// MakeEtcdClient creates an etcd client based on the provided config. func MakeEtcdClient(etcdClientInfo configapi.EtcdConnectionInfo) (etcdclient.Client, error) { tlsConfig, err := restclient.TLSConfigFor(&restclient.Config{ TLSClientConfig: restclient.TLSClientConfig{ CertFile: etcdClientInfo.ClientCert.CertFile, KeyFile: etcdClientInfo.ClientCert.KeyFile, CAFile: etcdClientInfo.CA, }, }) if err != nil { return nil, err } transport := knet.SetTransportDefaults(&http.Transport{ TLSClientConfig: tlsConfig, Dial: (&net.Dialer{ // default from http.DefaultTransport Timeout: 30 * time.Second, // Lower the keep alive for connections. KeepAlive: 1 * time.Second, }).Dial, // Because watches are very bursty, defends against long delays in watch reconnections. MaxIdleConnsPerHost: 500, }) cfg := etcdclient.Config{ Endpoints: etcdClientInfo.URLs, // TODO: Determine if transport needs optimization Transport: transport, } return etcdclient.New(cfg) }
func (p *UpgradeAwareSingleHostReverseProxy) dialBackend(req *http.Request) (net.Conn, error) { dialAddr := netutil.CanonicalAddr(req.URL) switch p.backendAddr.Scheme { case "http": return net.Dial("tcp", dialAddr) case "https": tlsConfig, err := restclient.TLSConfigFor(p.clientConfig) if err != nil { return nil, err } tlsConn, err := tls.Dial("tcp", dialAddr, tlsConfig) if err != nil { return nil, err } hostToVerify, _, err := net.SplitHostPort(dialAddr) if err != nil { return nil, err } err = tlsConn.VerifyHostname(hostToVerify) return tlsConn, err default: return nil, fmt.Errorf("unknown scheme: %s", p.backendAddr.Scheme) } }
// EtcdClient creates an etcd client based on the provided config. func EtcdClient(etcdClientInfo configapi.EtcdConnectionInfo) (*etcdclient.Client, error) { tlsConfig, err := restclient.TLSConfigFor(&restclient.Config{ TLSClientConfig: restclient.TLSClientConfig{ CertFile: etcdClientInfo.ClientCert.CertFile, KeyFile: etcdClientInfo.ClientCert.KeyFile, CAFile: etcdClientInfo.CA, }, }) if err != nil { return nil, err } transport := knet.SetTransportDefaults(&http.Transport{ TLSClientConfig: tlsConfig, Dial: (&net.Dialer{ // default from http.DefaultTransport Timeout: 30 * time.Second, // Lower the keep alive for connections. KeepAlive: 1 * time.Second, }).Dial, // Because watches are very bursty, defends against long delays in watch reconnections. MaxIdleConnsPerHost: 500, }) etcdClient := etcdclient.NewClient(etcdClientInfo.URLs) etcdClient.SetTransport(transport) etcdClient.CheckRetry = NeverRetryOnFailure return etcdClient, nil }
// maybeWrapForConnectionUpgrades wraps the roundtripper for upgrades. The bool indicates if it was wrapped func (r *proxyHandler) maybeWrapForConnectionUpgrades(rt http.RoundTripper, req *http.Request) (http.RoundTripper, bool, error) { connectionHeader := req.Header.Get("Connection") if len(connectionHeader) == 0 { return rt, false, nil } cfg := r.getRESTConfig() tlsConfig, err := restclient.TLSConfigFor(cfg) if err != nil { return nil, true, err } upgradeRoundTripper := spdy.NewRoundTripper(tlsConfig) wrappedRT, err := restclient.HTTPWrappersForConfig(cfg, upgradeRoundTripper) if err != nil { return nil, true, err } return wrappedRT, true, nil }
// NewExecutor connects to the provided server and upgrades the connection to // multiplexed bidirectional streams. The current implementation uses SPDY, // but this could be replaced with HTTP/2 once it's available, or something else. // TODO: the common code between this and portforward could be abstracted. func NewExecutor(config *restclient.Config, method string, url *url.URL) (StreamExecutor, error) { tlsConfig, err := restclient.TLSConfigFor(config) if err != nil { return nil, err } upgradeRoundTripper := spdy.NewRoundTripper(tlsConfig) wrapper, err := restclient.HTTPWrappersForConfig(config, upgradeRoundTripper) if err != nil { return nil, err } return &streamExecutor{ upgrader: upgradeRoundTripper, transport: wrapper, method: method, url: url, }, nil }
func makeTransport(config *schedulerapi.ExtenderConfig) (http.RoundTripper, error) { var cfg restclient.Config if config.TLSConfig != nil { cfg.TLSClientConfig = *config.TLSConfig } if config.EnableHttps { hasCA := len(cfg.CAFile) > 0 || len(cfg.CAData) > 0 if !hasCA { cfg.Insecure = true } } tlsConfig, err := restclient.TLSConfigFor(&cfg) if err != nil { return nil, err } if tlsConfig != nil { return utilnet.SetTransportDefaults(&http.Transport{ TLSClientConfig: tlsConfig, }), nil } return utilnet.SetTransportDefaults(&http.Transport{}), nil }
// getClients returns a Kube client, OpenShift client, and registry client. func getClients(f *clientcmd.Factory, caBundle string) (*client.Client, *kclient.Client, *http.Client, error) { clientConfig, err := f.OpenShiftClientConfig.ClientConfig() if err != nil { return nil, nil, nil, err } var ( token string osClient *client.Client kClient *kclient.Client registryClient *http.Client ) switch { case len(clientConfig.BearerToken) > 0: osClient, kClient, err = f.Clients() if err != nil { return nil, nil, nil, err } token = clientConfig.BearerToken default: err = errors.New("You must use a client config with a token") return nil, nil, nil, err } // copy the config registryClientConfig := *clientConfig // zero out everything we don't want to use registryClientConfig.BearerToken = "" registryClientConfig.CertFile = "" registryClientConfig.CertData = []byte{} registryClientConfig.KeyFile = "" registryClientConfig.KeyData = []byte{} // we have to set a username to something for the Docker login // but it's not actually used registryClientConfig.Username = "******" // set the "password" to be the token registryClientConfig.Password = token tlsConfig, err := restclient.TLSConfigFor(®istryClientConfig) if err != nil { return nil, nil, nil, err } // if the user specified a CA on the command line, add it to the // client config's CA roots if len(caBundle) > 0 { data, err := ioutil.ReadFile(caBundle) if err != nil { return nil, nil, nil, err } if tlsConfig.RootCAs == nil { tlsConfig.RootCAs = x509.NewCertPool() } tlsConfig.RootCAs.AppendCertsFromPEM(data) } transport := knet.SetTransportDefaults(&http.Transport{ TLSClientConfig: tlsConfig, }) wrappedTransport, err := restclient.HTTPWrappersForConfig(®istryClientConfig, transport) if err != nil { return nil, nil, nil, err } registryClient = &http.Client{ Transport: wrappedTransport, } return osClient, kClient, registryClient, nil }
func (h *hawkularSink) init() error { h.reg = make(map[string]*metrics.MetricDefinition) h.models = make(map[string]*metrics.MetricDefinition) h.modifiers = make([]metrics.Modifier, 0) h.filters = make([]Filter, 0) h.batchSize = batchSizeDefault p := metrics.Parameters{ Tenant: "heapster", Url: h.uri.String(), Concurrency: concurrencyDefault, } opts := h.uri.Query() if v, found := opts["tenant"]; found { p.Tenant = v[0] } if v, found := opts["labelToTenant"]; found { h.labelTenant = v[0] } if v, found := opts[nodeId]; found { h.labelNodeId = v[0] } if v, found := opts["useServiceAccount"]; found { if b, _ := strconv.ParseBool(v[0]); b { // If a readable service account token exists, then use it if contents, err := ioutil.ReadFile(defaultServiceAccountFile); err == nil { p.Token = string(contents) } } } // Authentication / Authorization parameters tC := &tls.Config{} if v, found := opts["auth"]; found { if _, f := opts["caCert"]; f { return fmt.Errorf("Both auth and caCert files provided, combination is not supported") } if len(v[0]) > 0 { // Authfile kubeConfig, err := kubeClientCmd.NewNonInteractiveDeferredLoadingClientConfig(&kubeClientCmd.ClientConfigLoadingRules{ ExplicitPath: v[0]}, &kubeClientCmd.ConfigOverrides{}).ClientConfig() if err != nil { return err } tC, err = kube_client.TLSConfigFor(kubeConfig) if err != nil { return err } } } if u, found := opts["user"]; found { if _, wrong := opts["useServiceAccount"]; wrong { return fmt.Errorf("If user and password are used, serviceAccount cannot be used") } if p, f := opts["pass"]; f { h.modifiers = append(h.modifiers, func(req *http.Request) error { req.SetBasicAuth(u[0], p[0]) return nil }) } } if v, found := opts["caCert"]; found { caCert, err := ioutil.ReadFile(v[0]) if err != nil { return err } caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(caCert) tC.RootCAs = caCertPool } if v, found := opts["insecure"]; found { _, f := opts["caCert"] _, f2 := opts["auth"] if f || f2 { return fmt.Errorf("Insecure can't be defined with auth or caCert") } insecure, err := strconv.ParseBool(v[0]) if err != nil { return err } tC.InsecureSkipVerify = insecure } p.TLSConfig = tC // Filters if v, found := opts["filter"]; found { filters, err := parseFilters(v) if err != nil { return err } h.filters = filters } // Concurrency limitations if v, found := opts["concurrencyLimit"]; found { cs, err := strconv.Atoi(v[0]) if err != nil || cs < 0 { return fmt.Errorf("Supplied concurrency value of %s is invalid", v[0]) } p.Concurrency = cs } if v, found := opts["batchSize"]; found { bs, err := strconv.Atoi(v[0]) if err != nil || bs < 0 { return fmt.Errorf("Supplied batchSize value of %s is invalid", v[0]) } h.batchSize = bs } c, err := metrics.NewHawkularClient(p) if err != nil { return err } h.client = c glog.Infof("Initialised Hawkular Sink with parameters %v", p) return nil }
// init initializes the Hawkular dataSource. Almost equal to the Heapster initialization func (hs *hawkularSource) init() error { hs.modifiers = make([]metrics.Modifier, 0) p := metrics.Parameters{ Tenant: "heapster", // This data is stored by the heapster - for no-namespace hits Url: hs.uri.String(), } opts := hs.uri.Query() if v, found := opts["tenant"]; found { p.Tenant = v[0] } if v, found := opts["useServiceAccount"]; found { if b, _ := strconv.ParseBool(v[0]); b { accountFile := defaultServiceAccountFile if file, f := opts["serviceAccountFile"]; f { accountFile = file[0] } // If a readable service account token exists, then use it if contents, err := ioutil.ReadFile(accountFile); err == nil { p.Token = string(contents) } else { glog.Errorf("Could not read contents of %s, no token authentication is used\n", defaultServiceAccountFile) } } } // Authentication / Authorization parameters tC := &tls.Config{} if v, found := opts["auth"]; found { if _, f := opts["caCert"]; f { return fmt.Errorf("Both auth and caCert files provided, combination is not supported") } if len(v[0]) > 0 { // Authfile kubeConfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(&clientcmd.ClientConfigLoadingRules{ ExplicitPath: v[0]}, &clientcmd.ConfigOverrides{}).ClientConfig() if err != nil { return err } tC, err = restclient.TLSConfigFor(kubeConfig) if err != nil { return err } } } if u, found := opts["user"]; found { if _, wrong := opts["useServiceAccount"]; wrong { return fmt.Errorf("If user and password are used, serviceAccount cannot be used") } if p, f := opts["pass"]; f { hs.modifiers = append(hs.modifiers, func(req *http.Request) error { req.SetBasicAuth(u[0], p[0]) return nil }) } } if v, found := opts["caCert"]; found { caCert, err := ioutil.ReadFile(v[0]) if err != nil { return err } caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(caCert) tC.RootCAs = caCertPool } if v, found := opts["insecure"]; found { insecure, err := strconv.ParseBool(v[0]) if err != nil { return err } tC.InsecureSkipVerify = insecure } p.TLSConfig = tC c, err := metrics.NewHawkularClient(p) if err != nil { return err } hs.client = c glog.Infof("Initialised Hawkular Source with parameters %v", p) return nil }