vendor/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go - cloudstack-kubernetes-provider - Git at Google

 /*
 Copyright 2017 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package options

 import (
 	"fmt"
 	"net"

 	"github.com/spf13/pflag"

 	"k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/rest"
 )

 // DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
 // No one should be using these anymore.
 // DEPRECATED: all insecure serving options are removed in a future version
 type DeprecatedInsecureServingOptions struct {
 	BindAddress net.IP
 	BindPort    int
 	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
 	// "tcp4", and "tcp6".
 	BindNetwork string

 	// Listener is the secure server network listener.
 	// either Listener or BindAddress/BindPort/BindNetwork is set,
 	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
 	Listener net.Listener

 	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
 	// It defaults to options.CreateListener.
 	ListenFunc func(network, addr string) (net.Listener, int, error)
 }

 // Validate ensures that the insecure port values within the range of the port.
 func (s *DeprecatedInsecureServingOptions) Validate() []error {
 	if s == nil {
 		return nil
 	}

 	errors := []error{}

 	if s.BindPort < 0 || s.BindPort > 65335 {
 		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
 	}

 	return errors
 }

 // AddFlags adds flags related to insecure serving to the specified FlagSet.
 func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	if s == nil {
 		return
 	}

 	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
 		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
 	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
 	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
 	fs.Lookup("insecure-bind-address").Hidden = false

 	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
 		"The port on which to serve unsecured, unauthenticated access.")
 	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
 	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
 	fs.Lookup("insecure-port").Hidden = false
 }

 // AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
 func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
 	if s == nil {
 		return
 	}

 	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
 		"The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
 	fs.MarkDeprecated("address", "see --bind-address instead.")
 	fs.Lookup("address").Hidden = false

 	fs.IntVar(&s.BindPort, "port", s.BindPort, "The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.")
 	fs.MarkDeprecated("port", "see --secure-port instead.")
 	fs.Lookup("port").Hidden = false
 }

 // ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo and kube-controller manager configuration.
 // Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
 func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
 	if s == nil {
 		return nil
 	}
 	if s.BindPort <= 0 {
 		return nil
 	}

 	if s.Listener == nil {
 		var err error
 		listen := CreateListener
 		if s.ListenFunc != nil {
 			listen = s.ListenFunc
 		}
 		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
 		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
 		if err != nil {
 			return fmt.Errorf("failed to create listener: %v", err)
 		}
 	}

 	*c = &server.DeprecatedInsecureServingInfo{
 		Listener: s.Listener,
 	}

 	return nil
 }

 // WithLoopback adds loopback functionality to the serving options.
 func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
 	return &DeprecatedInsecureServingOptionsWithLoopback{o}
 }

 // DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
 // DEPRECATED: all insecure serving options will be removed in a future version, however note that
 // there are security concerns over how health checks can work here - see e.g. #43784
 type DeprecatedInsecureServingOptionsWithLoopback struct {
 	*DeprecatedInsecureServingOptions
 }

 // ApplyTo fills up serving information in the server configuration.
 func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
 	if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
 		return nil
 	}

 	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
 		return err
 	}

 	if *insecureServingInfo == nil || loopbackClientConfig == nil {
 		return nil
 	}

 	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
 	switch {
 	// if we failed and there's no fallback loopback client config, we need to fail
 	case err != nil && *loopbackClientConfig == nil:
 		return err

 		// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
 	case err != nil && *loopbackClientConfig != nil:

 	default:
 		*loopbackClientConfig = secureLoopbackClientConfig
 	}

 	return nil
 }
	/*
	Copyright 2017 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package options

	import (
	"fmt"
	"net"

	"github.com/spf13/pflag"

	"k8s.io/apiserver/pkg/server"
	"k8s.io/client-go/rest"
	)

	// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
	// No one should be using these anymore.
	// DEPRECATED: all insecure serving options are removed in a future version
	type DeprecatedInsecureServingOptions struct {
	BindAddress net.IP
	BindPort int
	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
	// "tcp4", and "tcp6".
	BindNetwork string

	// Listener is the secure server network listener.
	// either Listener or BindAddress/BindPort/BindNetwork is set,
	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
	Listener net.Listener

	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
	// It defaults to options.CreateListener.
	ListenFunc func(network, addr string) (net.Listener, int, error)
	}

	// Validate ensures that the insecure port values within the range of the port.
	func (s *DeprecatedInsecureServingOptions) Validate() []error {
	if s == nil {
	return nil
	}

	errors := []error{}

	if s.BindPort < 0 \|\| s.BindPort > 65335 {
	errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
	}

	return errors
	}

	// AddFlags adds flags related to insecure serving to the specified FlagSet.
	func (s DeprecatedInsecureServingOptions) AddFlags(fs pflag.FlagSet) {
	if s == nil {
	return
	}

	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
	"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
	fs.Lookup("insecure-bind-address").Hidden = false

	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
	"The port on which to serve unsecured, unauthenticated access.")
	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
	fs.Lookup("insecure-port").Hidden = false
	}

	// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
	func (s DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs pflag.FlagSet) {
	if s == nil {
	return
	}

	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
	"The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
	fs.MarkDeprecated("address", "see --bind-address instead.")
	fs.Lookup("address").Hidden = false

	fs.IntVar(&s.BindPort, "port", s.BindPort, "The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.")
	fs.MarkDeprecated("port", "see --secure-port instead.")
	fs.Lookup("port").Hidden = false
	}

	// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo and kube-controller manager configuration.
	// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
	func (s DeprecatedInsecureServingOptions) ApplyTo(c *server.DeprecatedInsecureServingInfo) error {
	if s == nil {
	return nil
	}
	if s.BindPort <= 0 {
	return nil
	}

	if s.Listener == nil {
	var err error
	listen := CreateListener
	if s.ListenFunc != nil {
	listen = s.ListenFunc
	}
	addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
	s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
	if err != nil {
	return fmt.Errorf("failed to create listener: %v", err)
	}
	}

	*c = &server.DeprecatedInsecureServingInfo{
	Listener: s.Listener,
	}

	return nil
	}

	// WithLoopback adds loopback functionality to the serving options.
	func (o DeprecatedInsecureServingOptions) WithLoopback() DeprecatedInsecureServingOptionsWithLoopback {
	return &DeprecatedInsecureServingOptionsWithLoopback{o}
	}

	// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
	// DEPRECATED: all insecure serving options will be removed in a future version, however note that
	// there are security concerns over how health checks can work here - see e.g. #43784
	type DeprecatedInsecureServingOptionsWithLoopback struct {
	*DeprecatedInsecureServingOptions
	}

	// ApplyTo fills up serving information in the server configuration.
	func (s DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo server.DeprecatedInsecureServingInfo, loopbackClientConfig *rest.Config) error {
	if s == nil \|\| s.DeprecatedInsecureServingOptions == nil \|\| insecureServingInfo == nil {
	return nil
	}

	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
	return err
	}

	if *insecureServingInfo == nil \|\| loopbackClientConfig == nil {
	return nil
	}

	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
	switch {
	// if we failed and there's no fallback loopback client config, we need to fail
	case err != nil && *loopbackClientConfig == nil:
	return err

	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
	case err != nil && *loopbackClientConfig != nil:

	default:
	*loopbackClientConfig = secureLoopbackClientConfig
	}

	return nil
	}