refactor certificate controller

cmd/kube-controller-manager/app/BUILD

@@ -44,7 +44,8 @@ go_library(
         "//pkg/cloudprovider/providers/vsphere:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/controller/bootstrap:go_default_library",
-        "//pkg/controller/certificates:go_default_library",
+        "//pkg/controller/certificates/approver:go_default_library",
+        "//pkg/controller/certificates/signer:go_default_library",
         "//pkg/controller/cronjob:go_default_library",
         "//pkg/controller/daemon:go_default_library",
         "//pkg/controller/deployment:go_default_library",

cmd/kube-controller-manager/app/certificates.go

@@ -24,26 +24,47 @@ import (
 	"github.com/golang/glog"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	certcontroller "k8s.io/kubernetes/pkg/controller/certificates"
+	"k8s.io/kubernetes/pkg/controller/certificates/approver"
+	"k8s.io/kubernetes/pkg/controller/certificates/signer"
 )
 
-func startCSRController(ctx ControllerContext) (bool, error) {
+func startCSRSigningController(ctx ControllerContext) (bool, error) {
 	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] {
 		return false, nil
 	}
+	if ctx.Options.ClusterSigningCertFile == "" || ctx.Options.ClusterSigningKeyFile == "" {
+		return false, nil
+	}
 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
 
-	signer, err := certcontroller.NewCFSSLSigner(ctx.Options.ClusterSigningCertFile, ctx.Options.ClusterSigningKeyFile)
+	signer, err := signer.NewCSRSigningController(
+		c,
+		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
+		ctx.Options.ClusterSigningCertFile,
+		ctx.Options.ClusterSigningKeyFile,
+	)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
 		return false, nil
 	}
+	go signer.Run(1, ctx.Stop)
 
-	certController, err := certcontroller.NewCertificateController(
+	return true, nil
+}
+
+func startCSRApprovingController(ctx ControllerContext) (bool, error) {
+	if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] {
+		return false, nil
+	}
+	if ctx.Options.ApproveAllKubeletCSRsForGroup == "" {
+		return false, nil
+	}
+	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
+
+	approver, err := approver.NewCSRApprovingController(
 		c,
 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
-		signer,
-		certcontroller.NewGroupApprover(ctx.Options.ApproveAllKubeletCSRsForGroup),
+		ctx.Options.ApproveAllKubeletCSRsForGroup,
 	)
 	if err != nil {
 		// TODO this is failing consistently in test-cmd and local-up-cluster.sh.  Fix them and make it consistent with all others which
@@ -51,6 +72,7 @@ func startCSRController(ctx ControllerContext) (bool, error) {
 		glog.Errorf("Failed to start certificate controller: %v", err)
 		return false, nil
 	}
-	go certController.Run(1, ctx.Stop)
+	go approver.Run(1, ctx.Stop)
+
 	return true, nil
 }

cmd/kube-controller-manager/app/controllermanager.go

@@ -309,7 +309,8 @@ func NewControllerInitializers() map[string]InitFunc {
 	controllers["disruption"] = startDisruptionController
 	controllers["statefulset"] = startStatefulSetController
 	controllers["cronjob"] = startCronJobController
-	controllers["certificatesigningrequests"] = startCSRController
+	controllers["csrsigning"] = startCSRSigningController
+	controllers["csrapproving"] = startCSRApprovingController
 	controllers["ttl"] = startTTLController
 	controllers["bootstrapsigner"] = startBootstrapSignerController
 	controllers["tokencleaner"] = startTokenCleanerController