Stop using insecure serving.

deploy/addons/addon-manager.yaml

@@ -26,6 +26,9 @@ spec:
   containers:
   - name: kube-addon-manager
     image: gcr.io/google-containers/kube-addon-manager:v6.4-beta.2
+    env:
+    - name: KUBECONFIG
+      value: /var/lib/localkube/kubeconfig
     imagePullPolicy: IfNotPresent
     resources:
       requests:
@@ -35,7 +38,13 @@ spec:
     - mountPath: /etc/kubernetes/
       name: addons
       readOnly: true
+    - mountPath: /var/lib/localkube
+      name: kubeconfig
+      readOnly: true
   volumes:
   - hostPath:
       path: /etc/kubernetes/
     name: addons
+  - hostPath:
+      path: /var/lib/localkube
+    name: kubeconfig

hack/jenkins/common.sh

@@ -75,6 +75,9 @@ ${SUDO_PREFIX}out/e2e-${OS_ARCH} -minikube-args="--vm-driver=${VM_DRIVER} --v=10
 result=$?
 set -e
 
+# See the KUBECONFIG file for debugging
+sudo cat $KUBECONFIG
+
 MINIKUBE_WANTREPORTERRORPROMPT=False sudo ./out/minikube-${OS_ARCH} delete \
 || MINIKUBE_WANTREPORTERRORPROMPT=False ./out/minikube-${OS_ARCH} delete \
 || true

hack/jenkins/linux_integration_tests_none.sh

@@ -30,7 +30,8 @@ OS_ARCH="linux-amd64"
 VM_DRIVER="none"
 JOB_NAME="Linux-None"
 EXTRA_BUILD_ARGS="$EXTRA_BUILD_ARGS --use-vendored-driver"
-SUDO_PREFIX="sudo "
+SUDO_PREFIX="sudo -E "
+export KUBECONFIG="/root/.kube/config"
 
 # Download files and set permissions
 source common.sh

hack/jenkins/print-debug-info.sh

@@ -20,11 +20,14 @@
 # the cluster state.
 set +e
 
+env
+${SUDO_PREFIX} cat $KUBECONFIG
+
 kubectl get pods --all-namespaces
 kubectl cluster-info dump
 
 # For the none driver
-journalctl -u localkube
+journalctl -u localkube -n 500
 ${SUDO_PREFIX}cat $KUBECONFIG
 
 cat $HOME/.kube/config

pkg/localkube/apiserver.go

@@ -41,8 +41,8 @@ func StartAPIServer(lk LocalkubeServer) func() error {
 	config.SecureServing.BindAddress = lk.APIServerAddress
 	config.SecureServing.BindPort = lk.APIServerPort
 
-	config.InsecureServing.BindAddress = lk.APIServerInsecureAddress
-	config.InsecureServing.BindPort = lk.APIServerInsecurePort
+	// 0 turns off insecure serving.
+	config.InsecureServing.BindPort = 0
 
 	config.Authentication.ClientCert.ClientCA = lk.GetCAPublicKeyCertPath()
 
@@ -86,7 +86,7 @@ func StartAPIServer(lk LocalkubeServer) func() error {
 }
 
 func readyFunc(lk LocalkubeServer) HealthCheck {
-	hostport := net.JoinHostPort(lk.APIServerInsecureAddress.String(), strconv.Itoa(lk.APIServerInsecurePort))
-	addr := "http://" + path.Join(hostport, "healthz")
-	return healthCheck(addr)
+	hostport := net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerPort))
+	addr := "https://" + path.Join(hostport, "healthz")
+	return healthCheck(addr, lk)
 }

pkg/localkube/controller-manager.go

@@ -19,6 +19,7 @@ package localkube
 import (
 	controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewControllerManagerServer() Server {
@@ -28,7 +29,7 @@ func (lk LocalkubeServer) NewControllerManagerServer() Server {
 func StartControllerManagerServer(lk LocalkubeServer) func() error {
 	config := options.NewCMServer()
 
-	config.Master = lk.GetAPIServerInsecureURL()
+	config.Kubeconfig = util.DefaultKubeConfigPath
 
 	// defaults from command
 	config.DeletingPodsQps = 0.1

pkg/localkube/kubelet.go

@@ -17,8 +17,10 @@ limitations under the License.
 package localkube
 
 import (
+	"k8s.io/apiserver/pkg/util/flag"
 	kubelet "k8s.io/kubernetes/cmd/kubelet/app"
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewKubeletServer() Server {
@@ -29,7 +31,8 @@ func StartKubeletServer(lk LocalkubeServer) func() error {
 	config := options.NewKubeletServer()
 
 	// Master details
-	config.APIServerList = []string{lk.GetAPIServerInsecureURL()}
+	config.KubeConfig = flag.NewStringFlag(util.DefaultKubeConfigPath)
+	config.RequireKubeConfig = true
 
 	// Set containerized based on the flag
 	config.Containerized = lk.Containerized

pkg/localkube/proxy.go

@@ -18,6 +18,7 @@ package localkube
 
 import (
 	kubeproxy "k8s.io/kubernetes/cmd/kube-proxy/app"
+	"k8s.io/minikube/pkg/util"
 
 	"time"
 
@@ -40,16 +41,17 @@ func StartProxyServer(lk LocalkubeServer) func() error {
 	config := &componentconfig.KubeProxyConfiguration{
 		OOMScoreAdj: &OOMScoreAdj,
 		ClientConnection: componentconfig.ClientConnectionConfiguration{
-			Burst: 10,
-			QPS:   5,
+			Burst:          10,
+			QPS:            5,
+			KubeConfigFile: util.DefaultKubeConfigPath,
 		},
 		ConfigSyncPeriod: v1.Duration{Duration: 15 * time.Minute},
 		IPTables: componentconfig.KubeProxyIPTablesConfiguration{
 			MasqueradeBit: &MasqueradeBit,
 			SyncPeriod:    v1.Duration{Duration: 30 * time.Second},
 			MinSyncPeriod: v1.Duration{Duration: 5 * time.Second},
 		},
-		BindAddress:  lk.APIServerInsecureAddress.String(),
+		BindAddress:  lk.APIServerAddress.String(),
 		Mode:         componentconfig.ProxyModeIPTables,
 		FeatureGates: lk.FeatureGates,
 		// Disable the healthz check
@@ -60,7 +62,7 @@ func StartProxyServer(lk LocalkubeServer) func() error {
 
 	return func() error {
 		// Creating this config requires the API Server to be up, so do it in the start function itself.
-		server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), lk.GetAPIServerInsecureURL())
+		server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "")
 		if err != nil {
 			panic(err)
 		}

pkg/localkube/ready.go

@@ -17,6 +17,8 @@ limitations under the License.
 package localkube
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"io/ioutil"
 	"net/http"
 
@@ -25,10 +27,33 @@ import (
 
 type HealthCheck func() bool
 
-func healthCheck(addr string) HealthCheck {
+func healthCheck(addr string, lk LocalkubeServer) HealthCheck {
 	return func() bool {
 		glog.Infof("Performing healthcheck on %s\n", addr)
-		resp, err := http.Get(addr)
+
+		cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
+		if err != nil {
+			glog.Error(err)
+			return false
+		}
+
+		// Load CA cert
+		caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
+		if err != nil {
+			glog.Warning(err)
+			return false
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      caCertPool,
+		}
+		tlsConfig.BuildNameToCertificate()
+		transport := &http.Transport{TLSClientConfig: tlsConfig}
+		client := &http.Client{Transport: transport}
+
+		resp, err := client.Get(addr)
 		if err != nil {
 			glog.Errorf("Error performing healthcheck: %s", err)
 			return false

pkg/localkube/ready_test.go

@@ -17,15 +17,21 @@ limitations under the License.
 package localkube
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
+
+	"k8s.io/minikube/pkg/minikube/tests"
 )
 
 func TestBasicHealthCheck(t *testing.T) {
 
-	tests := []struct {
+	tcs := []struct {
 		body          string
 		statusCode    int
 		shouldSucceed bool
@@ -34,17 +40,43 @@ func TestBasicHealthCheck(t *testing.T) {
 		{"notok", 200, false},
 	}
 
-	for _, tc := range tests {
+	tempDir := tests.MakeTempDir()
+	defer os.RemoveAll(tempDir)
+	lk := LocalkubeServer{LocalkubeDirectory: tempDir}
+	lk.GenerateCerts()
+
+	cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
+	if err != nil {
+		t.Fatalf("Unable to load server certs.")
+	}
+
+	caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
+	if err != nil {
+		t.Fatalf("Unable to load CA certs.")
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	tls := tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ClientCAs:    caCertPool,
+	}
+
+	tls.BuildNameToCertificate()
+
+	for _, tc := range tcs {
 		// Do this in a func so we can use defer.
 		doTest := func() {
 			handler := func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(tc.statusCode)
 				io.WriteString(w, tc.body)
 			}
-			server := httptest.NewServer(http.HandlerFunc(handler))
+			server := httptest.NewUnstartedServer(http.HandlerFunc(handler))
 			defer server.Close()
+			server.TLS = &tls
+			server.StartTLS()
 
-			hcFunc := healthCheck(server.URL)
+			hcFunc := healthCheck(server.URL, lk)
 			result := hcFunc()
 			if result != tc.shouldSucceed {
 				t.Errorf("Expected healthcheck to return %v. Got %v", result, tc.shouldSucceed)

pkg/localkube/scheduler.go

@@ -19,6 +19,7 @@ package localkube
 import (
 	scheduler "k8s.io/kubernetes/plugin/cmd/kube-scheduler/app"
 	"k8s.io/kubernetes/plugin/cmd/kube-scheduler/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewSchedulerServer() Server {
@@ -29,7 +30,7 @@ func StartSchedulerServer(lk LocalkubeServer) func() error {
 	config := options.NewSchedulerServer()
 
 	// master details
-	config.Master = lk.GetAPIServerInsecureURL()
+	config.Kubeconfig = util.DefaultKubeConfigPath
 
 	// defaults from command
 	config.EnableProfiling = true

pkg/localkube/storage_provisioner.go

@@ -19,10 +19,8 @@ package localkube
 import (
 	"errors"
 	"fmt"
-	"net"
 	"os"
 	"path"
-	"strconv"
 	"time"
 
 	"github.com/golang/glog"
@@ -34,7 +32,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/pkg/api/v1"
-	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/minikube/pkg/util"
 )
 
 const (
@@ -123,12 +122,12 @@ func (lk LocalkubeServer) NewStorageProvisionerServer() Server {
 
 func StartStorageProvisioner(lk LocalkubeServer) func() error {
 
-	// Create an InClusterConfig and use it to create a client for the controller
-	// to use to communicate with Kubernetes
-	config := rest.Config{Host: net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerInsecurePort))}
 	return func() error {
-
-		clientset, err := kubernetes.NewForConfig(&config)
+		config, err := clientcmd.BuildConfigFromFlags("", util.DefaultKubeConfigPath)
+		if err != nil {
+			return err
+		}
+		clientset, err := kubernetes.NewForConfig(config)
 		if err != nil {
 			glog.Fatalf("Failed to create client: %v", err)
 		}