mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-19 05:39:51 +00:00
82 lines
2.8 KiB
Go
82 lines
2.8 KiB
Go
|
/*
|
||
|
Copyright 2018 The Kubernetes Authors.
|
||
|
|
||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
you may not use this file except in compliance with the License.
|
||
|
You may obtain a copy of the License at
|
||
|
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||
|
|
||
|
Unless required by applicable law or agreed to in writing, software
|
||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
See the License for the specific language governing permissions and
|
||
|
limitations under the License.
|
||
|
*/
|
||
|
|
||
|
package options
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
|
||
|
"github.com/google/uuid"
|
||
|
|
||
|
"k8s.io/apiserver/pkg/server"
|
||
|
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||
|
"k8s.io/client-go/rest"
|
||
|
certutil "k8s.io/client-go/util/cert"
|
||
|
)
|
||
|
|
||
|
type SecureServingOptionsWithLoopback struct {
|
||
|
*SecureServingOptions
|
||
|
}
|
||
|
|
||
|
func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
|
||
|
return &SecureServingOptionsWithLoopback{o}
|
||
|
}
|
||
|
|
||
|
// ApplyTo fills up serving information in the server configuration.
|
||
|
func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.SecureServingInfo, loopbackClientConfig **rest.Config) error {
|
||
|
if s == nil || s.SecureServingOptions == nil || secureServingInfo == nil {
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
if err := s.SecureServingOptions.ApplyTo(secureServingInfo); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
if *secureServingInfo == nil || loopbackClientConfig == nil {
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
|
||
|
// let the server return it when the loopback client connects.
|
||
|
certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
|
||
|
}
|
||
|
certProvider, err := dynamiccertificates.NewStaticSNICertKeyContent("self-signed loopback", certPem, keyPem, server.LoopbackClientServerNameOverride)
|
||
|
if err != nil {
|
||
|
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
|
||
|
}
|
||
|
|
||
|
// Write to the front of SNICerts so that this overrides any other certs with the same name
|
||
|
(*secureServingInfo).SNICerts = append([]dynamiccertificates.SNICertKeyContentProvider{certProvider}, (*secureServingInfo).SNICerts...)
|
||
|
|
||
|
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.New().String(), certPem)
|
||
|
switch {
|
||
|
// if we failed and there's no fallback loopback client config, we need to fail
|
||
|
case err != nil && *loopbackClientConfig == nil:
|
||
|
(*secureServingInfo).SNICerts = (*secureServingInfo).SNICerts[1:]
|
||
|
return err
|
||
|
|
||
|
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
||
|
case err != nil && *loopbackClientConfig != nil:
|
||
|
|
||
|
default:
|
||
|
*loopbackClientConfig = secureLoopbackClientConfig
|
||
|
}
|
||
|
|
||
|
return nil
|
||
|
}
|