add an option to controller-manager to auto approve all CSRs

pkg/controller/certificates/controller.go

@@ -17,12 +17,11 @@ limitations under the License.
 package certificates
 
 import (
+	"fmt"
+	"reflect"
+	"strings"
 	"time"
 
-	"github.com/cloudflare/cfssl/config"
-	"github.com/cloudflare/cfssl/signer"
-	"github.com/cloudflare/cfssl/signer/local"
-	"github.com/golang/glog"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/client/cache"
@@ -32,10 +31,16 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/framework"
 	"k8s.io/kubernetes/pkg/runtime"
+	utilcertificates "k8s.io/kubernetes/pkg/util/certificates"
 	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
 	"k8s.io/kubernetes/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/util/workqueue"
 	"k8s.io/kubernetes/pkg/watch"
+
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+	"github.com/golang/glog"
 )
 
 type CertificateController struct {
@@ -49,12 +54,14 @@ type CertificateController struct {
 	updateHandler func(csr *certificates.CertificateSigningRequest) error
 	syncHandler   func(csrKey string) error
 
+	approveAllKubeletCSRsForGroup string
+
 	signer *local.Signer
 
 	queue *workqueue.Type
 }
 
-func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Duration, caCertFile, caKeyFile string) (*CertificateController, error) {
+func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Duration, caCertFile, caKeyFile string, approveAllKubeletCSRsForGroup string) (*CertificateController, error) {
 	// Send events to the apiserver
 	eventBroadcaster := record.NewBroadcaster()
 	eventBroadcaster.StartLogging(glog.Infof)
@@ -74,6 +81,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
 		kubeClient: kubeClient,
 		queue:      workqueue.New(),
 		signer:     ca,
+		approveAllKubeletCSRsForGroup: approveAllKubeletCSRsForGroup,
 	}
 
 	// Manage the addition/update of certificate requests
@@ -181,6 +189,11 @@ func (cc *CertificateController) maybeSignCertificate(key string) error {
 	}
 	csr := obj.(*certificates.CertificateSigningRequest)
 
+	csr, err = cc.maybeAutoApproveCSR(csr)
+	if err != nil {
+		return fmt.Errorf("error auto approving csr: %v", err)
+	}
+
 	// At this point, the controller needs to:
 	// 1. Check the approval conditions
 	// 2. Generate a signed certificate
@@ -198,3 +211,47 @@ func (cc *CertificateController) maybeSignCertificate(key string) error {
 
 	return cc.updateCertificateRequestStatus(csr)
 }
+
+func (cc *CertificateController) maybeAutoApproveCSR(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
+	// short-circuit if we're not auto-approving
+	if cc.approveAllKubeletCSRsForGroup == "" {
+		return csr, nil
+	}
+	// short-circuit if we're already approved or denied
+	if approved, denied := getCertApprovalCondition(&csr.Status); approved || denied {
+		return csr, nil
+	}
+
+	isKubeletBootstrapGroup := false
+	for _, g := range csr.Spec.Groups {
+		if g == cc.approveAllKubeletCSRsForGroup {
+			isKubeletBootstrapGroup = true
+			break
+		}
+	}
+	if !isKubeletBootstrapGroup {
+		return csr, nil
+	}
+
+	x509cr, err := utilcertificates.ParseCertificateRequestObject(csr)
+	if err != nil {
+		glog.Errorf("unable to parse csr %q: %v", csr.ObjectMeta.Name, err)
+		return csr, nil
+	}
+	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
+		return csr, nil
+	}
+	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
+		return csr, nil
+	}
+	if len(x509cr.DNSNames)+len(x509cr.EmailAddresses)+len(x509cr.IPAddresses) != 0 {
+		return csr, nil
+	}
+
+	csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
+		Type:    certificates.CertificateApproved,
+		Reason:  "AutoApproved",
+		Message: "Auto approving of all kubelet CSRs is enabled on the controller manager",
+	})
+	return cc.kubeClient.Certificates().CertificateSigningRequests().UpdateApproval(csr)
+}