Merge pull request #90822 from deads2k/csr-separate-signer-flags-02
allow setting different certificates for kube-controller-managed CSR signers
@@ -28,7 +28,27 @@ type CSRSigningControllerConfiguration struct {
|
||||
// clusterSigningCertFile is the filename containing a PEM-encoded
|
||||
// RSA or ECDSA private key used to issue cluster-scoped certificates
|
||||
ClusterSigningKeyFile string
|
||||
|
||||
// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
|
||||
KubeletServingSignerConfiguration CSRSigningConfiguration
|
||||
// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
|
||||
KubeletClientSignerConfiguration CSRSigningConfiguration
|
||||
// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
|
||||
KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
|
||||
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
|
||||
LegacyUnknownSignerConfiguration CSRSigningConfiguration
|
||||
|
||||
// clusterSigningDuration is the length of duration signed certificates
|
||||
// will be given.
|
||||
ClusterSigningDuration metav1.Duration
|
||||
}
|
||||
|
||||
// CSRSigningConfiguration holds information about a particular CSR signer
|
||||
type CSRSigningConfiguration struct {
|
||||
// certFile is the filename containing a PEM-encoded
|
||||
// X509 CA certificate used to issue certificates
|
||||
CertFile string
|
||||
// keyFile is the filename containing a PEM-encoded
|
||||
// RSA or ECDSA private key used to issue certificates
|
||||
KeyFile string
|
||||
}
|
||||
|
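Review bot: The four new per-signer fields (KubeletServingSignerConfiguration through LegacyUnknownSignerConfiguration) sit beside the retained ClusterSigningCertFile/ClusterSigningKeyFile, but no comment states which pair is used when both are set, or what an empty per-signer CertFile/KeyFile means — fallback to the cluster-wide signing key, or that signer not issuing at all. Because each KeyFile names a CA private key whose certificates are trusted cluster-wide, an operator reading this type needs that precedence spelled out; I would add one sentence to each per-signer comment, e.g. `// If CertFile and KeyFile are empty, <fallback-or-disabled behaviour — confirm against the signer controller>`, and the same sentence on CSRSigningConfiguration. Separately, the comments on KubeletClientSignerConfiguration, KubeAPIServerClientSignerConfiguration and LegacyUnknownSignerConfiguration end with the bare signer name, while the kubelet-serving one says "signer"; `// ... for the kubernetes.io/kube-apiserver-client-kubelet signer` keeps them parallel. The enclosing CSRSigningControllerConfiguration struct starts outside the hunk, so the struct-level comment (if any) could not be checked for the same information.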
@@ -34,12 +34,6 @@ import (
|
||||
// run it in your wrapper struct of this type in its `SetDefaults_` method.
|
||||
func RecommendedDefaultCSRSigningControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.CSRSigningControllerConfiguration) {
|
||||
zero := metav1.Duration{}
|
||||
if obj.ClusterSigningCertFile == "" {
|
||||
obj.ClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
|
||||
}
|
||||
if obj.ClusterSigningKeyFile == "" {
|
||||
obj.ClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
|
||||
}
|
||||
if obj.ClusterSigningDuration == zero {
|
||||
obj.ClusterSigningDuration = metav1.Duration{Duration: 365 * 24 * time.Hour}
|
||||
}
|
||||
|
@@ -35,6 +35,16 @@ func init() {
|
||||
// RegisterConversions adds conversion functions to the given scheme.
|
||||
// Public to allow building arbitrary schemes.
|
||||
func RegisterConversions(s *runtime.Scheme) error {
|
||||
if err := s.AddGeneratedConversionFunc((*v1alpha1.CSRSigningConfiguration)(nil), (*config.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(a.(*v1alpha1.CSRSigningConfiguration), b.(*config.CSRSigningConfiguration), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*config.CSRSigningConfiguration)(nil), (*v1alpha1.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(a.(*config.CSRSigningConfiguration), b.(*v1alpha1.CSRSigningConfiguration), scope)
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := s.AddGeneratedConversionFunc((*v1alpha1.GroupResource)(nil), (*v1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||
return Convert_v1alpha1_GroupResource_To_v1_GroupResource(a.(*v1alpha1.GroupResource), b.(*v1.GroupResource), scope)
|
||||
}); err != nil {
|
||||
@@ -58,9 +68,43 @@ func RegisterConversions(s *runtime.Scheme) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
|
||||
out.CertFile = in.CertFile
|
||||
out.KeyFile = in.KeyFile
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration is an autogenerated conversion function.
|
||||
func Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
|
||||
return autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
|
||||
out.CertFile = in.CertFile
|
||||
out.KeyFile = in.KeyFile
|
||||
return nil
|
||||
}
|
||||
|
||||
// Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration is an autogenerated conversion function.
|
||||
func Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
|
||||
return autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in, out, s)
|
||||
}
|
||||
|
||||
func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigningControllerConfiguration(in *v1alpha1.CSRSigningControllerConfiguration, out *config.CSRSigningControllerConfiguration, s conversion.Scope) error {
|
||||
out.ClusterSigningCertFile = in.ClusterSigningCertFile
|
||||
out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
|
||||
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
out.ClusterSigningDuration = in.ClusterSigningDuration
|
||||
return nil
|
||||
}
|
||||
@@ -68,6 +112,18 @@ func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigning
|
||||
func autoConvert_config_CSRSigningControllerConfiguration_To_v1alpha1_CSRSigningControllerConfiguration(in *config.CSRSigningControllerConfiguration, out *v1alpha1.CSRSigningControllerConfiguration, s conversion.Scope) error {
|
||||
out.ClusterSigningCertFile = in.ClusterSigningCertFile
|
||||
out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
|
||||
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
|
||||
return err
|
||||
}
|
||||
out.ClusterSigningDuration = in.ClusterSigningDuration
|
||||
return nil
|
||||
}
|
||||
|
@@ -20,9 +20,29 @@ limitations under the License.
|
||||
|
||||
package config
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
|
||||
func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(CSRSigningConfiguration)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
|
||||
*out = *in
|
||||
out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
|
||||
out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
|
||||
out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
|
||||
out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
|
||||
out.ClusterSigningDuration = in.ClusterSigningDuration
|
||||
return
|
||||
}
|
||||
|