) etcd.Cance
KeyFile: keyFile,
CAFile: caFile,
}
<<<<<<< bf9b7bfaf7b623e3afffacc33b9610c2f707df7d
tr, err := transport.NewTransport(tlsInfo, time.Second)
=======
tr, err := transport.NewTransport(tlsInfo)
>>>>>>> Merge pull request #21535 from AdoHe/restore_secure_etcd
if err != nil {
t.Fatal(err)
}
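Review bot: The two sides call different signatures of `transport.NewTransport`, `(tlsInfo, time.Second)` on the bf9b7bf side and `(tlsInfo)` on the PR side; only the one matching the vendored etcd `pkg/transport` compiles, and the extra argument is presumably a dial timeout that the newer vendored API requires. Keep `tr, err := transport.NewTransport(tlsInfo, time.Second)` if the vendored package takes the timeout, and confirm `time` stays imported in this file. `newHttpTransport` starts outside the hunk.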