

introduce --tls-min-version flag to karmada-webhook
carlory committed Jan 19, 2022
1 parent 0d98cc3 commit f8c8d7e
Showing 2 changed files with 15 additions and 7 deletions.
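--- a/cmd/webhook/app/options/options.go
+++ b/cmd/webhook/app/options/options.go
@@ -5,9 +5,10 @@ import (
 )
 
 const (
-defaultBindAddress = "0.0.0.0"
-defaultPort = 8443
-defaultCertDir = "/tmp/k8s-webhook-server/serving-certs"
+defaultBindAddress = "0.0.0.0"
+defaultPort = 8443
+defaultCertDir = "/tmp/k8s-webhook-server/serving-certs"
+defaultTLSMinVersion = "VersionTLS13"
 )
 
 // Options contains everything necessary to create and run webhook server.
@@ -22,6 +23,9 @@ type Options struct {
 // if not set, webhook server would look up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs.
 // The server key and certificate must be named `tls.key` and `tls.crt`, respectively.
 CertDir string
+// TLSMinVersion contains the minimum TLS version that is acceptable. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+// Default is VersionTLS13.
+TLSMinVersion string
 // KubeAPIQPS is the QPS to use while talking with karmada-apiserver.
 KubeAPIQPS float32
 // KubeAPIBurst is the burst to allow while talking with karmada-apiserver.
@@ -41,6 +45,7 @@ func (o *Options) AddFlags(flags *pflag.FlagSet) {
 "The secure port on which to serve HTTPS.")
 flags.StringVar(&o.CertDir, "cert-dir", defaultCertDir,
 "The directory that contains the server key(named tls.key) and certificate(named tls.crt).")
+flags.StringVar(&o.TLSMinVersion, "tls-min-version", defaultTLSMinVersion, "Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.")
 flags.Float32Var(&o.KubeAPIQPS, "kube-api-qps", 40.0, "QPS to use while talking with karmada-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.")
 flags.IntVar(&o.KubeAPIBurst, "kube-api-burst", 60, "Burst to use while talking with karmada-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.")
 }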
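Review bot: The value of the new `--tls-min-version` flag (third hunk, in AddFlags) is stored without any validation; only the help text lists the four accepted names, so a misspelled or unsupported value is accepted silently here and, judging from the webhook.go hunk in this commit, handed straight to `webhook.Server.TLSMinVersion`, where it can only be rejected when the server starts, if at all. Validating at option-parsing time gives a clear error before any client connection is attempted. Since the help text advertises VersionTLS10 and VersionTLS11, the field comment should also say that those two are deprecated protocol versions kept for compatibility only, e.g. `// VersionTLS10 and VersionTLS11 are accepted for compatibility with old clients only; prefer VersionTLS12 or the default VersionTLS13.` A check along the following lines belongs in the Options validation method if one exists (not visible in this commit), otherwise at the start of Run, before NewManager is called.

```go
// validateTLSMinVersion rejects anything outside the names the flag documents.
func (o *Options) validateTLSMinVersion() error {
	switch o.TLSMinVersion {
	case "VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13":
		return nil
	default:
		return fmt.Errorf("unsupported --tls-min-version %q (want one of VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13)", o.TLSMinVersion)
	}
}
```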
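--- a/cmd/webhook/app/webhook.go
+++ b/cmd/webhook/app/webhook.go
@@ -70,10 +70,13 @@ func Run(ctx context.Context, opts *options.Options) error {
 config.QPS, config.Burst = opts.KubeAPIQPS, opts.KubeAPIBurst
 
 hookManager, err := controllerruntime.NewManager(config, controllerruntime.Options{
-Scheme: gclient.NewSchema(),
-Host: opts.BindAddress,
-Port: opts.SecurePort,
-CertDir: opts.CertDir,
+Scheme: gclient.NewSchema(),
+WebhookServer: &webhook.Server{
+Host: opts.BindAddress,
+Port: opts.SecurePort,
+CertDir: opts.CertDir,
+TLSMinVersion: opts.TLSMinVersion,
+},
 LeaderElection: false,
 })
 if err != nil {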
