mirror of
https://github.com/k3s-io/k3s.git
synced 2026-05-28 04:34:19 -04:00
3f5eec4c4e
mux is replaced with a simple wrapper around http.ServeMux with middleware chain support Unfortunately github.com/rootless-containers/rootlesskit/pkg/parent still uses it so we can't drop the indirect dep yet. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
73 lines
3.2 KiB
Go
73 lines
3.2 KiB
Go
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"path/filepath"
|
|
|
|
"github.com/k3s-io/k3s/pkg/cli/cmds"
|
|
"github.com/k3s-io/k3s/pkg/daemons/config"
|
|
"github.com/k3s-io/k3s/pkg/nodepassword"
|
|
"github.com/k3s-io/k3s/pkg/server/auth"
|
|
"github.com/k3s-io/k3s/pkg/util/mux"
|
|
"github.com/k3s-io/k3s/pkg/version"
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
|
)
|
|
|
|
const (
|
|
staticURL = "/static/"
|
|
)
|
|
|
|
var (
|
|
// When starting, each agent sequentially makes requests for certs, config, and apiservers, and will poll the readyz endpoint
|
|
// before starting kube-proxy. These limits effectively cap the number of agents that can join simultaneously.
|
|
// Agents will automatically retry with jitter when rate-limited.
|
|
maxNonMutatingAgentRequests = 20 // max concurrent get/list/watch requests
|
|
maxMutatingAgentRequests = 10 // max concurrent other requests; cert generation with client-provided private key uses post.
|
|
)
|
|
|
|
func NewHandler(ctx context.Context, control *config.Control, cfg *cmds.Server) http.Handler {
|
|
nodeAuth := nodepassword.GetNodeAuthValidator(ctx, control)
|
|
|
|
prefix := "/v1-" + version.Program
|
|
authed := mux.NewRouter()
|
|
authed.NotFoundHandler = APIServer(control, cfg)
|
|
authed.Use(auth.HasRole(control, version.Program+":agent", user.NodesGroup, bootstrapapi.BootstrapDefaultGroup), auth.RequestInfo(), auth.MaxInFlight(maxNonMutatingAgentRequests, maxMutatingAgentRequests))
|
|
authed.Handle(prefix+"/serving-kubelet.crt", ServingKubeletCert(control, nodeAuth))
|
|
authed.Handle(prefix+"/client-kubelet.crt", ClientKubeletCert(control, nodeAuth))
|
|
authed.Handle(prefix+"/client-kube-proxy.crt", ClientKubeProxyCert(control))
|
|
authed.Handle(prefix+"/client-"+version.Program+"-controller.crt", ClientControllerCert(control))
|
|
authed.Handle(prefix+"/client-ca.crt", File(control.Runtime.ClientCA))
|
|
authed.Handle(prefix+"/server-ca.crt", File(control.Runtime.ServerCA))
|
|
authed.Handle(prefix+"/apiservers", APIServers(control))
|
|
authed.Handle(prefix+"/config", Config(control, cfg))
|
|
authed.Handle(prefix+"/readyz", Readyz(control))
|
|
|
|
nodeAuthed := mux.NewRouter()
|
|
nodeAuthed.NotFoundHandler = authed
|
|
nodeAuthed.Use(auth.HasRole(control, user.NodesGroup))
|
|
nodeAuthed.Handle(prefix+"/connect", control.Runtime.Tunnel)
|
|
|
|
serverAuthed := mux.NewRouter()
|
|
serverAuthed.NotFoundHandler = nodeAuthed
|
|
serverAuthed.Use(auth.HasRole(control, version.Program+":server"))
|
|
serverAuthed.Handle(prefix+"/encrypt/status", EncryptionStatus(control))
|
|
serverAuthed.Handle(prefix+"/encrypt/config", EncryptionConfig(ctx, control))
|
|
serverAuthed.Handle(prefix+"/cert/cacerts", CACertReplace(control))
|
|
serverAuthed.Handle(prefix+"/server-bootstrap", Bootstrap(control))
|
|
serverAuthed.Handle(prefix+"/token", TokenRequest(ctx, control))
|
|
|
|
systemAuthed := mux.NewRouter()
|
|
systemAuthed.NotFoundHandler = serverAuthed
|
|
systemAuthed.Use(auth.HasRole(control, user.SystemPrivilegedGroup))
|
|
systemAuthed.Handle("CONNECT /", control.Runtime.Tunnel)
|
|
|
|
router := mux.NewRouter()
|
|
router.NotFoundHandler = systemAuthed
|
|
router.Handle(staticURL, Static(staticURL, filepath.Join(control.DataDir, "static")))
|
|
router.Handle("/cacerts", CACerts(control))
|
|
router.Handle("/ping", Ping())
|
|
|
|
return router
|
|
}
|