Merge pull request #46058 from jcbsmpsn/configure-certificate-duration

Automatic merge from submit-queue Add support for specifying certificate duration at runtime.
2017-05-26 11:02:03 -07:00
parent 2ada6e62d5 07e9b0e197
commit bcad534ebc
7 changed files with 27 additions and 21 deletions
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
 		ctx.Options.ClusterSigningCertFile,
 		ctx.Options.ClusterSigningKeyFile,
+		ctx.Options.ClusterSigningDuration.Duration,
 	)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
--- a/cmd/kube-controller-manager/app/options/BUILD
+++ b/cmd/kube-controller-manager/app/options/BUILD
@@ -17,6 +17,7 @@ go_library(
        "//pkg/controller/garbagecollector:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/master/ports:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -35,6 +35,7 @@ import (
 	// add the kubernetes feature gates
 	_ "k8s.io/kubernetes/pkg/features"

+	"github.com/cloudflare/cfssl/helpers"
 	"github.com/spf13/pflag"
 )

@@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
 			GCIgnoredResources:                    gcIgnoredResources,
 			ClusterSigningCertFile:                "/etc/kubernetes/ca/ca.pem",
 			ClusterSigningKeyFile:                 "/etc/kubernetes/ca/ca.key",
+			ClusterSigningDuration:                metav1.Duration{Duration: helpers.OneYear},
 			ReconcilerSyncLoopPeriod:              metav1.Duration{Duration: 60 * time.Second},
 			EnableTaintManager:                    true,
 			HorizontalPodAutoscalerUseRESTClients: false,
@@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
 	fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
+	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")