-
Notifications
You must be signed in to change notification settings - Fork 0
/
options.go
104 lines (88 loc) · 3.02 KB
/
options.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package nodeauthorizer
import (
"errors"
"fmt"
"os"
"time"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/model/components"
"k8s.io/kops/upup/pkg/fi/loader"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// OptionsBuilder fills in the default options for the node-authorizer
type OptionsBuilder struct {
Context *components.OptionsContext
}
var _ loader.OptionsBuilder = &OptionsBuilder{}
var (
// DefaultPort is the default port to listen on
DefaultPort = 10443
// DefaultTimeout is the max time we are willing to wait before erroring
DefaultTimeout = &metav1.Duration{Duration: 20 * time.Second}
// DefaultTokenTTL is the default expiration on a bootstrap token
DefaultTokenTTL = &metav1.Duration{Duration: 5 * time.Minute}
)
// BuildOptions generates the configurations used to create node authorizer
func (b *OptionsBuilder) BuildOptions(o interface{}) error {
cs, ok := o.(*kops.ClusterSpec)
if !ok {
return errors.New("expected a ClusterSpec object")
}
if cs.NodeAuthorization != nil {
na := cs.NodeAuthorization
// NodeAuthorizerSpec
if na.NodeAuthorizer != nil {
if na.NodeAuthorizer.Authorizer == "" {
switch kops.CloudProviderID(cs.CloudProvider) {
case kops.CloudProviderAWS:
na.NodeAuthorizer.Authorizer = "aws"
default:
na.NodeAuthorizer.Authorizer = "alwaysallow"
}
}
if na.NodeAuthorizer.Image == "" {
na.NodeAuthorizer.Image = GetNodeAuthorizerImage()
}
if na.NodeAuthorizer.Port == 0 {
na.NodeAuthorizer.Port = DefaultPort
}
if na.NodeAuthorizer.Timeout == nil {
na.NodeAuthorizer.Timeout = DefaultTimeout
}
if na.NodeAuthorizer.TokenTTL == nil {
na.NodeAuthorizer.TokenTTL = DefaultTokenTTL
}
if na.NodeAuthorizer.NodeURL == "" {
na.NodeAuthorizer.NodeURL = fmt.Sprintf("https://node-authorizer-internal.%s:%d", b.Context.ClusterName, na.NodeAuthorizer.Port)
}
if na.NodeAuthorizer.Features == nil {
features := []string{"verify-registration", "verify-ip"}
switch kops.CloudProviderID(cs.CloudProvider) {
case kops.CloudProviderAWS:
features = append(features, "verify-signature")
}
na.NodeAuthorizer.Features = &features
}
}
}
return nil
}
// GetNodeAuthorizerImage returns the image to use for the node-authorizer
func GetNodeAuthorizerImage() string {
if v := os.Getenv("NODE_AUTHORIZER_IMAGE"); v != "" {
return v
}
return "quay.io/gambol99/node-authorizer:v0.0.4@sha256:078b948b8207e43d35885f181713de3d3c0491fe40661d198f9bc00136cff271"
}