Merge pull request #88246 from munnerz/csr-signername-controllers

Update CSR controllers & kubelet to respect signerName field

Kubernetes-commit: 03b7f272c8287fdaafa67b82f1c577a96c5a238a
This commit is contained in:
Kubernetes Publisher 2020-02-28 23:38:39 -08:00
commit bcb30edc8b
5 changed files with 14 additions and 8 deletions

Godeps/Godeps.json generated

@ -348,7 +348,7 @@
},
{
"ImportPath": "k8s.io/api",
"Rev": "d155b85a4fda"
"Rev": "0cf4f255cdfe"
},
{
"ImportPath": "k8s.io/apimachinery",

go.mod

@ -28,7 +28,7 @@ require (
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
google.golang.org/appengine v1.5.0 // indirect
k8s.io/api v0.0.0-20200226122402-d155b85a4fda
k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe
k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c
k8s.io/klog v1.0.0
k8s.io/utils v0.0.0-20200117235808-5f6fbceb4c31
@ -38,6 +38,6 @@ require (
replace (
golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
k8s.io/api => k8s.io/api v0.0.0-20200226122402-d155b85a4fda
k8s.io/api => k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c
)

go.sum

@ -182,7 +182,7 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.0.0-20200226122402-d155b85a4fda/go.mod h1:brPp6rLV9ZWi2IgXmvCsY7TKw2l27eF4rfCHlyW88ys=
k8s.io/api v0.0.0-20200229073839-0cf4f255cdfe/go.mod h1:brPp6rLV9ZWi2IgXmvCsY7TKw2l27eF4rfCHlyW88ys=
k8s.io/apimachinery v0.0.0-20200214081019-2373d029717c/go.mod h1:5X8oEhnd931nEg6/Nkumo00nT6ZsCLp2h7Xwd7Ym6P4=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=


@ -85,6 +85,9 @@ type Config struct {
// If no template is available, nil may be returned, and no certificate will be requested.
// If specified, takes precedence over Template.
GetTemplate func() *x509.CertificateRequest
// SignerName is the name of the certificate signer that should sign certificates
// generated by the manager.
SignerName string
// Usages is the types of usages that certificates generated by the manager
// can be used for.
Usages []certificates.KeyUsage
@ -174,6 +177,7 @@ type manager struct {
lastRequest *x509.CertificateRequest
dynamicTemplate bool
signerName string
usages []certificates.KeyUsage
forceRotation bool
@ -219,6 +223,7 @@ func NewManager(config *Config) (Manager, error) {
clientFn: config.ClientFn,
getTemplate: getTemplate,
dynamicTemplate: config.GetTemplate != nil,
signerName: config.SignerName,
usages: config.Usages,
certStore: config.CertificateStore,
cert: cert,
@ -424,7 +429,7 @@ func (m *manager) rotateCerts() (bool, error) {
// Call the Certificate Signing Request API to get a certificate for the
// new private key.
req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey)
req, err := csr.RequestCertificate(client, csrPEM, "", m.signerName, m.usages, privateKey)
if err != nil {
utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err))
if m.certificateRenewFailure != nil {
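Review bot: The new `SignerName` comment on `Config` does not say whether the field may be left empty or what an empty value means, yet `NewManager` copies it into the manager without any check and `rotateCerts` forwards `m.signerName` to `csr.RequestCertificate` on every rotation. Since this value selects which signer is asked to issue the manager's certificate, the empty case should be explicit in the doc, e.g. extend the comment with `// An empty value is forwarded unchanged to the CSR API; callers should set it to the signer they expect to issue this certificate.` If an empty name is never valid for this manager, `NewManager` is the place to reject it alongside the other config checks. The bodies of `NewManager` and `rotateCerts` continue outside the hunk, so any existing validation there is not visible here.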


@ -46,7 +46,7 @@ import (
// status, once approved by API server, it will return the API server's issued
// certificate (pem-encoded). If there is any errors, or the watch timeouts, it
// will return an error.
func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, signerName string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
csr := &certificates.CertificateSigningRequest{
// Username, UID, Groups will be injected by API server.
TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
@ -54,8 +54,9 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
Name: name,
},
Spec: certificates.CertificateSigningRequestSpec{
Request: csrData,
Usages: usages,
Request: csrData,
Usages: usages,
SignerName: &signerName,
},
}
if len(csr.Name) == 0 {
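Review bot: `SignerName: &signerName` on the added line always produces a non-nil pointer, so a caller passing `""` now sends an explicitly empty signer name instead of leaving the field unset; if the API server treats an unset field differently from an empty one (for example by defaulting only the former or rejecting the latter), callers that previously had no signer name see a behaviour change. Consider setting the pointer only when a value was supplied, after the literal: `if signerName != "" {` / `csr.Spec.SignerName = &signerName` / `}`. The doc comment above the signature should also gain a line for the new parameter, e.g. `// signerName names the signer that should issue the certificate and is placed in the CSR spec.` The body of RequestCertificate continues past the hunk.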