diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 7b9b74a3..e69b4629 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -348,7 +348,7 @@
 },
 {
 "ImportPath": "k8s.io/api",
- "Rev": "d155b85a4fda"
+ "Rev": "0cf4f255cdfe"
 },
 {
 "ImportPath": "k8s.io/apimachinery",
diff --git a/go.mod b/go.mod
index 3eb17206..a5002e8b 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
 google.golang.org/appengine v1.5.0 // indirect
- k8s.io/api v0.0.0-20200226122402-d155b85a4fda
+ k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe
 k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c
 k8s.io/klog v1.0.0
 k8s.io/utils v0.0.0-20200117235808-5f6fbceb4c31
@@ -38,6 +38,6 @@ require (
 replace (
 golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
- k8s.io/api => k8s.io/api v0.0.0-20200226122402-d155b85a4fda
+ k8s.io/api => k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe
 k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c
 )
diff --git a/go.sum b/go.sum
index c7995045..2e424eaa 100644
--- a/go.sum
+++ b/go.sum
@@ -182,7 +182,7 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20200226122402-d155b85a4fda/go.mod h1:brPp6rLV9ZWi2IgXmvCsY7TKw2l27eF4rfCHlyW88ys=
+k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe/go.mod h1:brPp6rLV9ZWi2IgXmvCsY7TKw2l27eF4rfCHlyW88ys=
 k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c/go.mod h1:5X8oEhnd931nEg6/Nkumo00nT6ZsCLp2h7Xwd7Ym6P4=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
diff --git a/util/certificate/certificate_manager.go b/util/certificate/certificate_manager.go
index 1af46aba..48eb7b3c 100644
--- a/util/certificate/certificate_manager.go
+++ b/util/certificate/certificate_manager.go
@@ -85,6 +85,9 @@ type Config struct {
 // If no template is available, nil may be returned, and no certificate will be requested.
 // If specified, takes precedence over Template.
 GetTemplate func() *x509.CertificateRequest
+ // SignerName is the name of the certificate signer that should sign certificates
+ // generated by the manager.
+ SignerName string
 // Usages is the types of usages that certificates generated by the manager
 // can be used for.
 Usages []certificates.KeyUsage
@@ -174,6 +177,7 @@ type manager struct {
 lastRequest *x509.CertificateRequest
 dynamicTemplate bool
+ signerName string
 usages []certificates.KeyUsage
 forceRotation bool
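Review bot: The new Config.SignerName comment does not say what happens when the field is left empty, which every existing caller of NewManager will do because the field did not exist before this change. From the csr.go hunk in this same diff the value is forwarded unchanged into the CSR spec, so the comment should tell the caller whether empty is acceptable and who then chooses the signer. I would extend it to `// SignerName is the name of the certificate signer that should sign certificates` / `// generated by the manager. It is sent as-is in every CSR; see csr.RequestCertificate` / `// for how an empty value is handled.` The manager struct hunk below needs no comment of its own; the Config field is the documented surface.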
@@ -219,6 +223,7 @@ func NewManager(config *Config) (Manager, error) {
 clientFn: config.ClientFn,
 getTemplate: getTemplate,
 dynamicTemplate: config.GetTemplate != nil,
+ signerName: config.SignerName,
 usages: config.Usages,
 certStore: config.CertificateStore,
 cert: cert,
@@ -424,7 +429,7 @@ func (m *manager) rotateCerts() (bool, error) {
 // Call the Certificate Signing Request API to get a certificate for the
 // new private key.
- req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey)
+ req, err := csr.RequestCertificate(client, csrPEM, "", m.signerName, m.usages, privateKey)
 if err != nil {
 utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err))
 if m.certificateRenewFailure != nil {
diff --git a/util/certificate/csr/csr.go b/util/certificate/csr/csr.go
index 19f42238..c5766d24 100644
--- a/util/certificate/csr/csr.go
+++ b/util/certificate/csr/csr.go
@@ -46,7 +46,7 @@ import (
 // status, once approved by API server, it will return the API server's issued
 // certificate (pem-encoded). If there is any errors, or the watch timeouts, it
 // will return an error.
-func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
+func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, signerName string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
 csr := &certificates.CertificateSigningRequest{
 // Username, UID, Groups will be injected by API server.
 TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
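Review bot: The doc comment on RequestCertificate (the context lines directly above the changed signature in the csr.go hunk) is not updated for the new signerName parameter, so the only place a caller learns what to pass is the struct literal further down. The comment should name the parameter and say that it becomes Spec.SignerName of the created CSR, for example `// signerName is placed in Spec.SignerName of the created CSR and selects the signer that should issue the certificate.` It should also state how an empty value is sent, since the rotateCerts hunk in certificate_manager.go forwards m.signerName without checking it. The function body continues past this hunk.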
@@ -54,8 +54,9 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
 Name: name,
 },
 Spec: certificates.CertificateSigningRequestSpec{
- Request: csrData,
- Usages: usages,
+ Request: csrData,
+ Usages: usages,
+ SignerName: &signerName,
 },
 }
 if len(csr.Name) == 0 {
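Review bot: `SignerName: &signerName` always stores a non-nil pointer, so a caller that passes an empty string (the rotateCerts call in certificate_manager.go forwards m.signerName, which existing Config users never set) now sends a CSR whose signerName is present but empty rather than absent. Whether the API server defaults or rejects an explicit empty signerName is decided by its defaulting and validation, which are not visible here, and since the signer name selects who issues the certificate the difference matters for those callers. Leaving the pointer nil when no name is given preserves the previous wire shape: remove `SignerName: &signerName,` from the literal and, after the struct is built, add `if signerName != "" { csr.Spec.SignerName = &signerName }`. A test for the empty and non-empty cases would pin this down. The function, including the csr.Name check that starts at the bottom of this hunk, continues outside the hunk.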