diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
index f8586288c57..c663dc9929f 100644
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@@ -18,6 +18,7 @@ package options
 import (
 	"fmt"
+	"io/ioutil"
 	"time"
 	"github.com/spf13/pflag"
@@ -38,6 +39,10 @@ const (
 // ServerOption is the main context object for the controllers.
 type ServerOption struct {
 	KubeClientOptions kube.ClientOptions
+	CertFile string
+	KeyFile string
+	CertData []byte
+	KeyData []byte
 	EnableLeaderElection bool
 	LockObjectNamespace string
 	PrintVersion bool
@@ -59,6 +64,8 @@ type ServerOption struct {
 	DetectionPeriodOfDependsOntask time.Duration
 }
+type DecryptFunc func(c *ServerOption) error
+
 // NewServerOption creates a new CMServer with a default config.
 func NewServerOption() *ServerOption {
 	return &ServerOption{}
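Review bot: The four new exported fields and the exported `DecryptFunc` type carry no doc comments, while the surrounding declarations in this file do (`// ServerOption is the main context object…`, `// NewServerOption creates…`). A field comment such as `// CertFile and KeyFile are the paths from --tls-cert-file/--tls-private-key-file; CertData and KeyData hold their contents once ParseCAFiles has run.` and, above the type, `// DecryptFunc is an optional hook that decrypts CertData and KeyData in place when the files on disk are encrypted.` would document them. The parameter name `c` in `func(c *ServerOption)` also departs from the receiver name `s` used throughout the file. If the module targets Go 1.16 or later, `os.ReadFile` would make the new `io/ioutil` import unnecessary. The same declarations are added to cmd/scheduler/app/options/options.go.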
@@ -68,6 +75,10 @@ func NewServerOption() *ServerOption {
 func (s *ServerOption) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.KubeClientOptions.Master, "master", s.KubeClientOptions.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	fs.StringVar(&s.KubeClientOptions.KubeConfig, "kubeconfig", s.KubeClientOptions.KubeConfig, "Path to kubeconfig file with authorization and master location information.")
+	fs.StringVar(&s.CertFile, "tls-cert-file", c.CertFile, ""+
+		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
+		"after server cert).")
+	fs.StringVar(&s.KeyFile, "tls-private-key-file", c.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")
 	fs.BoolVar(&s.EnableLeaderElection, "leader-elect", s.EnableLeaderElection, "Start a leader election client and gain leadership before "+
 		"executing the main loop. Enable this when running replicated vc-controller-manager for high availability.")
 	fs.StringVar(&s.LockObjectNamespace, "lock-object-namespace", s.LockObjectNamespace, "Define the namespace of the lock object.")
@@ -91,3 +102,34 @@ func (s *ServerOption) CheckOptionOrDie() error {
 	}
 	return nil
 }
+
+// readCAFiles read data from ca file path
+func (s *ServerOption) readCAFiles() error {
+	var err error
+
+	s.CertData, err = ioutil.ReadFile(s.CertFile)
+	if err != nil {
+		return fmt.Errorf("failed to read cert file (%s): %v", s.CertFile, err)
+	}
+
+	s.KeyData, err = ioutil.ReadFile(s.KeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read key file (%s): %v", s.KeyFile, err)
+	}
+
+	return nil
+}
+
+// ParseCAFiles parse ca file by decryptFunc
+func (s *ServerOption) ParseCAFiles(decryptFunc DecryptFunc) error {
+	if err := s.readCAFiles(); err != nil {
+		return err
+	}
+
+	// users can add one function to decrypt tha data by their own way if CA data is encrypted
+	if decryptFunc != nil {
+		return decryptFunc(s)
+	}
+
+	return nil
+}
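Review bot: `c.CertFile` and `c.KeyFile` on the two new `fs.StringVar` lines name an identifier that is not declared in `AddFlags`, whose receiver is `s`; unless `c` is a package-level name outside the hunk, the file will not compile. The defaults should follow the neighbouring `master`/`kubeconfig` flags: `fs.StringVar(&s.CertFile, "tls-cert-file", s.CertFile, ""+` and `fs.StringVar(&s.KeyFile, "tls-private-key-file", s.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")`. The same two lines appear in the scheduler's AddFlags hunk in cmd/scheduler/app/options/options.go. AddFlags continues past the end of the hunk.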
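Review bot: readCAFiles calls `ioutil.ReadFile` on `s.CertFile` and `s.KeyFile` unconditionally while both flags default to the empty string, so a deployment that omits `--tls-cert-file`/`--tls-private-key-file` now fails at startup with an error of the form `failed to read cert file (): open : no such file or directory` from `ParseCAFiles`, which both main.go hunks in this diff call unconditionally. If TLS is meant to stay optional, return early when neither path is set and reject the case where only one is given, so the operator gets a clear message; whether `StartHealthzTLS` then falls back to plain HTTP on empty data cannot be seen from this diff. Wrapping the read errors with `%w` rather than `%v` would let callers inspect the cause, if the module's Go version allows it. The identical block added to cmd/scheduler/app/options/options.go needs the same change.
```go
func (s *ServerOption) readCAFiles() error {
	// TLS is optional: nothing to read when neither flag was given.
	if s.CertFile == "" && s.KeyFile == "" {
		return nil
	}
	// A lone cert or key cannot serve TLS; say so instead of failing on open("").
	if s.CertFile == "" || s.KeyFile == "" {
		return fmt.Errorf("--tls-cert-file and --tls-private-key-file must be set together")
	}
	// … unchanged: ReadFile of CertFile and KeyFile into CertData/KeyData …
}
```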
diff --git a/cmd/controller-manager/app/server.go b/cmd/controller-manager/app/server.go
index 34747dc9a65..71a73fa552d 100644
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -56,7 +56,7 @@ func Run(opt *options.ServerOption) error {
 	}
 	if opt.EnableHealthz {
-		if err := helpers.StartHealthz(opt.HealthzBindAddress, "volcano-controller"); err != nil {
+		if err := helpers.StartHealthzTLS(opt.HealthzBindAddress, "volcano-controller", opt.CertData, opt.KeyData); err != nil {
 			return err
 		}
 	}
diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go
index cc3627f2a10..f6e9d608258 100644
--- a/cmd/controller-manager/main.go
+++ b/cmd/controller-manager/main.go
@@ -56,6 +56,11 @@ func main() {
 		fmt.Fprintf(os.Stderr, "%v\n", err)
 		os.Exit(1)
 	}
+	if err := s.ParseCAFiles(nil); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to parse CA file: %v\n", err)
+		os.Exit(1)
+	}
+
 	// The default klog flush interval is 30 seconds, which is frighteningly long.
 	go wait.Until(klog.Flush, *logFlushFreq, wait.NeverStop)
 	defer klog.Flush()
diff --git a/cmd/scheduler/app/options/options.go b/cmd/scheduler/app/options/options.go
index 4720c62e643..411b3f67df7 100644
--- a/cmd/scheduler/app/options/options.go
+++ b/cmd/scheduler/app/options/options.go
@@ -18,6 +18,7 @@ package options
 import (
 	"fmt"
+	"io/ioutil"
 	"time"
 	"github.com/spf13/pflag"
@@ -45,6 +46,10 @@ const (
 // ServerOption is the main context object for the controller manager.
 type ServerOption struct {
 	KubeClientOptions kube.ClientOptions
+	CertFile string
+	KeyFile string
+	CertData []byte
+	KeyData []byte
 	SchedulerNames []string
 	SchedulerConf string
 	SchedulePeriod time.Duration
@@ -70,6 +75,8 @@ type ServerOption struct {
 	NodeSelector []string
 }
+type DecryptFunc func(c *ServerOption) error
+
 // ServerOpts server options.
 var ServerOpts *ServerOption
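Review bot: The new `s.ParseCAFiles(nil)` call in `main` runs regardless of `EnableHealthz`, yet the only consumer of `CertData`/`KeyData` in this diff is the `StartHealthzTLS` call guarded by `if opt.EnableHealthz` in the server.go hunk above, so the certificate and key are read, and a read error is fatal, even when nothing serves TLS. Gating it with `if s.EnableHealthz { ... }` or moving the read next to its consumer in `Run` keeps the failure where the requirement is. The message `"Failed to parse CA file: %v\n"` also misnames what is read — the flag help text describes a server certificate and private key — so `"Failed to read TLS certificate/key files: %v\n"` would be accurate. The scheduler's main.go hunk later in this diff has the same call and wording.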
@@ -82,6 +89,10 @@ func NewServerOption() *ServerOption {
 func (s *ServerOption) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.KubeClientOptions.Master, "master", s.KubeClientOptions.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	fs.StringVar(&s.KubeClientOptions.KubeConfig, "kubeconfig", s.KubeClientOptions.KubeConfig, "Path to kubeconfig file with authorization and master location information")
+	fs.StringVar(&s.CertFile, "tls-cert-file", c.CertFile, ""+
+		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
+		"after server cert).")
+	fs.StringVar(&s.KeyFile, "tls-private-key-file", c.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")
 	// volcano scheduler will ignore pods with scheduler names other than specified with the option
 	fs.StringArrayVar(&s.SchedulerNames, "scheduler-name", []string{defaultSchedulerName}, "vc-scheduler will handle pods whose .spec.SchedulerName is same as scheduler-name")
 	fs.StringVar(&s.SchedulerConf, "scheduler-conf", "", "The absolute path of scheduler configuration file")
@@ -129,3 +140,34 @@ func (s *ServerOption) CheckOptionOrDie() error {
 func (s *ServerOption) RegisterOptions() {
 	ServerOpts = s
 }
+
+// readCAFiles read data from ca file path
+func (s *ServerOption) readCAFiles() error {
+	var err error
+
+	s.CertData, err = ioutil.ReadFile(s.CertFile)
+	if err != nil {
+		return fmt.Errorf("failed to read cert file (%s): %v", s.CertFile, err)
+	}
+
+	s.KeyData, err = ioutil.ReadFile(s.KeyFile)
+	if err != nil {
+		return fmt.Errorf("failed to read key file (%s): %v", s.KeyFile, err)
+	}
+
+	return nil
+}
+
+// ParseCAFiles parse ca file by decryptFunc
+func (s *ServerOption) ParseCAFiles(decryptFunc DecryptFunc) error {
+	if err := s.readCAFiles(); err != nil {
+		return err
+	}
+
+	// users can add one function to decrypt tha data by their own way if CA data is encrypted
+	if decryptFunc != nil {
+		return decryptFunc(s)
+	}
+
+	return nil
+}
diff --git a/cmd/scheduler/app/server.go b/cmd/scheduler/app/server.go
index 746a9e16b9a..9b558e9880d 100644
--- a/cmd/scheduler/app/server.go
+++ b/cmd/scheduler/app/server.go
@@ -92,7 +92,7 @@ func Run(opt *options.ServerOption) error {
 	}
 	if opt.EnableHealthz {
-		if err := helpers.StartHealthz(opt.HealthzBindAddress, "volcano-scheduler"); err != nil {
+		if err := helpers.StartHealthzTLS(opt.HealthzBindAddress, "volcano-scheduler", opt.CertData, opt.KeyData); err != nil {
 			return err
 		}
 	}
diff --git a/cmd/scheduler/main.go b/cmd/scheduler/main.go
index b8d07258ae2..5105c4227a0 100644
--- a/cmd/scheduler/main.go
+++ b/cmd/scheduler/main.go
@@ -59,6 +59,10 @@ func main() {
 		os.Exit(1)
 	}
+	if err := s.ParseCAFiles(nil); err != nil {
+		klog.Fatalf("Failed to parse CA file: %v", err)
+	}
+
 	go wait.Until(klog.Flush, *logFlushFreq, wait.NeverStop)
 	defer klog.Flush()
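Review bot: readCAFiles, ParseCAFiles and the DecryptFunc type here are a byte-for-byte copy of the block added to cmd/controller-manager/app/options/options.go earlier in this diff; both binaries already share the `helpers` package that `StartHealthzTLS` lives in, so one helper taking the two paths and returning the two byte slices would keep future fixes in one place. `RegisterOptions`, visible in the context lines above, publishes `s` as the package-level `ServerOpts`, so after this change the raw private key in `KeyData` is reachable from every package that reads `ServerOpts`. A field comment such as `// KeyData holds the raw TLS private key; ServerOpts must never be logged or serialized.` would make that explicit, or the key bytes could be kept out of the registered struct. The `// users can add one function to decrypt tha data` comment also has a typo (`tha` → `the`).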