split insecure serving options

cmd/kube-apiserver/app/server.go

@@ -51,6 +51,7 @@ import (
 	generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	"k8s.io/kubernetes/pkg/master"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/serviceaccount"
@@ -246,7 +247,7 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	privilegedLoopbackToken := uuid.NewRandom().String()
-	selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+	selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServingOptions, s.GenericServerRunOptions.InsecureServingOptions, privilegedLoopbackToken)
 	if err != nil {
 		glog.Fatalf("Failed to create clientset: %v", err)
 	}

examples/apiserver/apiserver.go

@@ -55,8 +55,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
 }
 
 func NewServerRunOptions() *genericoptions.ServerRunOptions {
-	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions()
-	serverOptions.InsecurePort = InsecurePort
+	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions().WithInsecureServingOptions()
+	serverOptions.InsecureServingOptions.BindPort = InsecurePort
 	return serverOptions
 }
 

federation/cmd/federation-apiserver/app/server.go

@@ -39,6 +39,7 @@ import (
 	"k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/registry/generic"
 	"k8s.io/kubernetes/pkg/registry/generic/registry"
@@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	privilegedLoopbackToken := uuid.NewRandom().String()
-	selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+	selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServingOptions, s.GenericServerRunOptions.InsecureServingOptions, privilegedLoopbackToken)
 	if err != nil {
 		glog.Fatalf("Failed to create clientset: %v", err)
 	}

pkg/genericapiserver/config.go

@@ -222,7 +222,6 @@ func NewConfig() *Config {
 	defaultOptions := options.NewServerRunOptions()
 	// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
 	// TODO we probably want to run the defaults the other way.  A default here drives it in the CLI flags
-	defaultOptions.InsecurePort = 0
 	defaultOptions.AuditLogPath = ""
 	return config.ApplyOptions(defaultOptions)
 }
@@ -273,9 +272,9 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 		c.ReadWritePort = options.SecureServingOptions.ServingOptions.BindPort
 	}
 
-	if options.InsecurePort > 0 {
+	if options.InsecureServingOptions != nil && options.InsecureServingOptions.BindPort > 0 {
 		insecureServingInfo := &ServingInfo{
-			BindAddress: net.JoinHostPort(options.InsecureBindAddress.String(), strconv.Itoa(options.InsecurePort)),
+			BindAddress: net.JoinHostPort(options.InsecureServingOptions.BindAddress.String(), strconv.Itoa(options.InsecureServingOptions.BindPort)),
 		}
 		c.InsecureServingInfo = insecureServingInfo
 	}

pkg/genericapiserver/options/server_run_options.go

@@ -17,9 +17,7 @@ limitations under the License.
 package options
 
 import (
-	"errors"
 	"net"
-	"strconv"
 	"strings"
 	"time"
 
@@ -28,7 +26,6 @@ import (
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/util/config"
 	utilnet "k8s.io/kubernetes/pkg/util/net"
 
@@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
 
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
-	EtcdOptions          *EtcdOptions
-	SecureServingOptions *SecureServingOptions
+	EtcdOptions            *EtcdOptions
+	SecureServingOptions   *SecureServingOptions
+	InsecureServingOptions *ServingOptions
 
 	AdmissionControl           string
 	AdmissionControlConfigFile string
@@ -85,8 +83,6 @@ type ServerRunOptions struct {
 	EnableSwaggerUI              bool
 	EnableWatchCache             bool
 	ExternalHost                 string
-	InsecureBindAddress          net.IP
-	InsecurePort                 int
 	KeystoneURL                  string
 	KeystoneCAFile               string
 	KubernetesServiceNodePort    int
@@ -131,8 +127,6 @@ func NewServerRunOptions() *ServerRunOptions {
 		EnableGarbageCollection:                  true,
 		EnableProfiling:                          true,
 		EnableWatchCache:                         true,
-		InsecureBindAddress:                      net.ParseIP("127.0.0.1"),
-		InsecurePort:                             8080,
 		LongRunningRequestRE:                     DefaultLongRunningRequestRE,
 		MasterCount:                              1,
 		MasterServiceNamespace:                   api.NamespaceDefault,
@@ -148,11 +142,17 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
 	o.EtcdOptions = NewDefaultEtcdOptions()
 	return o
 }
+
 func (o *ServerRunOptions) WithSecureServingOptions() *ServerRunOptions {
 	o.SecureServingOptions = NewDefaultSecureServingOptions()
 	return o
 }
 
+func (o *ServerRunOptions) WithInsecureServingOptions() *ServerRunOptions {
+	o.InsecureServingOptions = NewDefaultInsecureServingOptions()
+	return o
+}
+
 // StorageGroupsToEncodingVersion returns a map from group name to group version,
 // computed from s.StorageVersions flag.
 func (s *ServerRunOptions) StorageGroupsToEncodingVersion() (map[string]unversioned.GroupVersion, error) {
@@ -201,42 +201,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]unversioned.GroupVe
 
 // Returns a clientset which can be used to talk to this apiserver.
 func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, error) {
-	clientConfig, err := s.NewSelfClientConfig(token)
+	clientConfig, err := NewSelfClientConfig(s.SecureServingOptions, s.InsecureServingOptions, token)
 	if err != nil {
 		return nil, err
 	}
 	return clientset.NewForConfig(clientConfig)
 }
 
-// Returns a clientconfig which can be used to talk to this apiserver.
-func (s *ServerRunOptions) NewSelfClientConfig(token string) (*restclient.Config, error) {
-	clientConfig := &restclient.Config{
-		// Increase QPS limits. The client is currently passed to all admission plugins,
-		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
-		// for more details. Once #22422 is fixed, we may want to remove it.
-		QPS:   50,
-		Burst: 100,
-	}
-
-	// Use secure port if the ServerCA is specified
-	if s.SecureServingOptions != nil && s.SecureServingOptions.ServingOptions.BindPort > 0 && len(s.SecureServingOptions.ServerCA) > 0 {
-		host := s.SecureServingOptions.ServingOptions.BindAddress.String()
-		if host == "0.0.0.0" {
-			host = "localhost"
-		}
-		clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecureServingOptions.ServingOptions.BindPort))
-		clientConfig.CAFile = s.SecureServingOptions.ServerCA
-		clientConfig.BearerToken = token
-
-	} else if s.InsecurePort > 0 {
-		clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
-	} else {
-		return nil, errors.New("Unable to set url for apiserver local client")
-	}
-
-	return clientConfig, nil
-}
-
 // AddFlags adds flags for a specific APIServer to the specified FlagSet
 func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 	// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
@@ -333,22 +304,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.ExternalHost, "external-hostname", s.ExternalHost,
 		"The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs).")
 
-	fs.IPVar(&s.InsecureBindAddress, "insecure-bind-address", s.InsecureBindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
-		"Defaults to localhost.")
-	fs.IPVar(&s.InsecureBindAddress, "address", s.InsecureBindAddress,
-		"DEPRECATED: see --insecure-bind-address instead.")
-	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
-	fs.IntVar(&s.InsecurePort, "insecure-port", s.InsecurePort, ""+
-		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
-		"that firewall rules are set up such that this port is not reachable from outside of "+
-		"the cluster and that port 443 on the cluster's public address is proxied to this "+
-		"port. This is performed by nginx in the default setup.")
-
-	fs.IntVar(&s.InsecurePort, "port", s.InsecurePort, "DEPRECATED: see --insecure-port instead.")
-	fs.MarkDeprecated("port", "see --insecure-port instead.")
-
 	fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL,
 		"If passed, activates the keystone authentication plugin.")
 

pkg/genericapiserver/options/serving_options.go

@@ -17,11 +17,14 @@ limitations under the License.
 package options
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"strconv"
 
 	"github.com/spf13/pflag"
 
+	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/util/config"
 )
 
@@ -76,23 +79,37 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
 	}
 }
 
-func (s *SecureServingOptions) Validate() []error {
-	errors := []error{}
-	if s == nil {
-		return errors
+func (s *SecureServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+	if s == nil || s.ServingOptions.BindPort <= 0 && len(s.ServerCA) == 0 {
+		return nil
+	}
+	clientConfig := &restclient.Config{
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
 	}
 
-	errors = append(errors, s.ServingOptions.Validate("secure-port")...)
-	return errors
+	// Use secure port if the ServerCA is specified
+	host := s.ServingOptions.BindAddress.String()
+	if host == "0.0.0.0" {
+		host = "localhost"
+	}
+	clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.ServingOptions.BindPort))
+	clientConfig.CAFile = s.ServerCA
+	clientConfig.BearerToken = token
+
+	return clientConfig
 }
 
-func (s ServingOptions) Validate(portArg string) []error {
+func (s *SecureServingOptions) Validate() []error {
 	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
+	if s == nil {
+		return errors
 	}
 
+	errors = append(errors, s.ServingOptions.Validate("secure-port")...)
 	return errors
 }
 
@@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
 	fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 
 }
+
+func NewDefaultInsecureServingOptions() *ServingOptions {
+	return &ServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+}
+
+func (s ServingOptions) Validate(portArg string) []error {
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65535 {
+		errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
+	}
+
+	return errors
+}
+
+func (s *ServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+	if s == nil || s.BindPort <= 0 {
+		return nil
+	}
+	clientConfig := &restclient.Config{
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}
+
+	clientConfig.Host = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort))
+
+	return clientConfig
+}
+
+func (s *ServingOptions) AddInsecureServingFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
+		"Defaults to localhost.")
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
+		"that firewall rules are set up such that this port is not reachable from outside of "+
+		"the cluster and that port 443 on the cluster's public address is proxied to this "+
+		"port. This is performed by nginx in the default setup.")
+}
+
+func (s *ServingOptions) AddDeprecatedInsecureServingFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --insecure-bind-address instead.")
+	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
+	fs.MarkDeprecated("port", "see --insecure-port instead.")
+}
+
+// Returns a clientconfig which can be used to talk to this apiserver.
+func NewSelfClientConfig(secureServingOptions *SecureServingOptions, insecureServingOptions *ServingOptions, token string) (*restclient.Config, error) {
+	if cfg := secureServingOptions.NewSelfClientConfig(token); cfg != nil {
+		return cfg, nil
+	}
+	if cfg := insecureServingOptions.NewSelfClientConfig(token); cfg != nil {
+		return cfg, nil
+	}
+
+	return nil, errors.New("Unable to set url for apiserver local client")
+}

pkg/genericapiserver/validation/universal_validation.go

@@ -52,16 +52,15 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
 func verifySecureAndInsecurePort(options *options.ServerRunOptions) []error {
 	errors := []error{}
 	errors = append(errors, options.SecureServingOptions.Validate()...)
+	errors = append(errors, options.InsecureServingOptions.Validate("insecure-port")...)
 
-	if options.InsecurePort < 0 || options.InsecurePort > 65535 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort))
-	}
-
-	if (options.SecureServingOptions == nil || options.SecureServingOptions.ServingOptions.BindPort == 0) && options.InsecurePort == 0 {
+	if (options.SecureServingOptions == nil || options.SecureServingOptions.ServingOptions.BindPort == 0) &&
+		(options.InsecureServingOptions == nil || options.InsecureServingOptions.BindPort == 0) {
 		glog.Fatalf("--secure-port and --insecure-port cannot be turned off at the same time.")
 	}
 
-	if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort == options.InsecurePort {
+	if options.SecureServingOptions != nil && options.InsecureServingOptions != nil &&
+		options.SecureServingOptions.ServingOptions.BindPort == options.InsecureServingOptions.BindPort {
 		errors = append(errors, fmt.Errorf("--secure-port and --insecure-port cannot use the same port."))
 	}
 	return errors

test/integration/examples/apiserver_test.go

@@ -63,7 +63,7 @@ func TestRunSecureServer(t *testing.T) {
 	stopCh := make(chan struct{})
 	go func() {
 		options := apiserver.NewServerRunOptions()
-		options.InsecurePort = 0
+		options.InsecureServingOptions.BindPort = 0
 		options.SecureServingOptions.ServingOptions.BindPort = apiserver.SecurePort
 		if err := apiserver.Run(options, stopCh); err != nil {
 			t.Fatalf("Error in bringing up the server: %v", err)