// Run runs the CMServer. This should never exit.
func (s *CMServer) Run(_ []string) error {
s.verifyMinionFlags()
if len(s.ClientConfig.Host) == 0 {
glog.Fatal("usage: controller-manager --master <master>")
}
kubeClient, err := client.New(&s.ClientConfig)
if err != nil {
glog.Fatalf("Invalid API configuration: %v", err)
}
go func() {
if s.EnableProfiling {
mux := http.NewServeMux()
mux.HandleFunc("/debug/pprof/", pprof.Index)
mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
}
http.ListenAndServe(net.JoinHostPort(s.Address.String(), strconv.Itoa(s.Port)), nil)
}()
endpoints := service.NewEndpointController(kubeClient)
go util.Forever(func() { endpoints.SyncServiceEndpoints() }, time.Second*10)
controllerManager := replicationControllerPkg.NewReplicationManager(kubeClient)
controllerManager.Run(replicationControllerPkg.DefaultSyncPeriod)
kubeletClient, err := client.NewKubeletClient(&s.KubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
}
cloud := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
nodeResources := &api.NodeResources{
Capacity: api.ResourceList{
api.ResourceCPU: *resource.NewMilliQuantity(s.NodeMilliCPU, resource.DecimalSI),
api.ResourceMemory: s.NodeMemory,
},
}
nodeController := nodeControllerPkg.NewNodeController(cloud, s.MinionRegexp, s.MachineList, nodeResources,
kubeClient, kubeletClient, s.RegisterRetryCount, s.PodEvictionTimeout)
nodeController.Run(s.NodeSyncPeriod, s.SyncNodeList, s.SyncNodeStatus)
resourceQuotaManager := resourcequota.NewResourceQuotaManager(kubeClient)
resourceQuotaManager.Run(s.ResourceQuotaSyncPeriod)
select {}
return nil
}
func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextMapper kapi.RequestContextMapper, kubeClient *kclient.Client) (*MasterConfig, error) {
if options.KubernetesMasterConfig == nil {
return nil, errors.New("insufficient information to build KubernetesMasterConfig")
}
// Connect and setup etcd interfaces
etcdClient, err := etcd.GetAndTestEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
ketcdHelper, err := master.NewEtcdHelper(etcdClient, options.EtcdStorageConfig.KubernetesStorageVersion, options.EtcdStorageConfig.KubernetesStoragePrefix)
if err != nil {
return nil, fmt.Errorf("Error setting up Kubernetes server storage: %v", err)
}
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
kubeletClient, err := kclient.NewKubeletClient(kubeletClientConfig)
if err != nil {
return nil, fmt.Errorf("unable to configure Kubelet client: %v", err)
}
// in-order list of plug-ins that should intercept admission decisions
// TODO: Push node environment support to upstream in future
_, portString, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, err
}
port, err := strconv.Atoi(portString)
if err != nil {
return nil, err
}
portRange, err := util.ParsePortRange(options.KubernetesMasterConfig.ServicesNodePortRange)
if err != nil {
return nil, err
}
podEvictionTimeout, err := time.ParseDuration(options.KubernetesMasterConfig.PodEvictionTimeout)
if err != nil {
return nil, fmt.Errorf("unable to parse PodEvictionTimeout: %v", err)
}
server := app.NewAPIServer()
server.EventTTL = 2 * time.Hour
server.PortalNet = util.IPNet(flagtypes.DefaultIPNet(options.KubernetesMasterConfig.ServicesSubnet))
server.ServiceNodePorts = *portRange
server.AdmissionControl = strings.Join([]string{
"NamespaceExists", "NamespaceLifecycle", "OriginPodNodeEnvironment", "LimitRanger", "ServiceAccount", "SecurityContextConstraint", "ResourceQuota",
}, ",")
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubernetesMasterConfig.APIServerArguments, server.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
cmserver := cmapp.NewCMServer()
cmserver.PodEvictionTimeout = podEvictionTimeout
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubernetesMasterConfig.ControllerArguments, cmserver.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
cloud, err := cloudprovider.InitCloudProvider(cmserver.CloudProvider, cmserver.CloudConfigFile)
if err != nil {
return nil, err
}
admissionController := admission.NewFromPlugins(kubeClient, strings.Split(server.AdmissionControl, ","), server.AdmissionControlConfigFile)
m := &master.Config{
PublicAddress: net.ParseIP(options.KubernetesMasterConfig.MasterIP),
ReadWritePort: port,
ReadOnlyPort: port,
EtcdHelper: ketcdHelper,
EventTTL: server.EventTTL,
//MinRequestTimeout: server.MinRequestTimeout,
PortalNet: (*net.IPNet)(&server.PortalNet),
ServiceNodePorts: server.ServiceNodePorts,
RequestContextMapper: requestContextMapper,
KubeletClient: kubeletClient,
APIPrefix: KubeAPIPrefix,
EnableCoreControllers: true,
MasterCount: options.KubernetesMasterConfig.MasterCount,
Authorizer: apiserver.NewAlwaysAllowAuthorizer(),
AdmissionControl: admissionController,
DisableV1Beta1: true,
DisableV1Beta2: true,
DisableV1Beta3: !configapi.HasKubernetesAPILevel(*options.KubernetesMasterConfig, "v1beta3"),
EnableV1: configapi.HasKubernetesAPILevel(*options.KubernetesMasterConfig, "v1"),
}
kmaster := &MasterConfig{
Options: *options.KubernetesMasterConfig,
KubeClient: kubeClient,
Master: m,
ControllerManager: cmserver,
CloudProvider: cloud,
}
return kmaster, nil
}
func NewTestDeployOpenshift(t *testing.T) *testDeployOpenshift {
t.Logf("Starting test openshift")
openshift := &testDeployOpenshift{
stop: make(chan struct{}),
}
openshift.lock.Lock()
defer openshift.lock.Unlock()
etcdClient := testutil.NewEtcdClient()
etcdHelper, _ := master.NewEtcdHelper(etcdClient, latest.Version, etcdtest.PathPrefix())
osMux := http.NewServeMux()
openshift.server = httptest.NewServer(osMux)
kubeClient := client.NewOrDie(&client.Config{Host: openshift.server.URL, Version: klatest.Version})
osClient := osclient.NewOrDie(&client.Config{Host: openshift.server.URL, Version: latest.Version})
openshift.Client = osClient
openshift.KubeClient = kubeClient
kubeletClient, err := kclient.NewKubeletClient(&kclient.KubeletConfig{Port: 10250})
if err != nil {
t.Fatalf("Unable to configure Kubelet client: %v", err)
}
handlerContainer := master.NewHandlerContainer(osMux)
_ = master.New(&master.Config{
EtcdHelper: etcdHelper,
KubeletClient: kubeletClient,
APIPrefix: "/api",
AdmissionControl: admit.NewAlwaysAdmit(),
RestfulContainer: handlerContainer,
DisableV1: false,
})
interfaces, _ := latest.InterfacesFor(latest.Version)
imageStorage := imageetcd.NewREST(etcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamStorage, imageStreamStatus := imagestreametcd.NewREST(
etcdHelper,
imagestream.DefaultRegistryFunc(func() (string, bool) {
return "registry:3000", true
}),
&fakeSubjectAccessReviewRegistry{},
)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatus)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
//imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
//imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
deployConfigStorage := deployconfigetcd.NewStorage(etcdHelper)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
storage := map[string]rest.Storage{
"images": imageStorage,
"imageStreams": imageStreamStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"deploymentConfigs": deployConfigStorage,
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, latest.Codec),
}
for k, v := range storage {
storage[strings.ToLower(k)] = v
}
version := &apiserver.APIGroupVersion{
Root: "/oapi",
Version: "v1",
Storage: storage,
Codec: latest.Codec,
Mapper: latest.RESTMapper,
Creater: kapi.Scheme,
Typer: kapi.Scheme,
Convertor: kapi.Scheme,
Linker: interfaces.MetadataAccessor,
Admit: admit.NewAlwaysAdmit(),
Context: kapi.NewRequestContextMapper(),
}
if err := version.InstallREST(handlerContainer); err != nil {
t.Fatalf("unable to install REST: %v", err)
}
dccFactory := deployconfigcontroller.DeploymentConfigControllerFactory{
Client: osClient,
KubeClient: kubeClient,
Codec: latest.Codec,
}
dccFactory.Create().Run()
cccFactory := configchangecontroller.DeploymentConfigChangeControllerFactory{
Client: osClient,
KubeClient: kubeClient,
Codec: latest.Codec,
}
cccFactory.Create().Run()
iccFactory := imagechangecontroller.ImageChangeControllerFactory{
Client: osClient,
}
iccFactory.Create().Run()
return openshift
}
func NewTestBuildOpenshift(t *testing.T) *testBuildOpenshift {
openshift := &testBuildOpenshift{
stop: make(chan struct{}),
}
openshift.lock.Lock()
defer openshift.lock.Unlock()
etcdClient := testutil.NewEtcdClient()
etcdHelper, _ := master.NewEtcdHelper(etcdClient, latest.Version, etcdtest.PathPrefix())
osMux := http.NewServeMux()
openshift.server = httptest.NewServer(osMux)
kubeClient := client.NewOrDie(&client.Config{Host: openshift.server.URL, Version: klatest.Version})
osClient := osclient.NewOrDie(&client.Config{Host: openshift.server.URL, Version: latest.Version})
openshift.Client = osClient
openshift.KubeClient = kubeClient
kubeletClient, err := kclient.NewKubeletClient(&kclient.KubeletConfig{Port: 10250})
if err != nil {
t.Fatalf("Unable to configure Kubelet client: %v", err)
}
handlerContainer := master.NewHandlerContainer(osMux)
_ = master.New(&master.Config{
EtcdHelper: etcdHelper,
KubeletClient: kubeletClient,
APIPrefix: "/api",
AdmissionControl: admit.NewAlwaysAdmit(),
RestfulContainer: handlerContainer,
DisableV1: false,
})
interfaces, _ := latest.InterfacesFor(latest.Version)
buildStorage := buildetcd.NewStorage(etcdHelper)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage := buildconfigetcd.NewStorage(etcdHelper)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
imageStorage := imageetcd.NewREST(etcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamStorage, imageStreamStatus := imagestreametcd.NewREST(
etcdHelper,
imagestream.DefaultRegistryFunc(func() (string, bool) {
return "registry:3000", true
}),
&fakeSubjectAccessReviewRegistry{},
)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatus)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
}
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(osClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
storage := map[string]rest.Storage{
"builds": buildStorage,
"buildConfigs": buildConfigStorage,
"buildConfigs/webhooks": buildConfigWebHooks,
"builds/clone": buildclonestorage.NewStorage(buildGenerator),
"buildConfigs/instantiate": buildinstantiatestorage.NewStorage(buildGenerator),
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatus,
"imageStreamTags": imageStreamTagStorage,
"imageStreamImages": imageStreamImageStorage,
}
for k, v := range storage {
storage[strings.ToLower(k)] = v
}
version := &apiserver.APIGroupVersion{
Root: "/oapi",
Version: "v1",
Storage: storage,
Codec: latest.Codec,
Mapper: latest.RESTMapper,
Creater: kapi.Scheme,
Typer: kapi.Scheme,
Convertor: kapi.Scheme,
Linker: interfaces.MetadataAccessor,
Admit: admit.NewAlwaysAdmit(),
Context: kapi.NewRequestContextMapper(),
}
if err := version.InstallREST(handlerContainer); err != nil {
t.Fatalf("unable to install REST: %v", err)
}
bcFactory := buildcontrollerfactory.BuildControllerFactory{
OSClient: osClient,
KubeClient: kubeClient,
BuildUpdater: buildclient.NewOSClientBuildClient(osClient),
DockerBuildStrategy: &buildstrategy.DockerBuildStrategy{
Image: "test-docker-builder",
Codec: latest.Codec,
},
SourceBuildStrategy: &buildstrategy.SourceBuildStrategy{
Image: "test-sti-builder",
TempDirectoryCreator: buildstrategy.STITempDirectoryCreator,
Codec: latest.Codec,
},
Stop: openshift.stop,
}
bcFactory.Create().Run()
bpcFactory := buildcontrollerfactory.BuildPodControllerFactory{
OSClient: osClient,
KubeClient: kubeClient,
BuildUpdater: buildclient.NewOSClientBuildClient(osClient),
Stop: openshift.stop,
}
bpcFactory.Create().Run()
return openshift
}
func main() {
flag.Parse()
util.InitLogs()
defer util.FlushLogs()
verflag.PrintAndExitIfRequested()
verifyPortalFlags()
if (*etcdConfigFile != "" && len(etcdServerList) != 0) || (*etcdConfigFile == "" && len(etcdServerList) == 0) {
glog.Fatalf("specify either -etcd_servers or -etcd_config")
}
capabilities.Initialize(capabilities.Capabilities{
AllowPrivileged: *allowPrivileged,
})
cloud := cloudprovider.InitCloudProvider(*cloudProvider, *cloudConfigFile)
kubeletClient, err := client.NewKubeletClient(&kubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
}
_, v1beta3 := runtimeConfig["api/v1beta3"]
// TODO: expose same flags as client.BindClientConfigFlags but for a server
clientConfig := &client.Config{
Host: net.JoinHostPort(address.String(), strconv.Itoa(int(*port))),
Version: *storageVersion,
}
client, err := client.New(clientConfig)
if err != nil {
glog.Fatalf("Invalid server address: %v", err)
}
helper, err := newEtcd(*etcdConfigFile, etcdServerList)
if err != nil {
glog.Fatalf("Invalid storage version or misconfigured etcd: %v", err)
}
n := net.IPNet(portalNet)
authenticator, err := apiserver.NewAuthenticatorFromTokenFile(*tokenAuthFile)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(*authorizationMode, *authorizationPolicyFile)
if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err)
}
admissionControlPluginNames := strings.Split(*admissionControl, ",")
admissionController := admission.NewFromPlugins(client, admissionControlPluginNames, *admissionControlConfigFile)
config := &master.Config{
Client: client,
Cloud: cloud,
EtcdHelper: helper,
HealthCheckMinions: *healthCheckMinions,
EventTTL: *eventTTL,
KubeletClient: kubeletClient,
PortalNet: &n,
EnableLogsSupport: *enableLogsSupport,
EnableUISupport: true,
EnableSwaggerSupport: true,
APIPrefix: *apiPrefix,
CorsAllowedOriginList: corsAllowedOriginList,
ReadOnlyPort: *readOnlyPort,
ReadWritePort: *port,
PublicAddress: *publicAddressOverride,
Authenticator: authenticator,
Authorizer: authorizer,
AdmissionControl: admissionController,
EnableV1Beta3: v1beta3,
MasterServiceNamespace: *masterServiceNamespace,
}
m := master.New(config)
// We serve on 3 ports. See docs/reaching_the_api.md
roLocation := ""
if *readOnlyPort != 0 {
roLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(config.ReadOnlyPort))
}
secureLocation := ""
if *securePort != 0 {
secureLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(*securePort))
}
rwLocation := net.JoinHostPort(address.String(), strconv.Itoa(int(*port)))
// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
if roLocation != "" {
// Allow 1 read-only request per second, allow up to 20 in a burst before enforcing.
rl := util.NewTokenBucketRateLimiter(1.0, 20)
readOnlyServer := &http.Server{
Addr: roLocation,
Handler: apiserver.RecoverPanics(apiserver.ReadOnly(apiserver.RateLimit(rl, m.InsecureHandler))),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving read-only insecurely on %s", roLocation)
go func() {
defer util.HandleCrash()
for {
if err := readOnlyServer.ListenAndServe(); err != nil {
glog.Errorf("Unable to listen for read only traffic (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
if secureLocation != "" {
secureServer := &http.Server{
Addr: secureLocation,
Handler: apiserver.RecoverPanics(m.Handler),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
ClientAuth: tls.RequestClientCert,
},
}
glog.Infof("Serving securely on %s", secureLocation)
go func() {
defer util.HandleCrash()
for {
if *tlsCertFile == "" && *tlsPrivateKeyFile == "" {
*tlsCertFile = "/var/run/kubernetes/apiserver.crt"
*tlsPrivateKeyFile = "/var/run/kubernetes/apiserver.key"
if err := util.GenerateSelfSignedCert(config.PublicAddress, *tlsCertFile, *tlsPrivateKeyFile); err != nil {
glog.Errorf("Unable to generate self signed cert: %v", err)
} else {
glog.Infof("Using self-signed cert (%s, %s)", *tlsCertFile, *tlsPrivateKeyFile)
}
}
if err := secureServer.ListenAndServeTLS(*tlsCertFile, *tlsPrivateKeyFile); err != nil {
glog.Errorf("Unable to listen for secure (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
s := &http.Server{
Addr: rwLocation,
Handler: apiserver.RecoverPanics(m.InsecureHandler),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving insecurely on %s", rwLocation)
glog.Fatal(s.ListenAndServe())
}
// Run runs the specified APIServer. This should never exit.
func (s *APIServer) Run(_ []string) error {
s.verifyClusterIPFlags()
// If advertise-address is not specified, use bind-address. If bind-address
// is also unset (or 0.0.0.0), setDefaults() in pkg/master/master.go will
// do the right thing and use the host's default interface.
if s.AdvertiseAddress == nil || net.IP(s.AdvertiseAddress).IsUnspecified() {
s.AdvertiseAddress = s.BindAddress
}
if (s.EtcdConfigFile != "" && len(s.EtcdServerList) != 0) || (s.EtcdConfigFile == "" && len(s.EtcdServerList) == 0) {
glog.Fatalf("specify either --etcd-servers or --etcd-config")
}
capabilities.Initialize(capabilities.Capabilities{
AllowPrivileged: s.AllowPrivileged,
// TODO(vmarmol): Implement support for HostNetworkSources.
HostNetworkSources: []string{},
})
cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
if err != nil {
glog.Fatalf("Cloud provider could not be initialized: %v", err)
}
kubeletClient, err := client.NewKubeletClient(&s.KubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
}
// "api/all=false" allows users to selectively enable specific api versions.
disableAllAPIs := false
allAPIFlagValue, ok := s.RuntimeConfig["api/all"]
if ok && allAPIFlagValue == "false" {
disableAllAPIs = true
}
// "api/legacy=false" allows users to disable legacy api versions.
disableLegacyAPIs := false
legacyAPIFlagValue, ok := s.RuntimeConfig["api/legacy"]
if ok && legacyAPIFlagValue == "false" {
disableLegacyAPIs = true
}
_ = disableLegacyAPIs // hush the compiler while we don't have legacy APIs to disable.
// v1beta3 is disabled by default. Users can enable it using "api/v1beta3=true"
enableV1beta3 := s.getRuntimeConfigValue("api/v1beta3", false)
// "api/v1={true|false} allows users to enable/disable v1 API.
// This takes preference over api/all and api/legacy, if specified.
disableV1 := disableAllAPIs
disableV1 = !s.getRuntimeConfigValue("api/v1", !disableV1)
// TODO: expose same flags as client.BindClientConfigFlags but for a server
clientConfig := &client.Config{
Host: net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort)),
Version: s.StorageVersion,
}
client, err := client.New(clientConfig)
if err != nil {
glog.Fatalf("Invalid server address: %v", err)
}
helper, err := newEtcd(s.EtcdConfigFile, s.EtcdServerList, s.StorageVersion, s.EtcdPathPrefix)
if err != nil {
glog.Fatalf("Invalid storage version or misconfigured etcd: %v", err)
}
// TODO Is this the right place for migration to happen? Must *both* old and
// new etcd prefix params be supplied for this to be valid?
if s.OldEtcdPathPrefix != "" {
if err = helper.MigrateKeys(s.OldEtcdPathPrefix); err != nil {
glog.Fatalf("Migration of old etcd keys failed: %v", err)
}
}
n := net.IPNet(s.ServiceClusterIPRange)
// Default to the private server key for service account token signing
if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
if apiserver.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
} else {
glog.Warning("no RSA key provided, service account token authentication disabled")
}
}
authenticator, err := apiserver.NewAuthenticator(s.BasicAuthFile, s.ClientCAFile, s.TokenAuthFile, s.ServiceAccountKeyFile, s.ServiceAccountLookup, helper)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(s.AuthorizationMode, s.AuthorizationPolicyFile)
if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err)
}
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
admissionController := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile)
if len(s.ExternalHost) == 0 {
// TODO: extend for other providers
if s.CloudProvider == "gce" {
instances, supported := cloud.Instances()
if !supported {
glog.Fatalf("gce cloud provider has no instances. this shouldn't happen. exiting.")
}
name, err := os.Hostname()
if err != nil {
glog.Fatalf("failed to get hostname: %v", err)
}
addrs, err := instances.NodeAddresses(name)
if err != nil {
glog.Warningf("unable to obtain external host address from cloud provider: %v", err)
} else {
for _, addr := range addrs {
if addr.Type == api.NodeExternalIP {
s.ExternalHost = addr.Address
}
}
}
}
}
var installSSH master.InstallSSHKey
if cloud != nil {
if instances, supported := cloud.Instances(); supported {
installSSH = instances.AddSSHKeyToAllInstances
}
}
config := &master.Config{
EtcdHelper: helper,
EventTTL: s.EventTTL,
KubeletClient: kubeletClient,
ServiceClusterIPRange: &n,
EnableCoreControllers: true,
EnableLogsSupport: s.EnableLogsSupport,
EnableUISupport: true,
EnableSwaggerSupport: true,
EnableProfiling: s.EnableProfiling,
EnableIndex: true,
APIPrefix: s.APIPrefix,
CorsAllowedOriginList: s.CorsAllowedOriginList,
ReadWritePort: s.SecurePort,
PublicAddress: net.IP(s.AdvertiseAddress),
Authenticator: authenticator,
SupportsBasicAuth: len(s.BasicAuthFile) > 0,
Authorizer: authorizer,
AdmissionControl: admissionController,
EnableV1Beta3: enableV1beta3,
DisableV1: disableV1,
MasterServiceNamespace: s.MasterServiceNamespace,
ClusterName: s.ClusterName,
ExternalHost: s.ExternalHost,
MinRequestTimeout: s.MinRequestTimeout,
SSHUser: s.SSHUser,
SSHKeyfile: s.SSHKeyfile,
InstallSSHKey: installSSH,
ServiceNodePortRange: s.ServiceNodePortRange,
}
m := master.New(config)
// We serve on 2 ports. See docs/accessing_the_api.md
secureLocation := ""
if s.SecurePort != 0 {
secureLocation = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
}
insecureLocation := net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
var sem chan bool
if s.MaxRequestsInFlight > 0 {
sem = make(chan bool, s.MaxRequestsInFlight)
}
longRunningRE := regexp.MustCompile(s.LongRunningRequestRE)
if secureLocation != "" {
secureServer := &http.Server{
Addr: secureLocation,
Handler: apiserver.MaxInFlightLimit(sem, longRunningRE, apiserver.RecoverPanics(m.Handler)),
ReadTimeout: ReadWriteTimeout,
WriteTimeout: ReadWriteTimeout,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
},
}
if len(s.ClientCAFile) > 0 {
clientCAs, err := util.CertPoolFromFile(s.ClientCAFile)
if err != nil {
glog.Fatalf("unable to load client CA file: %v", err)
}
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
secureServer.TLSConfig.ClientAuth = tls.RequestClientCert
// Specify allowed CAs for client certificates
secureServer.TLSConfig.ClientCAs = clientCAs
}
glog.Infof("Serving securely on %s", secureLocation)
go func() {
defer util.HandleCrash()
for {
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt")
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key")
// TODO (cjcullen): Is PublicAddress the right address to sign a cert with?
alternateIPs := []net.IP{config.ServiceReadWriteIP}
alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
// It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
// alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
glog.Errorf("Unable to generate self signed cert: %v", err)
} else {
glog.Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
}
}
// err == systemd.SdNotifyNoSocket when not running on a systemd system
if err := systemd.SdNotify("READY=1\n"); err != nil && err != systemd.SdNotifyNoSocket {
glog.Errorf("Unable to send systemd daemon sucessful start message: %v\n", err)
}
if err := secureServer.ListenAndServeTLS(s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
glog.Errorf("Unable to listen for secure (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
http := &http.Server{
Addr: insecureLocation,
Handler: apiserver.RecoverPanics(m.InsecureHandler),
ReadTimeout: ReadWriteTimeout,
WriteTimeout: ReadWriteTimeout,
MaxHeaderBytes: 1 << 20,
}
if secureLocation == "" {
// err == systemd.SdNotifyNoSocket when not running on a systemd system
if err := systemd.SdNotify("READY=1\n"); err != nil && err != systemd.SdNotifyNoSocket {
glog.Errorf("Unable to send systemd daemon sucessful start message: %v\n", err)
}
}
glog.Infof("Serving insecurely on %s", insecureLocation)
glog.Fatal(http.ListenAndServe())
return nil
}
// Run runs the specified APIServer. This should never exit.
func (s *APIServer) Run(_ []string) error {
s.verifyPortalFlags()
if (s.EtcdConfigFile != "" && len(s.EtcdServerList) != 0) || (s.EtcdConfigFile == "" && len(s.EtcdServerList) == 0) {
glog.Fatalf("specify either --etcd-servers or --etcd-config")
}
capabilities.Initialize(capabilities.Capabilities{
AllowPrivileged: s.AllowPrivileged,
// TODO(vmarmol): Implement support for HostNetworkSources.
HostNetworkSources: []string{},
})
cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
if err != nil {
glog.Fatalf("Cloud provider could not be initialized: %v", err)
}
kubeletClient, err := client.NewKubeletClient(&s.KubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
}
// "api/all=false" allows users to selectively enable specific api versions.
disableAllAPIs := false
allAPIFlagValue, ok := s.RuntimeConfig["api/all"]
if ok && allAPIFlagValue == "false" {
disableAllAPIs = true
}
// "api/legacy=false" allows users to disable legacy api versions.
// Right now, v1beta1 and v1beta2 are considered legacy.
disableLegacyAPIs := false
legacyAPIFlagValue, ok := s.RuntimeConfig["api/legacy"]
if ok && legacyAPIFlagValue == "false" {
disableLegacyAPIs = true
}
// "api/v1beta1={true|false} allows users to enable/disable v1beta1 API.
// This takes preference over api/all and api/legacy, if specified.
disableV1beta1 := disableAllAPIs || disableLegacyAPIs
disableV1beta1 = !s.getRuntimeConfigValue("api/v1beta1", !disableV1beta1)
// "api/v1beta2={true|false} allows users to enable/disable v1beta2 API.
// This takes preference over api/all and api/legacy, if specified.
disableV1beta2 := disableAllAPIs || disableLegacyAPIs
disableV1beta2 = !s.getRuntimeConfigValue("api/v1beta2", !disableV1beta2)
// "api/v1beta3={true|false} allows users to enable/disable v1beta3 API.
// This takes preference over api/all and api/legacy, if specified.
disableV1beta3 := disableAllAPIs
disableV1beta3 = !s.getRuntimeConfigValue("api/v1beta3", !disableV1beta3)
// V1 is disabled by default. Users can enable it using "api/v1={true}".
_, enableV1 := s.RuntimeConfig["api/v1"]
// TODO: expose same flags as client.BindClientConfigFlags but for a server
clientConfig := &client.Config{
Host: net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort)),
Version: s.StorageVersion,
}
client, err := client.New(clientConfig)
if err != nil {
glog.Fatalf("Invalid server address: %v", err)
}
helper, err := newEtcd(s.EtcdConfigFile, s.EtcdServerList, s.StorageVersion, s.EtcdPathPrefix)
if err != nil {
glog.Fatalf("Invalid storage version or misconfigured etcd: %v", err)
}
// TODO Is this the right place for migration to happen? Must *both* old and
// new etcd prefix params be supplied for this to be valid?
if s.OldEtcdPathPrefix != "" {
if err = helper.MigrateKeys(s.OldEtcdPathPrefix); err != nil {
glog.Fatalf("Migration of old etcd keys failed: %v", err)
}
}
n := net.IPNet(s.PortalNet)
// Default to the private server key for service account token signing
if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
}
authenticator, err := apiserver.NewAuthenticator(s.BasicAuthFile, s.ClientCAFile, s.TokenAuthFile, s.ServiceAccountKeyFile, s.ServiceAccountLookup, helper)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(s.AuthorizationMode, s.AuthorizationPolicyFile)
if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err)
}
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
admissionController := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile)
if len(s.ExternalHost) == 0 {
// TODO: extend for other providers
if s.CloudProvider == "gce" {
instances, supported := cloud.Instances()
if !supported {
glog.Fatalf("gce cloud provider has no instances. this shouldn't happen. exiting.")
}
name, err := os.Hostname()
if err != nil {
glog.Fatalf("failed to get hostname: %v", err)
}
addrs, err := instances.NodeAddresses(name)
if err != nil {
glog.Warningf("unable to obtain external host address from cloud provider: %v", err)
} else {
for _, addr := range addrs {
if addr.Type == api.NodeExternalIP {
s.ExternalHost = addr.Address
}
}
}
}
}
config := &master.Config{
EtcdHelper: helper,
EventTTL: s.EventTTL,
KubeletClient: kubeletClient,
PortalNet: &n,
EnableCoreControllers: true,
EnableLogsSupport: s.EnableLogsSupport,
EnableUISupport: true,
EnableSwaggerSupport: true,
EnableProfiling: s.EnableProfiling,
EnableIndex: true,
APIPrefix: s.APIPrefix,
CorsAllowedOriginList: s.CorsAllowedOriginList,
ReadOnlyPort: s.ReadOnlyPort,
ReadWritePort: s.SecurePort,
PublicAddress: net.IP(s.BindAddress),
Authenticator: authenticator,
SupportsBasicAuth: len(s.BasicAuthFile) > 0,
Authorizer: authorizer,
AdmissionControl: admissionController,
DisableV1Beta1: disableV1beta1,
DisableV1Beta2: disableV1beta2,
DisableV1Beta3: disableV1beta3,
EnableV1: enableV1,
MasterServiceNamespace: s.MasterServiceNamespace,
ClusterName: s.ClusterName,
ExternalHost: s.ExternalHost,
}
m := master.New(config)
// We serve on 3 ports. See docs/accessing_the_api.md
roLocation := ""
if s.ReadOnlyPort != 0 {
roLocation = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.ReadOnlyPort))
}
secureLocation := ""
if s.SecurePort != 0 {
secureLocation = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.SecurePort))
}
insecureLocation := net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
var sem chan bool
if s.MaxRequestsInFlight > 0 {
sem = make(chan bool, s.MaxRequestsInFlight)
}
longRunningRE := regexp.MustCompile(s.LongRunningRequestRE)
if roLocation != "" {
// Default settings allow 1 read-only request per second, allow up to 20 in a burst before enforcing.
rl := util.NewTokenBucketRateLimiter(s.APIRate, s.APIBurst)
readOnlyServer := &http.Server{
Addr: roLocation,
Handler: apiserver.MaxInFlightLimit(sem, longRunningRE, apiserver.RecoverPanics(apiserver.ReadOnly(apiserver.RateLimit(rl, m.InsecureHandler)))),
ReadTimeout: ReadWriteTimeout,
WriteTimeout: ReadWriteTimeout,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving read-only insecurely on %s", roLocation)
go func() {
defer util.HandleCrash()
for {
if err := readOnlyServer.ListenAndServe(); err != nil {
glog.Errorf("Unable to listen for read only traffic (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
if secureLocation != "" {
secureServer := &http.Server{
Addr: secureLocation,
Handler: apiserver.MaxInFlightLimit(sem, longRunningRE, apiserver.RecoverPanics(m.Handler)),
ReadTimeout: ReadWriteTimeout,
WriteTimeout: ReadWriteTimeout,
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
},
}
if len(s.ClientCAFile) > 0 {
clientCAs, err := util.CertPoolFromFile(s.ClientCAFile)
if err != nil {
glog.Fatalf("unable to load client CA file: %v", err)
}
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
secureServer.TLSConfig.ClientAuth = tls.RequestClientCert
// Specify allowed CAs for client certificates
secureServer.TLSConfig.ClientCAs = clientCAs
}
glog.Infof("Serving securely on %s", secureLocation)
go func() {
defer util.HandleCrash()
for {
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt")
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key")
if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
glog.Errorf("Unable to generate self signed cert: %v", err)
} else {
glog.Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
}
}
if err := secureServer.ListenAndServeTLS(s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
glog.Errorf("Unable to listen for secure (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
http := &http.Server{
Addr: insecureLocation,
Handler: apiserver.RecoverPanics(m.InsecureHandler),
ReadTimeout: ReadWriteTimeout,
WriteTimeout: ReadWriteTimeout,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving insecurely on %s", insecureLocation)
glog.Fatal(http.ListenAndServe())
return nil
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
defaultRegistry := env("OPENSHIFT_DEFAULT_REGISTRY", "${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT}")
svcCache := service.NewServiceResolverCache(c.KubeClient().Services(kapi.NamespaceDefault).Get)
defaultRegistryFunc, err := svcCache.Defer(defaultRegistry)
if err != nil {
glog.Fatalf("OPENSHIFT_DEFAULT_REGISTRY variable is invalid %q: %v", defaultRegistry, err)
}
kubeletClient, err := kclient.NewKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
buildStorage := buildetcd.NewStorage(c.EtcdHelper)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage := buildconfigetcd.NewStorage(c.EtcdHelper)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage := deployconfigetcd.NewStorage(c.EtcdHelper)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeEtcd := routeetcd.New(c.EtcdHelper)
hostSubnetStorage := hostsubnetetcd.NewREST(c.EtcdHelper)
clusterNetworkStorage := clusternetworketcd.NewREST(c.EtcdHelper)
userStorage := useretcd.NewREST(c.EtcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(c.EtcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
policyStorage := policyetcd.NewStorage(c.EtcdHelper)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage := policybindingetcd.NewStorage(c.EtcdHelper)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage := clusterpolicystorage.NewStorage(c.EtcdHelper)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage := clusterpolicybindingstorage.NewStorage(c.EtcdHelper)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyRegistry, policyBindingRegistry, clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
imageStorage := imageetcd.NewREST(c.EtcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamStorage, imageStreamStatusStorage := imagestreametcd.NewREST(c.EtcdHelper, imagestream.DefaultRegistryFunc(defaultRegistryFunc), subjectAccessReviewRegistry)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
routeAllocator := c.RouteAllocator()
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
_, kclient := c.DeploymentConfigControllerClients()
deployRollback := &deployrollback.RollbackGenerator{}
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployRollback.GenerateRollback,
}
projectStorage := projectproxy.NewREST(kclient.Namespaces(), c.ProjectAuthorizationCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
storage := map[string]rest.Storage{
"builds": buildStorage,
"buildConfigs": buildConfigStorage,
"buildConfigs/webhooks": buildConfigWebHooks,
"builds/clone": buildclonestorage.NewStorage(buildGenerator),
"buildConfigs/instantiate": buildinstantiatestorage.NewStorage(buildGenerator),
"builds/log": buildlogregistry.NewREST(buildRegistry, c.BuildLogClient(), kubeletClient),
"images": imageStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"deploymentConfigs": deployConfigStorage,
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.EtcdHelper.Codec),
"deploymentConfigRollbacks": deployrollback.NewREST(deployRollbackClient, c.EtcdHelper.Codec),
"processedTemplates": templateregistry.NewREST(),
"templates": templateetcd.NewREST(c.EtcdHelper),
"routes": routeregistry.NewREST(routeEtcd, routeAllocator),
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"clusterNetworks": clusterNetworkStorage,
"users": userStorage,
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizetokenetcd.NewREST(c.EtcdHelper),
"oAuthAccessTokens": accesstokenetcd.NewREST(c.EtcdHelper),
"oAuthClients": clientetcd.NewREST(c.EtcdHelper),
"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper),
"resourceAccessReviews": resourceaccessreviewregistry.NewREST(c.Authorizer),
"subjectAccessReviews": subjectAccessReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
}
return storage
}
func main() {
flag.Parse()
util.InitLogs()
defer util.FlushLogs()
verflag.PrintAndExitIfRequested()
verifyPortalFlags()
if (*etcdConfigFile != "" && len(etcdServerList) != 0) || (*etcdConfigFile == "" && len(etcdServerList) == 0) {
glog.Fatalf("specify either -etcd_servers or -etcd_config")
}
capabilities.Initialize(capabilities.Capabilities{
AllowPrivileged: *allowPrivileged,
})
cloud := cloudprovider.InitCloudProvider(*cloudProvider, *cloudConfigFile)
kubeletClient, err := client.NewKubeletClient(&kubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
}
// TODO: expose same flags as client.BindClientConfigFlags but for a server
clientConfig := &client.Config{
Host: net.JoinHostPort(address.String(), strconv.Itoa(int(*port))),
Version: *storageVersion,
}
client, err := client.New(clientConfig)
if err != nil {
glog.Fatalf("Invalid server address: %v", err)
}
helper, err := newEtcd(*etcdConfigFile, etcdServerList)
if err != nil {
glog.Fatalf("Invalid storage version or misconfigured etcd: %v", err)
}
n := net.IPNet(portalNet)
authenticator, err := apiserver.NewAuthenticatorFromTokenFile(*tokenAuthFile)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(*authorizationMode, *authorizationPolicyFile)
if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err)
}
config := &master.Config{
Client: client,
Cloud: cloud,
EtcdHelper: helper,
HealthCheckMinions: *healthCheckMinions,
EventTTL: *eventTTL,
KubeletClient: kubeletClient,
PortalNet: &n,
EnableLogsSupport: *enableLogsSupport,
EnableUISupport: true,
APIPrefix: *apiPrefix,
CorsAllowedOriginList: corsAllowedOriginList,
ReadOnlyPort: *readOnlyPort,
ReadWritePort: *port,
PublicAddress: *publicAddressOverride,
Authenticator: authenticator,
Authorizer: authorizer,
}
m := master.New(config)
// We serve on 3 ports. See docs/reaching_the_api.md
roLocation := ""
if *readOnlyPort != 0 {
roLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(config.ReadOnlyPort))
}
secureLocation := ""
if *securePort != 0 {
secureLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(*securePort))
}
rwLocation := net.JoinHostPort(address.String(), strconv.Itoa(int(*port)))
// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
if roLocation != "" {
// Allow 1 read-only request per second, allow up to 20 in a burst before enforcing.
rl := util.NewTokenBucketRateLimiter(1.0, 20)
readOnlyServer := &http.Server{
Addr: roLocation,
Handler: apiserver.RecoverPanics(apiserver.ReadOnly(apiserver.RateLimit(rl, m.InsecureHandler))),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving read-only insecurely on %s", roLocation)
go func() {
defer util.HandleCrash()
for {
if err := readOnlyServer.ListenAndServe(); err != nil {
glog.Errorf("Unable to listen for read only traffic (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
if secureLocation != "" {
secureServer := &http.Server{
Addr: secureLocation,
Handler: apiserver.RecoverPanics(m.Handler),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving securely on %s", secureLocation)
go func() {
defer util.HandleCrash()
for {
if err := secureServer.ListenAndServeTLS(*tlsCertFile, *tlsPrivateKeyFile); err != nil {
glog.Errorf("Unable to listen for secure (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
s := &http.Server{
Addr: rwLocation,
Handler: apiserver.RecoverPanics(m.InsecureHandler),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving insecurely on %s", rwLocation)
glog.Fatal(s.ListenAndServe())
}