Merge pull request #95856 from knight42/refactor/disable-apiserver-insecure-port
refactor(apiserver): disable insecure port
@@ -45,6 +45,7 @@ kube::util::wait_for_url() {
|
||||
local wait=${3:-1}
|
||||
local times=${4:-30}
|
||||
local maxtime=${5:-1}
|
||||
local extra_args=${6:-}
|
||||
|
||||
command -v curl >/dev/null || {
|
||||
kube::log::usage "curl must be installed"
|
||||
@@ -54,7 +55,9 @@ kube::util::wait_for_url() {
|
||||
local i
|
||||
for i in $(seq 1 "${times}"); do
|
||||
local out
|
||||
if out=$(curl --max-time "${maxtime}" -gkfs "${url}" 2>/dev/null); then
|
||||
# shellcheck disable=SC2086
|
||||
# Disabling because "${extra_args}" needs to allow for expansion here
|
||||
if out=$(curl --max-time "${maxtime}" -gkfs $extra_args "${url}" 2>/dev/null); then
|
||||
kube::log::status "On try ${i}, ${prefix}: ${out}"
|
||||
return 0
|
||||
fi
|
||||
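Review bot: The unquoted `$extra_args` on the new curl line is subject to pathname expansion as well as the intended word splitting, and whatever the caller passes — in this PR a bearer token via `--oauth2-bearer` — lands in curl's argv, where any local user can read it from the process list. For a test helper that is probably acceptable, but the comment should state the contract rather than only justify the shellcheck suppression, e.g. `# extra_args is deliberately word-split (e.g. "--oauth2-bearer <token>"); the value is visible in the process list`. If that exposure is not acceptable, the extra options could be handed to curl as a config read from stdin (`-K -`) instead of argv. The `local extra_args=${6:-}` parameter added in the previous hunk is not mentioned in the function's header comment, which lies outside this hunk.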
@@ -64,6 +67,17 @@ kube::util::wait_for_url() {
|
||||
return 1
|
||||
}
|
||||
|
||||
kube::util::wait_for_url_with_bearer_token() {
|
||||
local url=$1
|
||||
local token=$2
|
||||
local prefix=${3:-}
|
||||
local wait=${4:-1}
|
||||
local times=${5:-30}
|
||||
local maxtime=${6:-1}
|
||||
|
||||
kube::util::wait_for_url "${url}" "${prefix}" "${wait}" "${times}" "${maxtime}" "--oauth2-bearer ${token}"
|
||||
}
|
||||
|
||||
# Example: kube::util::wait_for_success 120 5 "kubectl get nodes|grep localhost"
|
||||
# arguments: wait time, sleep time, shell command
|
||||
# returns 0 if the shell command get output, 1 otherwise.
|
||||
|
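Review bot: `kube::util::wait_for_url_with_bearer_token` has no header comment, while the helper documented right below it uses the file's `# Example: … / # arguments: … / # returns …` convention. Add a block in that style listing the six positional arguments (url, token, prefix, wait, times, maxtime and their defaults), stating that the token is forwarded to curl as `--oauth2-bearer` and therefore appears on the curl command line, and that the function returns 0 once the URL answers and 1 otherwise, as inherited from `kube::util::wait_for_url`.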
@@ -56,9 +56,7 @@ function run_kube_apiserver() {
|
||||
ENABLE_FEATURE_GATES="ServerSideApply=true"
|
||||
|
||||
"${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
|
||||
--insecure-bind-address="127.0.0.1" \
|
||||
--bind-address="127.0.0.1" \
|
||||
--insecure-port="${API_PORT}" \
|
||||
--authorization-mode="${AUTHORIZATION_MODE}" \
|
||||
--secure-port="${SECURE_API_PORT}" \
|
||||
--feature-gates="${ENABLE_FEATURE_GATES}" \
|
||||
@@ -73,7 +71,7 @@ function run_kube_apiserver() {
|
||||
--token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
|
||||
export APISERVER_PID=$!
|
||||
|
||||
kube::util::wait_for_url "http://127.0.0.1:${API_PORT}/healthz" "apiserver"
|
||||
kube::util::wait_for_url_with_bearer_token "https://127.0.0.1:${SECURE_API_PORT}/healthz" "admin-token" "apiserver"
|
||||
}
|
||||
|
||||
# Runs run_kube_controller_manager
|
||||
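Review bot: The literal `admin-token` on the new `wait_for_url_with_bearer_token` call only works because the apiserver started above uses `--token-auth-file=hack/testdata/auth-tokens.csv`; that coupling is invisible at the call site. A one-line comment would make it explicit: `# admin-token must be present in hack/testdata/auth-tokens.csv (see --token-auth-file above)`. run_kube_apiserver begins before this hunk.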
@@ -85,11 +83,33 @@ function run_kube_controller_manager() {
|
||||
make -C "${KUBE_ROOT}" WHAT="cmd/kube-controller-manager"
|
||||
|
||||
# Start controller manager
|
||||
kube::log::status 'Generate kubeconfig for controller-manager'
|
||||
local config
|
||||
config="$(mktemp controller-manager.kubeconfig.XXXXX)"
|
||||
cat <<EOF > "$config"
|
||||
kind: Config
|
||||
users:
|
||||
- name: controller-manager
|
||||
user:
|
||||
token: admin-token
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://127.0.0.1:${SECURE_API_PORT}
|
||||
insecure-skip-tls-verify: true
|
||||
name: local
|
||||
contexts:
|
||||
- context:
|
||||
cluster: local
|
||||
user: controller-manager
|
||||
name: local-context
|
||||
current-context: local-context
|
||||
EOF
|
||||
|
||||
kube::log::status "Starting controller-manager"
|
||||
"${KUBE_OUTPUT_HOSTBIN}/kube-controller-manager" \
|
||||
--port="${CTLRMGR_PORT}" \
|
||||
--kube-api-content-type="${KUBE_TEST_API_TYPE-}" \
|
||||
--master="127.0.0.1:${API_PORT}" 1>&2 &
|
||||
--kubeconfig="${config}" 1>&2 &
|
||||
export CTLRMGR_PID=$!
|
||||
|
||||
kube::util::wait_for_url "http://127.0.0.1:${CTLRMGR_PORT}/healthz" "controller-manager"
|
||||
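Review bot: The kubeconfig created by `config="$(mktemp controller-manager.kubeconfig.XXXXX)"` contains the `admin-token` bearer credential and is written relative to the current directory (the checkout, when the script is run from there), and nothing in this hunk removes it when the controller-manager exits. mktemp creates it 0600, which limits exposure, but it should live under a temp directory — e.g. `config="$(mktemp "${TMPDIR:-/tmp}/controller-manager.kubeconfig.XXXXX")"` — and be deleted in the script's teardown, which is outside this hunk so I cannot tell whether that already happens. The file also sets `insecure-skip-tls-verify: true`; if the apiserver's serving CA is reachable from this script, a `certificate-authority:` entry would be preferable to disabling verification.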
@@ -101,7 +121,7 @@ function run_kube_controller_manager() {
|
||||
# Exports:
|
||||
# SUPPORTED_RESOURCES(Array of all resources supported by the apiserver).
|
||||
function create_node() {
|
||||
kubectl create -f - -s "http://127.0.0.1:${API_PORT}" << __EOF__
|
||||
kubectl create -f - << __EOF__
|
||||
{
|
||||
"kind": "Node",
|
||||
"apiVersion": "v1",
|
||||
|
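Review bot: Dropping `-s "http://127.0.0.1:${API_PORT}"` makes `kubectl create -f -` depend on whatever kubeconfig and current context the environment supplies; presumably that is configured elsewhere in this script, but it is not visible here. A comment such as `# relies on the kubeconfig/context set up for the secure port` at the top of create_node would make the implicit dependency explicit. create_node continues beyond this hunk.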
@@ -61,22 +61,22 @@ echo "dummy_token,admin,admin" > "${TMP_DIR}/tokenauth.csv"
|
||||
# Start kube-apiserver
|
||||
kube::log::status "Starting kube-apiserver"
|
||||
"${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
|
||||
--insecure-bind-address="${API_HOST}" \
|
||||
--bind-address="${API_HOST}" \
|
||||
--insecure-port="${API_PORT}" \
|
||||
--secure-port="${API_PORT}" \
|
||||
--etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
|
||||
--advertise-address="10.10.10.10" \
|
||||
--cert-dir="${TMP_DIR}/certs" \
|
||||
--runtime-config="api/all=true" \
|
||||
--token-auth-file="${TMP_DIR}/tokenauth.csv" \
|
||||
--service-account-issuer="https://kubernetes.devault.svc/" \
|
||||
--authorization-mode=RBAC \
|
||||
--service-account-issuer="https://kubernetes.default.svc/" \
|
||||
--service-account-signing-key-file="${KUBE_ROOT}/staging/src/k8s.io/client-go/util/cert/testdata/dontUseThisKey.pem" \
|
||||
--logtostderr \
|
||||
--v=2 \
|
||||
--service-cluster-ip-range="10.0.0.0/24" >"${API_LOGFILE}" 2>&1 &
|
||||
APISERVER_PID=$!
|
||||
|
||||
if ! kube::util::wait_for_url "${API_HOST}:${API_PORT}/healthz" "apiserver: "; then
|
||||
if ! kube::util::wait_for_url "https://${API_HOST}:${API_PORT}/healthz" "apiserver: "; then
|
||||
kube::log::error "Here are the last 10 lines from kube-apiserver (${API_LOGFILE})"
|
||||
kube::log::error "=== BEGIN OF LOG ==="
|
||||
tail -10 "${API_LOGFILE}" >&2 || :
|
||||
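Review bot: With `--authorization-mode=RBAC` added, the rewritten `kube::util::wait_for_url "https://${API_HOST}:${API_PORT}/healthz"` probe sends no credentials, so it presumably succeeds only because anonymous requests remain enabled and RBAC's default bindings expose /healthz to unauthenticated callers; that reliance is worth a comment on the line, e.g. `# /healthz is reachable anonymously under the default RBAC bindings`. The helper also passes `-k`, although `--cert-dir="${TMP_DIR}/certs"` means the apiserver's self-signed serving certificate is on local disk and could be used for verification. The typo fix in the `--service-account-issuer` value is unrelated to the PR's subject and might be called out in the description.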
@@ -86,7 +86,7 @@ fi
|
||||
|
||||
kube::log::status "Updating " "${OPENAPI_ROOT_DIR}"
|
||||
|
||||
curl -w "\n" -fs "${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json"
|
||||
curl -w "\n" -kfs --oauth2-bearer dummy_token "https://${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json"
|
||||
|
||||
kube::log::status "SUCCESS"
|
||||
|
||||
|
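Review bot: The rewritten curl line disables certificate verification with `-k`, even though the apiserver above is started with `--cert-dir="${TMP_DIR}/certs"`, so the self-signed serving certificate it writes there could be passed with `--cacert` to keep verification on; scripts in the repo tend to be copied, so this is worth getting right. The token on the command line is the `dummy_token` from tokenauth.csv, so its visibility in argv is harmless here. Because curl's output is piped into jq, a curl failure (`-fs`) only aborts the script if `pipefail` is in effect, which I cannot confirm from this hunk; otherwise a truncated `swagger.json` would be written silently.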