Merge pull request #90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers
This commit is contained in:
Kubernetes Prow Robot
2020-07-18 03:10:50 -07:00
committed by GitHub
12 changed files with 652 additions and 82 deletions

View File

@@ -28,7 +28,27 @@ type CSRSigningControllerConfiguration struct {
// clusterSigningCertFile is the filename containing a PEM-encoded
// RSA or ECDSA private key used to issue cluster-scoped certificates
ClusterSigningKeyFile string
// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
KubeletServingSignerConfiguration CSRSigningConfiguration
// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
KubeletClientSignerConfiguration CSRSigningConfiguration
// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
ClusterSigningDuration metav1.Duration
}
// CSRSigningConfiguration holds information about a particular CSR signer
type CSRSigningConfiguration struct {
// certFile is the filename containing a PEM-encoded
// X509 CA certificate used to issue certificates
CertFile string
// keyFile is the filename containing a PEM-encoded
// RSA or ECDSA private key used to issue certificates
KeyFile string
}

View File

@@ -34,12 +34,6 @@ import (
// run it in your wrapper struct of this type in its `SetDefaults_` method.
func RecommendedDefaultCSRSigningControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.CSRSigningControllerConfiguration) {
zero := metav1.Duration{}
if obj.ClusterSigningCertFile == "" {
obj.ClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
}
if obj.ClusterSigningKeyFile == "" {
obj.ClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
}
if obj.ClusterSigningDuration == zero {
obj.ClusterSigningDuration = metav1.Duration{Duration: 365 * 24 * time.Hour}
}

View File

@@ -35,6 +35,16 @@ func init() {
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*v1alpha1.CSRSigningConfiguration)(nil), (*config.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(a.(*v1alpha1.CSRSigningConfiguration), b.(*config.CSRSigningConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*config.CSRSigningConfiguration)(nil), (*v1alpha1.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(a.(*config.CSRSigningConfiguration), b.(*v1alpha1.CSRSigningConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1alpha1.GroupResource)(nil), (*v1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_GroupResource_To_v1_GroupResource(a.(*v1alpha1.GroupResource), b.(*v1.GroupResource), scope)
}); err != nil {
@@ -58,9 +68,43 @@ func RegisterConversions(s *runtime.Scheme) error {
return nil
}
func autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
out.CertFile = in.CertFile
out.KeyFile = in.KeyFile
return nil
}
// Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration is an autogenerated conversion function.
func Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
return autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in, out, s)
}
func autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
out.CertFile = in.CertFile
out.KeyFile = in.KeyFile
return nil
}
// Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration is an autogenerated conversion function.
func Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
return autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in, out, s)
}
func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigningControllerConfiguration(in *v1alpha1.CSRSigningControllerConfiguration, out *config.CSRSigningControllerConfiguration, s conversion.Scope) error {
out.ClusterSigningCertFile = in.ClusterSigningCertFile
out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
return err
}
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
return err
}
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
return err
}
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
return err
}
out.ClusterSigningDuration = in.ClusterSigningDuration
return nil
}
@@ -68,6 +112,18 @@ func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigning
func autoConvert_config_CSRSigningControllerConfiguration_To_v1alpha1_CSRSigningControllerConfiguration(in *config.CSRSigningControllerConfiguration, out *v1alpha1.CSRSigningControllerConfiguration, s conversion.Scope) error {
out.ClusterSigningCertFile = in.ClusterSigningCertFile
out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
return err
}
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
return err
}
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
return err
}
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
return err
}
out.ClusterSigningDuration = in.ClusterSigningDuration
return nil
}

View File

@@ -20,9 +20,29 @@ limitations under the License.
package config
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
if in == nil {
return nil
}
out := new(CSRSigningConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
*out = *in
out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
out.ClusterSigningDuration = in.ClusterSigningDuration
return
}