enable https healthz listen;

Signed-off-by: shaoqiu <516595344@qq.com>
volcano-sh · Oct 10, 2022 · f05965c · f05965c
1 parent c1537d5
commit f05965c
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 2 deletions.
diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
@@ -18,6 +18,7 @@ package options
 
 import (
 	"fmt"
+	"io/ioutil"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -38,6 +39,10 @@ const (
 // ServerOption is the main context object for the controllers.
 type ServerOption struct {
 	KubeClientOptions    kube.ClientOptions
+	CertFile             string
+	KeyFile              string
+	CertData             []byte
+	KeyData              []byte
 	EnableLeaderElection bool
 	LockObjectNamespace  string
 	PrintVersion         bool
@@ -59,6 +64,8 @@ type ServerOption struct {
 	DetectionPeriodOfDependsOntask time.Duration
 }
 
+type DecryptFunc func(c *ServerOption) error
+
 // NewServerOption creates a new CMServer with a default config.
 func NewServerOption() *ServerOption {
 	return &ServerOption{}
@@ -68,6 +75,10 @@ func NewServerOption() *ServerOption {
 func (s *ServerOption) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.KubeClientOptions.Master, "master", s.KubeClientOptions.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	fs.StringVar(&s.KubeClientOptions.KubeConfig, "kubeconfig", s.KubeClientOptions.KubeConfig, "Path to kubeconfig file with authorization and master location information.")
+	fs.StringVar(&s.CertFile, "tls-cert-file", c.CertFile, ""+
+		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
+		"after server cert).")
+	fs.StringVar(&s.KeyFile, "tls-private-key-file", c.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")
 	fs.BoolVar(&s.EnableLeaderElection, "leader-elect", s.EnableLeaderElection, "Start a leader election client and gain leadership before "+
 		"executing the main loop. Enable this when running replicated vc-controller-manager for high availability.")
 	fs.StringVar(&s.LockObjectNamespace, "lock-object-namespace", s.LockObjectNamespace, "Define the namespace of the lock object.")
@@ -91,3 +102,34 @@ func (s *ServerOption) CheckOptionOrDie() error {
 	}
 	return nil
 }
+
+// readCAFiles read data from ca file path
+func (s *ServerOption) readCAFiles() error {
+	var err error
+
+	s.CertData, err = ioutil.ReadFile(s.CertFile)
+	if err != nil {
+		return fmt.Errorf("failed to read cert file (%s): %v", s.CertFile, err)
+	}
+
+	s.KeyData, err = ioutil.ReadFile(s.KeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read key file (%s): %v", s.KeyFile, err)
+	}
+
+	return nil
+}
+
+// ParseCAFiles parse ca file by decryptFunc
+func (s *ServerOption) ParseCAFiles(decryptFunc DecryptFunc) error {
+	if err := s.readCAFiles(); err != nil {
+		return err
+	}
+
+	// users can add one function to decrypt tha data by their own way if CA data is encrypted
+	if decryptFunc != nil {
+		return decryptFunc(s)
+	}
+
+	return nil
+}
diff --git a/cmd/controller-manager/app/server.go b/cmd/controller-manager/app/server.go
@@ -56,7 +56,7 @@ func Run(opt *options.ServerOption) error {
 	}
 
 	if opt.EnableHealthz {
-		if err := helpers.StartHealthz(opt.HealthzBindAddress, "volcano-controller"); err != nil {
+		if err := helpers.StartHealthzTLS(opt.HealthzBindAddress, "volcano-controller", opt.CertData, opt.KeyData); err != nil {
 			return err
 		}
 	}

diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go
@@ -56,6 +56,11 @@ func main() {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
 		os.Exit(1)
 	}
+	if err := s.ParseCAFiles(nil); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to parse CA file: %v\n", err)
+		os.Exit(1)
+	}
+
 	// The default klog flush interval is 30 seconds, which is frighteningly long.
 	go wait.Until(klog.Flush, *logFlushFreq, wait.NeverStop)
 	defer klog.Flush()

diff --git a/cmd/scheduler/app/options/options.go b/cmd/scheduler/app/options/options.go
@@ -18,6 +18,7 @@ package options
 
 import (
 	"fmt"
+	"io/ioutil"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -45,6 +46,10 @@ const (
 // ServerOption is the main context object for the controller manager.
 type ServerOption struct {
 	KubeClientOptions    kube.ClientOptions
+	CertFile             string
+	KeyFile              string
+	CertData             []byte
+	KeyData              []byte
 	SchedulerNames       []string
 	SchedulerConf        string
 	SchedulePeriod       time.Duration
@@ -70,6 +75,8 @@ type ServerOption struct {
 	NodeSelector []string
 }
 
+type DecryptFunc func(c *ServerOption) error
+
 // ServerOpts server options.
 var ServerOpts *ServerOption
 
@@ -82,6 +89,10 @@ func NewServerOption() *ServerOption {
 func (s *ServerOption) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.KubeClientOptions.Master, "master", s.KubeClientOptions.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	fs.StringVar(&s.KubeClientOptions.KubeConfig, "kubeconfig", s.KubeClientOptions.KubeConfig, "Path to kubeconfig file with authorization and master location information")
+	fs.StringVar(&s.CertFile, "tls-cert-file", c.CertFile, ""+
+		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
+		"after server cert).")
+	fs.StringVar(&s.KeyFile, "tls-private-key-file", c.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")
 	// volcano scheduler will ignore pods with scheduler names other than specified with the option
 	fs.StringArrayVar(&s.SchedulerNames, "scheduler-name", []string{defaultSchedulerName}, "vc-scheduler will handle pods whose .spec.SchedulerName is same as scheduler-name")
 	fs.StringVar(&s.SchedulerConf, "scheduler-conf", "", "The absolute path of scheduler configuration file")
@@ -129,3 +140,34 @@ func (s *ServerOption) CheckOptionOrDie() error {
 func (s *ServerOption) RegisterOptions() {
 	ServerOpts = s
 }
+
+// readCAFiles read data from ca file path
+func (s *ServerOption) readCAFiles() error {
+	var err error
+
+	s.CertData, err = ioutil.ReadFile(s.CertFile)
+	if err != nil {
+		return fmt.Errorf("failed to read cert file (%s): %v", s.CertFile, err)
+	}
+
+	s.KeyData, err = ioutil.ReadFile(s.KeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read key file (%s): %v", s.KeyFile, err)
+	}
+
+	return nil
+}
+
+// ParseCAFiles parse ca file by decryptFunc
+func (s *ServerOption) ParseCAFiles(decryptFunc DecryptFunc) error {
+	if err := s.readCAFiles(); err != nil {
+		return err
+	}
+
+	// users can add one function to decrypt tha data by their own way if CA data is encrypted
+	if decryptFunc != nil {
+		return decryptFunc(s)
+	}
+
+	return nil
+}
diff --git a/cmd/scheduler/app/server.go b/cmd/scheduler/app/server.go
@@ -92,7 +92,7 @@ func Run(opt *options.ServerOption) error {
 	}
 
 	if opt.EnableHealthz {
-		if err := helpers.StartHealthz(opt.HealthzBindAddress, "volcano-scheduler"); err != nil {
+		if err := helpers.StartHealthzTLS(opt.HealthzBindAddress, "volcano-scheduler", opt.CertData, opt.KeyData); err != nil {
 			return err
 		}
 	}

diff --git a/cmd/scheduler/main.go b/cmd/scheduler/main.go
@@ -59,6 +59,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := s.ParseCAFiles(nil); err != nil {
+		klog.Fatalf("Failed to parse CA file: %v", err)
+	}
+
 	go wait.Until(klog.Flush, *logFlushFreq, wait.NeverStop)
 	defer klog.Flush()