kubernetes · deads2k · Nov 9, 2016 · Nov 9, 2016 · Nov 9, 2016 · Nov 9, 2016
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
@@ -202,9 +202,9 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	// Default to the private server key for service account token signing
-	if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.TLSPrivateKeyFile != "" {
-		if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.TLSPrivateKeyFile) {
-			s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.TLSPrivateKeyFile}
+	if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile != "" {
+		if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile) {
+			s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile}
 		} else {
 			glog.Warning("No TLS key provided, service account token authentication disabled")
 		}
@@ -225,7 +225,7 @@ func Run(s *options.ServerRunOptions) error {
 		Anonymous:                   s.GenericServerRunOptions.AnonymousAuth,
 		AnyToken:                    s.GenericServerRunOptions.EnableAnyToken,
 		BasicAuthFile:               s.GenericServerRunOptions.BasicAuthFile,
-		ClientCAFile:                s.GenericServerRunOptions.ClientCAFile,
+		ClientCAFile:                s.GenericServerRunOptions.SecureServingOptions.ClientCA,
 		TokenAuthFile:               s.GenericServerRunOptions.TokenAuthFile,
 		OIDCIssuerURL:               s.GenericServerRunOptions.OIDCIssuerURL,
 		OIDCClientID:                s.GenericServerRunOptions.OIDCClientID,

diff --git a/examples/apiserver/apiserver.go b/examples/apiserver/apiserver.go
@@ -56,7 +56,7 @@ func newStorageFactory() genericapiserver.StorageFactory {
 }
 
 func NewServerRunOptions() *genericoptions.ServerRunOptions {
-	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions()
+	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions()
 	serverOptions.InsecurePort = InsecurePort
 	return serverOptions
 }

diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go
@@ -121,7 +121,7 @@ func Run(s *options.ServerRunOptions) error {
 		Anonymous:           s.GenericServerRunOptions.AnonymousAuth,
 		AnyToken:            s.GenericServerRunOptions.EnableAnyToken,
 		BasicAuthFile:       s.GenericServerRunOptions.BasicAuthFile,
-		ClientCAFile:        s.GenericServerRunOptions.ClientCAFile,
+		ClientCAFile:        s.GenericServerRunOptions.SecureServingOptions.ClientCA,
 		TokenAuthFile:       s.GenericServerRunOptions.TokenAuthFile,
 		OIDCIssuerURL:       s.GenericServerRunOptions.OIDCIssuerURL,
 		OIDCClientID:        s.GenericServerRunOptions.OIDCClientID,

diff --git a/pkg/genericapiserver/config.go b/pkg/genericapiserver/config.go
@@ -222,7 +222,6 @@ func NewConfig() *Config {
 	defaultOptions := options.NewServerRunOptions()
 	// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
 	// TODO we probably want to run the defaults the other way.  A default here drives it in the CLI flags
-	defaultOptions.SecurePort = 0
 	defaultOptions.InsecurePort = 0
 	defaultOptions.AuditLogPath = ""
 	return config.ApplyOptions(defaultOptions)
@@ -239,28 +238,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 		}
 	}
 
-	if options.SecurePort > 0 {
+	if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort > 0 {
 		secureServingInfo := &SecureServingInfo{
 			ServingInfo: ServingInfo{
-				BindAddress: net.JoinHostPort(options.BindAddress.String(), strconv.Itoa(options.SecurePort)),
+				BindAddress: net.JoinHostPort(options.SecureServingOptions.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServingOptions.ServingOptions.BindPort)),
 			},
 			ServerCert: GeneratableKeyCert{
 				CertKey: CertKey{
-					CertFile: options.TLSCertFile,
-					KeyFile:  options.TLSPrivateKeyFile,
+					CertFile: options.SecureServingOptions.ServerCert.CertKey.CertFile,
+					KeyFile:  options.SecureServingOptions.ServerCert.CertKey.KeyFile,
 				},
 			},
 			SNICerts: []NamedCertKey{},
-			ClientCA: options.ClientCAFile,
+			ClientCA: options.SecureServingOptions.ClientCA,
 		}
-		if options.TLSCertFile == "" && options.TLSPrivateKeyFile == "" {
+		if options.SecureServingOptions.ServerCert.CertKey.CertFile == "" && options.SecureServingOptions.ServerCert.CertKey.KeyFile == "" {
 			secureServingInfo.ServerCert.Generate = true
-			secureServingInfo.ServerCert.CertFile = path.Join(options.CertDirectory, "apiserver.crt")
-			secureServingInfo.ServerCert.KeyFile = path.Join(options.CertDirectory, "apiserver.key")
+			secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".crt")
+			secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".key")
 		}
 
 		secureServingInfo.SNICerts = nil
-		for _, nkc := range options.SNICertKeys {
+		for _, nkc := range options.SecureServingOptions.SNICertKeys {
 			secureServingInfo.SNICerts = append(secureServingInfo.SNICerts, NamedCertKey{
 				CertKey: CertKey{
 					KeyFile:  nkc.KeyFile,
@@ -271,7 +270,7 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 		}
 
 		c.SecureServingInfo = secureServingInfo
-		c.ReadWritePort = options.SecurePort
+		c.ReadWritePort = options.SecureServingOptions.ServingOptions.BindPort
 	}
 
 	if options.InsecurePort > 0 {
@@ -480,8 +479,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
 	// If advertise-address is not specified, use bind-address. If bind-address
 	// is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
 	// interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
-	if options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified() {
-		hostIP, err := utilnet.ChooseBindAddress(options.BindAddress)
+	if options.SecureServingOptions != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
+		hostIP, err := utilnet.ChooseBindAddress(options.SecureServingOptions.ServingOptions.BindAddress)
 		if err != nil {
 			glog.Fatalf("Unable to find suitable network address.error='%v' . "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)

diff --git a/pkg/genericapiserver/options/server_run_options.go b/pkg/genericapiserver/options/server_run_options.go
@@ -54,7 +54,8 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
 
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
-	Etcd *EtcdOptions
+	Etcd                 *EtcdOptions
+	SecureServingOptions *SecureServingOptions
 
 	AdmissionControl           string
 	AdmissionControlConfigFile string
@@ -70,9 +71,6 @@ type ServerRunOptions struct {
 
 	AnonymousAuth                bool
 	BasicAuthFile                string
-	BindAddress                  net.IP
-	CertDirectory                string
-	ClientCAFile                 string
 	CloudConfigFile              string
 	CloudProvider                string
 	CorsAllowedOriginList        []string
@@ -106,7 +104,6 @@ type ServerRunOptions struct {
 	RequestHeaderClientCAFile    string
 	RequestHeaderAllowedNames    []string
 	RuntimeConfig                config.ConfigurationMap
-	SecurePort                   int
 	ServiceClusterIPRange        net.IPNet // TODO: make this a list
 	ServiceNodePortRange         utilnet.PortRange
 	StorageVersions              string
@@ -116,9 +113,6 @@ type ServerRunOptions struct {
 	DefaultStorageVersions string
 	TargetRAMMB            int
 	TLSCAFile              string
-	TLSCertFile            string
-	TLSPrivateKeyFile      string
-	SNICertKeys            []config.NamedCertKey
 	TokenAuthFile          string
 	EnableAnyToken         bool
 	WatchCacheSizes        []string
@@ -131,8 +125,6 @@ func NewServerRunOptions() *ServerRunOptions {
 		AuthorizationMode:                        "AlwaysAllow",
 		AuthorizationWebhookCacheAuthorizedTTL:   5 * time.Minute,
 		AuthorizationWebhookCacheUnauthorizedTTL: 30 * time.Second,
-		BindAddress:                              net.ParseIP("0.0.0.0"),
-		CertDirectory:                            "/var/run/kubernetes",
 		DefaultStorageMediaType:                  "application/json",
 		DefaultStorageVersions:                   registered.AllPreferredGroupVersions(),
 		DeleteCollectionWorkers:                  1,
@@ -147,7 +139,6 @@ func NewServerRunOptions() *ServerRunOptions {
 		MaxRequestsInFlight:                      400,
 		MinRequestTimeout:                        1800,
 		RuntimeConfig:                            make(config.ConfigurationMap),
-		SecurePort:                               6443,
 		ServiceNodePortRange:                     DefaultServiceNodePortRange,
 		StorageVersions:                          registered.AllPreferredGroupVersions(),
 	}
@@ -157,6 +148,10 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
 	o.Etcd = NewDefaultEtcdOptions()
 	return o
 }
+func (o *ServerRunOptions) WithSecureServingOptions() *ServerRunOptions {
+	o.SecureServingOptions = NewDefaultSecureServingOptions()
+	return o
+}
 
 // StorageGroupsToEncodingVersion returns a map from group name to group version,
 // computed from s.StorageVersions flag.
@@ -223,15 +218,16 @@ func (s *ServerRunOptions) NewSelfClientConfig(token string) (*restclient.Config
 		Burst: 100,
 	}
 
-	// Use secure port if the TLSCAFile is specified
-	if s.SecurePort > 0 && len(s.TLSCAFile) > 0 {
-		host := s.BindAddress.String()
+	// Use secure port if the ServerCA is specified
+	if s.SecureServingOptions != nil && s.SecureServingOptions.ServingOptions.BindPort > 0 && len(s.SecureServingOptions.ServerCA) > 0 {
+		host := s.SecureServingOptions.ServingOptions.BindAddress.String()
 		if host == "0.0.0.0" {
 			host = "localhost"
 		}
-		clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecurePort))
-		clientConfig.CAFile = s.TLSCAFile
+		clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecureServingOptions.ServingOptions.BindPort))
+		clientConfig.CAFile = s.SecureServingOptions.ServerCA
 		clientConfig.BearerToken = token
+
 	} else if s.InsecurePort > 0 {
 		clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
 	} else {
@@ -291,24 +287,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"If set, the file that will be used to admit requests to the secure port of the API server "+
 		"via http basic authentication.")
 
-	fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress,
-		"DEPRECATED: see --bind-address instead.")
-	fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
-
-	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
-		"The IP address on which to listen for the --secure-port port. The "+
-		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
-		"clients. If blank, all interfaces will be used (0.0.0.0).")
-
-	fs.StringVar(&s.CertDirectory, "cert-dir", s.CertDirectory, ""+
-		"The directory where the TLS certs are located (by default /var/run/kubernetes). "+
-		"If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
-
-	fs.StringVar(&s.ClientCAFile, "client-ca-file", s.ClientCAFile, ""+
-		"If set, any request presenting a client certificate signed by one of "+
-		"the authorities in the client-ca-file is authenticated with an identity "+
-		"corresponding to the CommonName of the client certificate.")
-
 	fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider,
 		"The provider for cloud services. Empty string for no provider.")
 
@@ -444,10 +422,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"apis/<groupVersion>/<resource> can be used to turn on/off specific resources. api/all and "+
 		"api/legacy are special keys to control all and legacy api versions respectively.")
 
-	fs.IntVar(&s.SecurePort, "secure-port", s.SecurePort, ""+
-		"The port on which to serve HTTPS with authentication and authorization. If 0, "+
-		"don't serve HTTPS at all.")
-
 	fs.IPNetVar(&s.ServiceClusterIPRange, "service-cluster-ip-range", s.ServiceClusterIPRange, ""+
 		"A CIDR notation IP range from which to assign service cluster IPs. This must not "+
 		"overlap with any IP ranges assigned to nodes for pods.")
@@ -477,28 +451,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 		"It defaults to a list of preferred versions of all registered groups, "+
 		"which is derived from the KUBE_API_VERSIONS environment variable.")
 
-	fs.StringVar(&s.TLSCAFile, "tls-ca-file", s.TLSCAFile, "If set, this "+
-		"certificate authority will used for secure access from Admission "+
-		"Controllers. This must be a valid PEM-encoded CA bundle.")
-
-	fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
-		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
-		"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+
-		"--tls-private-key-file are not provided, a self-signed certificate and key "+
-		"are generated for the public address and saved to /var/run/kubernetes.")
-
-	fs.StringVar(&s.TLSPrivateKeyFile, "tls-private-key-file", s.TLSPrivateKeyFile,
-		"File containing the default x509 private key matching --tls-cert-file.")
-
-	fs.Var(config.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
-		"A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
-		"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
-		"segments. If no domain patterns are provided, the names of the certificate are "+
-		"extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns "+
-		"trump over extracted names. For multiple key/certificate pairs, use the "+
-		"--tls-sni-cert-key multiple times. "+
-		"Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".")
-
 	fs.StringVar(&s.TokenAuthFile, "token-auth-file", s.TokenAuthFile, ""+
 		"If set, the file that will be used to secure the secure port of the API server "+
 		"via token authentication.")