To inject ca.crt into container when projected volume was specified, configmap should be created in each namespace.
This patch add a controller called "root-ca-cert-publisher" to complete above job as well as some bootstrap rbac policies.
This commit is contained in:
WanLinghao
@@ -43,6 +43,7 @@ go_library(
|
||||
"//pkg/controller/bootstrap:go_default_library",
|
||||
"//pkg/controller/certificates/approver:go_default_library",
|
||||
"//pkg/controller/certificates/cleaner:go_default_library",
|
||||
"//pkg/controller/certificates/rootcacertpublisher:go_default_library",
|
||||
"//pkg/controller/certificates/signer:go_default_library",
|
||||
"//pkg/controller/clusterroleaggregation:go_default_library",
|
||||
"//pkg/controller/cronjob:go_default_library",
|
||||
|
||||
@@ -29,10 +29,13 @@ import (
|
||||
"net/http"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
kubeoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/approver"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/signer"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
)
|
||||
|
||||
func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) {
|
||||
@@ -120,3 +123,33 @@ func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error
|
||||
go cleaner.Run(1, ctx.Stop)
|
||||
return nil, true, nil
|
||||
}
|
||||
|
||||
func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) {
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
||||
return nil, false, nil
|
||||
}
|
||||
|
||||
var (
|
||||
rootCA []byte
|
||||
err error
|
||||
)
|
||||
if ctx.ComponentConfig.SAController.RootCAFile != "" {
|
||||
if rootCA, err = readCA(ctx.ComponentConfig.SAController.RootCAFile); err != nil {
|
||||
return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
|
||||
}
|
||||
} else {
|
||||
rootCA = ctx.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData
|
||||
}
|
||||
|
||||
sac, err := rootcacertpublisher.NewPublisher(
|
||||
ctx.InformerFactory.Core().V1().ConfigMaps(),
|
||||
ctx.InformerFactory.Core().V1().Namespaces(),
|
||||
ctx.ClientBuilder.ClientOrDie("root-ca-cert-publisher"),
|
||||
rootCA,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, true, fmt.Errorf("error creating root CA certificate publisher: %v", err)
|
||||
}
|
||||
go sac.Run(1, ctx.Stop)
|
||||
return nil, true, nil
|
||||
}
|
||||
|
||||
@@ -39,6 +39,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/apiserver/pkg/server/mux"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
apiserverflag "k8s.io/apiserver/pkg/util/flag"
|
||||
cacheddiscovery "k8s.io/client-go/discovery/cached"
|
||||
"k8s.io/client-go/informers"
|
||||
@@ -54,6 +55,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/controller"
|
||||
kubectrlmgrconfig "k8s.io/kubernetes/pkg/controller/apis/config"
|
||||
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
"k8s.io/kubernetes/pkg/util/configz"
|
||||
utilflag "k8s.io/kubernetes/pkg/util/flag"
|
||||
@@ -333,6 +335,7 @@ func KnownControllers() []string {
|
||||
var ControllersDisabledByDefault = sets.NewString(
|
||||
"bootstrapsigner",
|
||||
"tokencleaner",
|
||||
"root_ca_crt_publisher",
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -379,6 +382,9 @@ func NewControllerInitializers(loopMode ControllerLoopMode) map[string]InitFunc
|
||||
controllers["pvc-protection"] = startPVCProtectionController
|
||||
controllers["pv-protection"] = startPVProtectionController
|
||||
controllers["ttl-after-finished"] = startTTLAfterFinishedController
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
||||
controllers["root_ca_crt_publisher"] = startRootCACertPublisher
|
||||
}
|
||||
|
||||
return controllers
|
||||
}
|
||||
@@ -524,11 +530,7 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController
|
||||
|
||||
var rootCA []byte
|
||||
if ctx.ComponentConfig.SAController.RootCAFile != "" {
|
||||
rootCA, err = ioutil.ReadFile(ctx.ComponentConfig.SAController.RootCAFile)
|
||||
if err != nil {
|
||||
return nil, true, fmt.Errorf("error reading root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
|
||||
}
|
||||
if _, err := certutil.ParseCertsPEM(rootCA); err != nil {
|
||||
if rootCA, err = readCA(ctx.ComponentConfig.SAController.RootCAFile); err != nil {
|
||||
return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
|
||||
}
|
||||
} else {
|
||||
@@ -558,3 +560,15 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController
|
||||
|
||||
return nil, true, nil
|
||||
}
|
||||
|
||||
func readCA(file string) ([]byte, error) {
|
||||
rootCA, err := ioutil.ReadFile(file)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if _, err := certutil.ParseCertsPEM(rootCA); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return rootCA, err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user