Merge pull request #90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers
2020-07-18 03:10:50 -07:00
parent 242f3d9dce 1233a6f63e
commit 05f6812c2d
12 changed files with 652 additions and 82 deletions
--- a/pkg/controller/certificates/signer/config/types.go
+++ b/pkg/controller/certificates/signer/config/types.go
@@ -28,7 +28,27 @@ type CSRSigningControllerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+
+	// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
+	KubeletServingSignerConfiguration CSRSigningConfiguration
+	// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
+	KubeletClientSignerConfiguration CSRSigningConfiguration
+	// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
+	KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
+	// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
+	LegacyUnknownSignerConfiguration CSRSigningConfiguration
+
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 }
+
+// CSRSigningConfiguration holds information about a particular CSR signer
+type CSRSigningConfiguration struct {
+	// certFile is the filename containing a PEM-encoded
+	// X509 CA certificate used to issue certificates
+	CertFile string
+	// keyFile is the filename containing a PEM-encoded
+	// RSA or ECDSA private key used to issue certificates
+	KeyFile string
+}
--- a/pkg/controller/certificates/signer/config/v1alpha1/defaults.go
+++ b/pkg/controller/certificates/signer/config/v1alpha1/defaults.go
@@ -34,12 +34,6 @@ import (
 // run it in your wrapper struct of this type in its `SetDefaults_` method.
 func RecommendedDefaultCSRSigningControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.CSRSigningControllerConfiguration) {
 	zero := metav1.Duration{}
-	if obj.ClusterSigningCertFile == "" {
-		obj.ClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
-	}
-	if obj.ClusterSigningKeyFile == "" {
-		obj.ClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
-	}
 	if obj.ClusterSigningDuration == zero {
 		obj.ClusterSigningDuration = metav1.Duration{Duration: 365 * 24 * time.Hour}
 	}
--- a/pkg/controller/certificates/signer/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/controller/certificates/signer/config/v1alpha1/zz_generated.conversion.go
@@ -35,6 +35,16 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*v1alpha1.CSRSigningConfiguration)(nil), (*config.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(a.(*v1alpha1.CSRSigningConfiguration), b.(*config.CSRSigningConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.CSRSigningConfiguration)(nil), (*v1alpha1.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(a.(*config.CSRSigningConfiguration), b.(*v1alpha1.CSRSigningConfiguration), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*v1alpha1.GroupResource)(nil), (*v1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_GroupResource_To_v1_GroupResource(a.(*v1alpha1.GroupResource), b.(*v1.GroupResource), scope)
 	}); err != nil {
@@ -58,9 +68,43 @@ func RegisterConversions(s *runtime.Scheme) error {
 	return nil
 }

+func autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
+	out.CertFile = in.CertFile
+	out.KeyFile = in.KeyFile
+	return nil
+}
+
+// Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration is an autogenerated conversion function.
+func Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
+	return autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in, out, s)
+}
+
+func autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
+	out.CertFile = in.CertFile
+	out.KeyFile = in.KeyFile
+	return nil
+}
+
+// Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration is an autogenerated conversion function.
+func Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
+	return autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in, out, s)
+}
+
 func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigningControllerConfiguration(in *v1alpha1.CSRSigningControllerConfiguration, out *config.CSRSigningControllerConfiguration, s conversion.Scope) error {
 	out.ClusterSigningCertFile = in.ClusterSigningCertFile
 	out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
+		return err
+	}
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return nil
 }
@@ -68,6 +112,18 @@ func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigning
 func autoConvert_config_CSRSigningControllerConfiguration_To_v1alpha1_CSRSigningControllerConfiguration(in *config.CSRSigningControllerConfiguration, out *v1alpha1.CSRSigningControllerConfiguration, s conversion.Scope) error {
 	out.ClusterSigningCertFile = in.ClusterSigningCertFile
 	out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
+		return err
+	}
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return nil
 }
--- a/pkg/controller/certificates/signer/config/zz_generated.deepcopy.go
+++ b/pkg/controller/certificates/signer/config/zz_generated.deepcopy.go
@@ -20,9 +20,29 @@ limitations under the License.

 package config

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
+func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CSRSigningConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
 	*out = *in
+	out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
+	out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
+	out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
+	out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return
 }