Merge pull request #90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers

api/api-rules/violation_exceptions.list

@@ -472,9 +472,15 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,
 API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,Type
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,AttachDetachControllerConfiguration,DisableAttachDetachReconcilerSync
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,AttachDetachControllerConfiguration,ReconcilerSyncLoopPeriod
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningConfiguration,CertFile
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningConfiguration,KeyFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningCertFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningDuration
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningKeyFile
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeAPIServerClientSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeletClientSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeletServingSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,LegacyUnknownSignerConfiguration
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CloudProviderConfiguration,CloudConfigFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CloudProviderConfiguration,Name
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,DaemonSetControllerConfiguration,ConcurrentDaemonSetSyncs

cmd/kube-controller-manager/app/BUILD

@@ -160,9 +160,13 @@ go_library(
 
 go_test(
     name = "go_default_test",
-    srcs = ["core_test.go"],
+    srcs = [
+        "certificates_test.go",
+        "core_test.go",
+    ],
     embed = [":go_default_library"],
     deps = [
+        "//pkg/controller/certificates/signer/config:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/client-go/discovery:go_default_library",
         "//staging/src/k8s.io/client-go/discovery/fake:go_default_library",

cmd/kube-controller-manager/app/certificates.go

@@ -22,14 +22,11 @@ package app
 
 import (
 	"fmt"
-	"os"
-
 	"net/http"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
-	kubeoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/controller/certificates/approver"
 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
 	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
@@ -44,87 +41,129 @@ func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error
 		klog.Warningf("Resource %s is not available now", gvr.String())
 		return nil, false, nil
 	}
-	if ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == "" {
+	missingSingleSigningFile := ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == ""
+	if missingSingleSigningFile && !anySpecificFilesSet(ctx.ComponentConfig.CSRSigningController) {
 		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified")
 		return nil, false, nil
 	}
-
+	if !missingSingleSigningFile && anySpecificFilesSet(ctx.ComponentConfig.CSRSigningController) {
-	// Deprecation warning for old defaults.
+		return nil, false, fmt.Errorf("cannot specify default and per controller certs at the same time")
-	//
-	// * If the signing cert and key are the default paths but the files
-	// exist, warn that the paths need to be specified explicitly in a
-	// later release and the defaults will be removed. We don't expect this
-	// to be the case.
-	//
-	// * If the signing cert and key are default paths but the files don't exist,
-	// bail out of startController without logging.
-	var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
-
-	_, err := os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile)
-	certFileExists = !os.IsNotExist(err)
-
-	certUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == kubeoptions.DefaultClusterSigningCertFile)
-
-	_, err = os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile)
-	keyFileExists = !os.IsNotExist(err)
-
-	keyUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == kubeoptions.DefaultClusterSigningKeyFile)
-
-	switch {
-	case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
-		klog.Warningf("You might be using flag defaulting for --cluster-signing-cert-file and" +
-			" --cluster-signing-key-file. These defaults are deprecated and will be removed" +
-			" in a subsequent release. Please pass these options explicitly.")
-	case (!keyFileExists && keyUsesDefault) && (!certFileExists && certUsesDefault):
-		// This is what we expect right now if people aren't
-		// setting up the signing controller. This isn't
-		// actually a problem since the signer is not a
-		// required controller.
-		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified and the default files are missing")
-		return nil, false, nil
-	default:
-		// Note that '!filesExist && !usesDefaults' is obviously
-		// operator error. We don't handle this case here and instead
-		// allow it to be handled by NewCSR... below.
 	}
 
 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
 	csrInformer := ctx.InformerFactory.Certificates().V1().CertificateSigningRequests()
 	certTTL := ctx.ComponentConfig.CSRSigningController.ClusterSigningDuration.Duration
-	caFile, caKeyFile := getKubeletServingSignerFiles(ctx.ComponentConfig.CSRSigningController)
 
-	// TODO get different signer cert and key files for each signer when we add flags.
+	if kubeletServingSignerCertFile, kubeletServingSignerKeyFile := getKubeletServingSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeletServingSignerCertFile) > 0 || len(kubeletServingSignerKeyFile) > 0 {
-
+		kubeletServingSigner, err := signer.NewKubeletServingCSRSigningController(c, csrInformer, kubeletServingSignerCertFile, kubeletServingSignerKeyFile, certTTL)
-	kubeletServingSigner, err := signer.NewKubeletServingCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
+		if err != nil {
-	if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kubelet-serving certificate controller: %v", err)
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kubelet-serving certificate controller: %v", err)
+		}
+		go kubeletServingSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kubelet-serving")
 	}
-	go kubeletServingSigner.Run(1, ctx.Stop)
 
-	kubeletClientSigner, err := signer.NewKubeletClientCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
+	if kubeletClientSignerCertFile, kubeletClientSignerKeyFile := getKubeletClientSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeletClientSignerCertFile) > 0 || len(kubeletClientSignerKeyFile) > 0 {
-	if err != nil {
+		kubeletClientSigner, err := signer.NewKubeletClientCSRSigningController(c, csrInformer, kubeletClientSignerCertFile, kubeletClientSignerKeyFile, certTTL)
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client-kubelet certificate controller: %v", err)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client-kubelet certificate controller: %v", err)
+		}
+		go kubeletClientSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kube-apiserver-client-kubelet")
 	}
-	go kubeletClientSigner.Run(1, ctx.Stop)
 
-	kubeAPIServerClientSigner, err := signer.NewKubeAPIServerClientCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
+	if kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile := getKubeAPIServerClientSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeAPIServerSignerCertFile) > 0 || len(kubeAPIServerSignerKeyFile) > 0 {
-	if err != nil {
+		kubeAPIServerClientSigner, err := signer.NewKubeAPIServerClientCSRSigningController(c, csrInformer, kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile, certTTL)
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client certificate controller: %v", err)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client certificate controller: %v", err)
+		}
+		go kubeAPIServerClientSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kube-apiserver-client")
 	}
-	go kubeAPIServerClientSigner.Run(1, ctx.Stop)
 
-	legacyUnknownSigner, err := signer.NewLegacyUnknownCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
+	if legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile := getLegacyUnknownSignerFiles(ctx.ComponentConfig.CSRSigningController); len(legacyUnknownSignerCertFile) > 0 || len(legacyUnknownSignerKeyFile) > 0 {
-	if err != nil {
+		legacyUnknownSigner, err := signer.NewLegacyUnknownCSRSigningController(c, csrInformer, legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile, certTTL)
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/legacy-unknown certificate controller: %v", err)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/legacy-unknown certificate controller: %v", err)
+		}
+		go legacyUnknownSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/legacy-unknown")
 	}
-	go legacyUnknownSigner.Run(1, ctx.Stop)
 
 	return nil, true, nil
 }
 
-// getKubeletServingSignerFiles returns the cert and key for signing.
+func areKubeletServingSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
-// TODO we will extended this for each signer so that it prefers the specific flag (to be added) and falls back to the single flag
+	if len(config.KubeletServingSignerConfiguration.CertFile) > 0 || len(config.KubeletServingSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+func areKubeletClientSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.KubeletClientSignerConfiguration.CertFile) > 0 || len(config.KubeletClientSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func areKubeAPIServerClientSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.KubeAPIServerClientSignerConfiguration.CertFile) > 0 || len(config.KubeAPIServerClientSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func areLegacyUnknownSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.LegacyUnknownSignerConfiguration.CertFile) > 0 || len(config.LegacyUnknownSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func anySpecificFilesSet(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	return areKubeletServingSignerFilesSpecified(config) ||
+		areKubeletClientSignerFilesSpecified(config) ||
+		areKubeAPIServerClientSignerFilesSpecified(config) ||
+		areLegacyUnknownSignerFilesSpecified(config)
+}
+
 func getKubeletServingSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeletServingSignerConfiguration.CertFile, config.KubeletServingSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getKubeletClientSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeletClientSignerConfiguration.CertFile, config.KubeletClientSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getKubeAPIServerClientSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeAPIServerClientSignerConfiguration.CertFile, config.KubeAPIServerClientSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getLegacyUnknownSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.LegacyUnknownSignerConfiguration.CertFile, config.LegacyUnknownSignerConfiguration.KeyFile
+	}
 	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
 }
 

cmd/kube-controller-manager/app/certificates_test.go

@@ -0,0 +1,309 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"testing"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
+)
+
+func TestCertSpecified(t *testing.T) {
+	allConfig := csrsigningconfig.CSRSigningControllerConfiguration{
+		ClusterSigningCertFile: "/cluster-signing-cert",
+		ClusterSigningKeyFile:  "/cluster-signing-key",
+		ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+		KubeletServingSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-serving/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-serving/key-file",
+		},
+		KubeletClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-client/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-client/key-file",
+		},
+		KubeAPIServerClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
+			KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
+		},
+		LegacyUnknownSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-legacy-unknown/cert-file",
+			KeyFile:  "/cluster-signing-legacy-unknown/key-file",
+		},
+	}
+	defaultOnly := csrsigningconfig.CSRSigningControllerConfiguration{
+		ClusterSigningCertFile: "/cluster-signing-cert",
+		ClusterSigningKeyFile:  "/cluster-signing-key",
+		ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+	}
+	specifiedOnly := csrsigningconfig.CSRSigningControllerConfiguration{
+		KubeletServingSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-serving/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-serving/key-file",
+		},
+		KubeletClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-client/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-client/key-file",
+		},
+		KubeAPIServerClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
+			KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
+		},
+		LegacyUnknownSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-legacy-unknown/cert-file",
+			KeyFile:  "/cluster-signing-legacy-unknown/key-file",
+		},
+	}
+	halfASpecified := csrsigningconfig.CSRSigningControllerConfiguration{
+		ClusterSigningCertFile: "/cluster-signing-cert",
+		ClusterSigningKeyFile:  "/cluster-signing-key",
+		ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+		KubeletServingSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-serving/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-serving/key-file",
+		},
+		KubeletClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kubelet-client/cert-file",
+			KeyFile:  "/cluster-signing-kubelet-client/key-file",
+		},
+	}
+	halfBSpecified := csrsigningconfig.CSRSigningControllerConfiguration{
+		ClusterSigningCertFile: "/cluster-signing-cert",
+		ClusterSigningKeyFile:  "/cluster-signing-key",
+		ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+		KubeAPIServerClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
+			KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
+		},
+		LegacyUnknownSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+			CertFile: "/cluster-signing-legacy-unknown/cert-file",
+			KeyFile:  "/cluster-signing-legacy-unknown/key-file",
+		},
+	}
+
+	tests := []struct {
+		name              string
+		config            csrsigningconfig.CSRSigningControllerConfiguration
+		specifiedFn       func(config csrsigningconfig.CSRSigningControllerConfiguration) bool
+		expectedSpecified bool
+		filesFn           func(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string)
+		expectedCert      string
+		expectedKey       string
+	}{
+		{
+			name:              "allConfig-KubeletServingSignerFilesSpecified",
+			config:            allConfig,
+			specifiedFn:       areKubeletServingSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletServingSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-serving/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-serving/key-file",
+		},
+		{
+			name:              "defaultOnly-KubeletServingSignerFilesSpecified",
+			config:            defaultOnly,
+			specifiedFn:       areKubeletServingSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeletServingSignerFiles,
+			expectedCert:      "/cluster-signing-cert",
+			expectedKey:       "/cluster-signing-key",
+		},
+		{
+			name:              "specifiedOnly-KubeletServingSignerFilesSpecified",
+			config:            specifiedOnly,
+			specifiedFn:       areKubeletServingSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletServingSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-serving/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-serving/key-file",
+		},
+		{
+			name:              "halfASpecified-KubeletServingSignerFilesSpecified",
+			config:            halfASpecified,
+			specifiedFn:       areKubeletServingSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletServingSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-serving/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-serving/key-file",
+		},
+		{
+			name:              "halfBSpecified-KubeletServingSignerFilesSpecified",
+			config:            halfBSpecified,
+			specifiedFn:       areKubeletServingSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeletServingSignerFiles,
+			expectedCert:      "",
+			expectedKey:       "",
+		},
+
+		{
+			name:              "allConfig-KubeletClientSignerFiles",
+			config:            allConfig,
+			specifiedFn:       areKubeletClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletClientSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-client/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-client/key-file",
+		},
+		{
+			name:              "defaultOnly-KubeletClientSignerFiles",
+			config:            defaultOnly,
+			specifiedFn:       areKubeletClientSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeletClientSignerFiles,
+			expectedCert:      "/cluster-signing-cert",
+			expectedKey:       "/cluster-signing-key",
+		},
+		{
+			name:              "specifiedOnly-KubeletClientSignerFiles",
+			config:            specifiedOnly,
+			specifiedFn:       areKubeletClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletClientSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-client/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-client/key-file",
+		},
+		{
+			name:              "halfASpecified-KubeletClientSignerFiles",
+			config:            halfASpecified,
+			specifiedFn:       areKubeletClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeletClientSignerFiles,
+			expectedCert:      "/cluster-signing-kubelet-client/cert-file",
+			expectedKey:       "/cluster-signing-kubelet-client/key-file",
+		},
+		{
+			name:              "halfBSpecified-KubeletClientSignerFiles",
+			config:            halfBSpecified,
+			specifiedFn:       areKubeletClientSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeletClientSignerFiles,
+			expectedCert:      "",
+			expectedKey:       "",
+		},
+
+		{
+			name:              "allConfig-KubeletClientSignerFiles",
+			config:            allConfig,
+			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeAPIServerClientSignerFiles,
+			expectedCert:      "/cluster-signing-kube-apiserver-client/cert-file",
+			expectedKey:       "/cluster-signing-kube-apiserver-client/key-file",
+		},
+		{
+			name:              "defaultOnly-KubeletClientSignerFiles",
+			config:            defaultOnly,
+			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeAPIServerClientSignerFiles,
+			expectedCert:      "/cluster-signing-cert",
+			expectedKey:       "/cluster-signing-key",
+		},
+		{
+			name:              "specifiedOnly-KubeletClientSignerFiles",
+			config:            specifiedOnly,
+			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeAPIServerClientSignerFiles,
+			expectedCert:      "/cluster-signing-kube-apiserver-client/cert-file",
+			expectedKey:       "/cluster-signing-kube-apiserver-client/key-file",
+		},
+		{
+			name:              "halfASpecified-KubeletClientSignerFiles",
+			config:            halfASpecified,
+			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getKubeAPIServerClientSignerFiles,
+			expectedCert:      "",
+			expectedKey:       "",
+		},
+		{
+			name:              "halfBSpecified-KubeletClientSignerFiles",
+			config:            halfBSpecified,
+			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getKubeAPIServerClientSignerFiles,
+			expectedCert:      "/cluster-signing-kube-apiserver-client/cert-file",
+			expectedKey:       "/cluster-signing-kube-apiserver-client/key-file",
+		},
+
+		{
+			name:              "allConfig-LegacyUnknownSignerFiles",
+			config:            allConfig,
+			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getLegacyUnknownSignerFiles,
+			expectedCert:      "/cluster-signing-legacy-unknown/cert-file",
+			expectedKey:       "/cluster-signing-legacy-unknown/key-file",
+		},
+		{
+			name:              "defaultOnly-LegacyUnknownSignerFiles",
+			config:            defaultOnly,
+			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getLegacyUnknownSignerFiles,
+			expectedCert:      "/cluster-signing-cert",
+			expectedKey:       "/cluster-signing-key",
+		},
+		{
+			name:              "specifiedOnly-LegacyUnknownSignerFiles",
+			config:            specifiedOnly,
+			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getLegacyUnknownSignerFiles,
+			expectedCert:      "/cluster-signing-legacy-unknown/cert-file",
+			expectedKey:       "/cluster-signing-legacy-unknown/key-file",
+		},
+		{
+			name:              "halfASpecified-LegacyUnknownSignerFiles",
+			config:            halfASpecified,
+			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
+			expectedSpecified: false,
+			filesFn:           getLegacyUnknownSignerFiles,
+			expectedCert:      "",
+			expectedKey:       "",
+		},
+		{
+			name:              "halfBSpecified-LegacyUnknownSignerFiles",
+			config:            halfBSpecified,
+			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
+			expectedSpecified: true,
+			filesFn:           getLegacyUnknownSignerFiles,
+			expectedCert:      "/cluster-signing-legacy-unknown/cert-file",
+			expectedKey:       "/cluster-signing-legacy-unknown/key-file",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			actualSpecified := test.specifiedFn(test.config)
+			if actualSpecified != test.expectedSpecified {
+				t.Error(actualSpecified)
+			}
+
+			actualCert, actualKey := test.filesFn(test.config)
+			if actualCert != test.expectedCert {
+				t.Error(actualCert)
+			}
+			if actualKey != test.expectedKey {
+				t.Error(actualKey)
+			}
+		})
+	}
+}

cmd/kube-controller-manager/app/options/csrsigningcontroller.go

@@ -17,21 +17,13 @@ limitations under the License.
 package options
 
 import (
+	"fmt"
+
 	"github.com/spf13/pflag"
 
 	csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
 )
 
-const (
-	// These defaults are deprecated and exported so that we can warn if
-	// they are being used.
-
-	// DefaultClusterSigningCertFile is deprecated. Do not use.
-	DefaultClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
-	// DefaultClusterSigningKeyFile is deprecated. Do not use.
-	DefaultClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
-)
-
 // CSRSigningControllerOptions holds the CSRSigningController options.
 type CSRSigningControllerOptions struct {
 	*csrsigningconfig.CSRSigningControllerConfiguration
@@ -43,8 +35,16 @@ func (o *CSRSigningControllerOptions) AddFlags(fs *pflag.FlagSet) {
 		return
 	}
 
-	fs.StringVar(&o.ClusterSigningCertFile, "cluster-signing-cert-file", o.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
+	fs.StringVar(&o.ClusterSigningCertFile, "cluster-signing-cert-file", o.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates.  If specified, no more specific --cluster-signing-* flag may be specified.")
-	fs.StringVar(&o.ClusterSigningKeyFile, "cluster-signing-key-file", o.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
+	fs.StringVar(&o.ClusterSigningKeyFile, "cluster-signing-key-file", o.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates.  If specified, no more specific --cluster-signing-* flag may be specified.")
+	fs.StringVar(&o.KubeletServingSignerConfiguration.CertFile, "cluster-signing-kubelet-serving-cert-file", o.KubeletServingSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.KubeletServingSignerConfiguration.KeyFile, "cluster-signing-kubelet-serving-key-file", o.KubeletServingSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.KubeletClientSignerConfiguration.CertFile, "cluster-signing-kubelet-client-cert-file", o.KubeletClientSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.KubeletClientSignerConfiguration.KeyFile, "cluster-signing-kubelet-client-key-file", o.KubeletClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.CertFile, "cluster-signing-kube-apiserver-client-cert-file", o.KubeAPIServerClientSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.KeyFile, "cluster-signing-kube-apiserver-client-key-file", o.KubeAPIServerClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.LegacyUnknownSignerConfiguration.CertFile, "cluster-signing-legacy-unknown-cert-file", o.LegacyUnknownSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
+	fs.StringVar(&o.LegacyUnknownSignerConfiguration.KeyFile, "cluster-signing-legacy-unknown-key-file", o.LegacyUnknownSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer.  If specified, --cluster-signing-{cert,key}-file must not be set.")
 	fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.DurationVar(&o.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.MarkDeprecated("experimental-cluster-signing-duration", "use --cluster-signing-duration")
@@ -58,6 +58,10 @@ func (o *CSRSigningControllerOptions) ApplyTo(cfg *csrsigningconfig.CSRSigningCo
 
 	cfg.ClusterSigningCertFile = o.ClusterSigningCertFile
 	cfg.ClusterSigningKeyFile = o.ClusterSigningKeyFile
+	cfg.KubeletServingSignerConfiguration = o.KubeletServingSignerConfiguration
+	cfg.KubeletClientSignerConfiguration = o.KubeletClientSignerConfiguration
+	cfg.KubeAPIServerClientSignerConfiguration = o.KubeAPIServerClientSignerConfiguration
+	cfg.LegacyUnknownSignerConfiguration = o.LegacyUnknownSignerConfiguration
 	cfg.ClusterSigningDuration = o.ClusterSigningDuration
 
 	return nil
@@ -70,5 +74,43 @@ func (o *CSRSigningControllerOptions) Validate() []error {
 	}
 
 	errs := []error{}
+	if err := csrSigningFilesValid(o.KubeletServingSignerConfiguration); err != nil {
+		errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kubelet-serving", err))
+	}
+	if err := csrSigningFilesValid(o.KubeletClientSignerConfiguration); err != nil {
+		errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kube-apiserver-client", err))
+	}
+	if err := csrSigningFilesValid(o.KubeAPIServerClientSignerConfiguration); err != nil {
+		errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kube-apiserver", err))
+	}
+	if err := csrSigningFilesValid(o.LegacyUnknownSignerConfiguration); err != nil {
+		errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-legacy-unknown", err))
+	}
+
+	singleSigningFile := len(o.ClusterSigningCertFile) > 0 || len(o.ClusterSigningKeyFile) > 0
+	anySpecificFilesSet := len(o.KubeletServingSignerConfiguration.CertFile) > 0 || len(o.KubeletServingSignerConfiguration.KeyFile) > 0 ||
+		len(o.KubeletClientSignerConfiguration.CertFile) > 0 || len(o.KubeletClientSignerConfiguration.KeyFile) > 0 ||
+		len(o.KubeAPIServerClientSignerConfiguration.CertFile) > 0 || len(o.KubeAPIServerClientSignerConfiguration.KeyFile) > 0 ||
+		len(o.LegacyUnknownSignerConfiguration.CertFile) > 0 || len(o.LegacyUnknownSignerConfiguration.KeyFile) > 0
+	if singleSigningFile && anySpecificFilesSet {
+		errs = append(errs, fmt.Errorf("cannot specify --cluster-signing-{cert,key}-file and other --cluster-signing-*-file flags at the same time"))
+	}
+
 	return errs
 }
+
+// both must be specified or both must be empty
+func csrSigningFilesValid(config csrsigningconfig.CSRSigningConfiguration) error {
+	switch {
+	case (len(config.CertFile) == 0) && (len(config.KeyFile) == 0):
+		return nil
+	case (len(config.CertFile) != 0) && (len(config.KeyFile) != 0):
+		return nil
+	case (len(config.CertFile) == 0) && (len(config.KeyFile) != 0):
+		return fmt.Errorf("cannot specify key without cert")
+	case (len(config.CertFile) != 0) && (len(config.KeyFile) == 0):
+		return fmt.Errorf("cannot specify cert without key")
+	}
+
+	return fmt.Errorf("math broke")
+}

cmd/kube-controller-manager/app/options/options_test.go

@@ -69,6 +69,14 @@ var args = []string{
 	"--cluster-name=k8s",
 	"--cluster-signing-cert-file=/cluster-signing-cert",
 	"--cluster-signing-key-file=/cluster-signing-key",
+	"--cluster-signing-kubelet-serving-cert-file=/cluster-signing-kubelet-serving/cert-file",
+	"--cluster-signing-kubelet-serving-key-file=/cluster-signing-kubelet-serving/key-file",
+	"--cluster-signing-kubelet-client-cert-file=/cluster-signing-kubelet-client/cert-file",
+	"--cluster-signing-kubelet-client-key-file=/cluster-signing-kubelet-client/key-file",
+	"--cluster-signing-kube-apiserver-client-cert-file=/cluster-signing-kube-apiserver-client/cert-file",
+	"--cluster-signing-kube-apiserver-client-key-file=/cluster-signing-kube-apiserver-client/key-file",
+	"--cluster-signing-legacy-unknown-cert-file=/cluster-signing-legacy-unknown/cert-file",
+	"--cluster-signing-legacy-unknown-key-file=/cluster-signing-legacy-unknown/key-file",
 	"--concurrent-deployment-syncs=10",
 	"--concurrent-statefulset-syncs=15",
 	"--concurrent-endpoint-syncs=10",
@@ -219,6 +227,22 @@ func TestAddFlags(t *testing.T) {
 				ClusterSigningCertFile: "/cluster-signing-cert",
 				ClusterSigningKeyFile:  "/cluster-signing-key",
 				ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+				KubeletServingSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kubelet-serving/cert-file",
+					KeyFile:  "/cluster-signing-kubelet-serving/key-file",
+				},
+				KubeletClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kubelet-client/cert-file",
+					KeyFile:  "/cluster-signing-kubelet-client/key-file",
+				},
+				KubeAPIServerClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
+					KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
+				},
+				LegacyUnknownSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-legacy-unknown/cert-file",
+					KeyFile:  "/cluster-signing-legacy-unknown/key-file",
+				},
 			},
 		},
 		DaemonSetController: &DaemonSetControllerOptions{
@@ -470,6 +494,22 @@ func TestApplyTo(t *testing.T) {
 				ClusterSigningCertFile: "/cluster-signing-cert",
 				ClusterSigningKeyFile:  "/cluster-signing-key",
 				ClusterSigningDuration: metav1.Duration{Duration: 10 * time.Hour},
+				KubeletServingSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kubelet-serving/cert-file",
+					KeyFile:  "/cluster-signing-kubelet-serving/key-file",
+				},
+				KubeletClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kubelet-client/cert-file",
+					KeyFile:  "/cluster-signing-kubelet-client/key-file",
+				},
+				KubeAPIServerClientSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
+					KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
+				},
+				LegacyUnknownSignerConfiguration: csrsigningconfig.CSRSigningConfiguration{
+					CertFile: "/cluster-signing-legacy-unknown/cert-file",
+					KeyFile:  "/cluster-signing-legacy-unknown/key-file",
+				},
 			},
 			DaemonSetController: daemonconfig.DaemonSetControllerConfiguration{
 				ConcurrentDaemonSetSyncs: 2,

pkg/controller/certificates/signer/config/types.go

@@ -28,7 +28,27 @@ type CSRSigningControllerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+
+	// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
+	KubeletServingSignerConfiguration CSRSigningConfiguration
+	// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
+	KubeletClientSignerConfiguration CSRSigningConfiguration
+	// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
+	KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
+	// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
+	LegacyUnknownSignerConfiguration CSRSigningConfiguration
+
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 }
+
+// CSRSigningConfiguration holds information about a particular CSR signer
+type CSRSigningConfiguration struct {
+	// certFile is the filename containing a PEM-encoded
+	// X509 CA certificate used to issue certificates
+	CertFile string
+	// keyFile is the filename containing a PEM-encoded
+	// RSA or ECDSA private key used to issue certificates
+	KeyFile string
+}

pkg/controller/certificates/signer/config/v1alpha1/defaults.go

@@ -34,12 +34,6 @@ import (
 // run it in your wrapper struct of this type in its `SetDefaults_` method.
 func RecommendedDefaultCSRSigningControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.CSRSigningControllerConfiguration) {
 	zero := metav1.Duration{}
-	if obj.ClusterSigningCertFile == "" {
-		obj.ClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
-	}
-	if obj.ClusterSigningKeyFile == "" {
-		obj.ClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
-	}
 	if obj.ClusterSigningDuration == zero {
 		obj.ClusterSigningDuration = metav1.Duration{Duration: 365 * 24 * time.Hour}
 	}

pkg/controller/certificates/signer/config/v1alpha1/zz_generated.conversion.go

@@ -35,6 +35,16 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*v1alpha1.CSRSigningConfiguration)(nil), (*config.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(a.(*v1alpha1.CSRSigningConfiguration), b.(*config.CSRSigningConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.CSRSigningConfiguration)(nil), (*v1alpha1.CSRSigningConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(a.(*config.CSRSigningConfiguration), b.(*v1alpha1.CSRSigningConfiguration), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*v1alpha1.GroupResource)(nil), (*v1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_GroupResource_To_v1_GroupResource(a.(*v1alpha1.GroupResource), b.(*v1.GroupResource), scope)
 	}); err != nil {
@@ -58,9 +68,43 @@ func RegisterConversions(s *runtime.Scheme) error {
 	return nil
 }
 
+func autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
+	out.CertFile = in.CertFile
+	out.KeyFile = in.KeyFile
+	return nil
+}
+
+// Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration is an autogenerated conversion function.
+func Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in *v1alpha1.CSRSigningConfiguration, out *config.CSRSigningConfiguration, s conversion.Scope) error {
+	return autoConvert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(in, out, s)
+}
+
+func autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
+	out.CertFile = in.CertFile
+	out.KeyFile = in.KeyFile
+	return nil
+}
+
+// Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration is an autogenerated conversion function.
+func Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in *config.CSRSigningConfiguration, out *v1alpha1.CSRSigningConfiguration, s conversion.Scope) error {
+	return autoConvert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(in, out, s)
+}
+
 func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigningControllerConfiguration(in *v1alpha1.CSRSigningControllerConfiguration, out *config.CSRSigningControllerConfiguration, s conversion.Scope) error {
 	out.ClusterSigningCertFile = in.ClusterSigningCertFile
 	out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_v1alpha1_CSRSigningConfiguration_To_config_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
+		return err
+	}
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return nil
 }
@@ -68,6 +112,18 @@ func autoConvert_v1alpha1_CSRSigningControllerConfiguration_To_config_CSRSigning
 func autoConvert_config_CSRSigningControllerConfiguration_To_v1alpha1_CSRSigningControllerConfiguration(in *config.CSRSigningControllerConfiguration, out *v1alpha1.CSRSigningControllerConfiguration, s conversion.Scope) error {
 	out.ClusterSigningCertFile = in.ClusterSigningCertFile
 	out.ClusterSigningKeyFile = in.ClusterSigningKeyFile
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletServingSignerConfiguration, &out.KubeletServingSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeletClientSignerConfiguration, &out.KubeletClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.KubeAPIServerClientSignerConfiguration, &out.KubeAPIServerClientSignerConfiguration, s); err != nil {
+		return err
+	}
+	if err := Convert_config_CSRSigningConfiguration_To_v1alpha1_CSRSigningConfiguration(&in.LegacyUnknownSignerConfiguration, &out.LegacyUnknownSignerConfiguration, s); err != nil {
+		return err
+	}
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return nil
 }

pkg/controller/certificates/signer/config/zz_generated.deepcopy.go

@@ -20,9 +20,29 @@ limitations under the License.
 
 package config
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
+func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CSRSigningConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
 	*out = *in
+	out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
+	out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
+	out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
+	out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return
 }

staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go

@@ -246,11 +246,31 @@ type CSRSigningControllerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+
+	// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
+	KubeletServingSignerConfiguration CSRSigningConfiguration
+	// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
+	KubeletClientSignerConfiguration CSRSigningConfiguration
+	// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
+	KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
+	// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
+	LegacyUnknownSignerConfiguration CSRSigningConfiguration
+
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 }
 
+// CSRSigningConfiguration holds information about a particular CSR signer
+type CSRSigningConfiguration struct {
+	// certFile is the filename containing a PEM-encoded
+	// X509 CA certificate used to issue certificates
+	CertFile string
+	// keyFile is the filename containing a PEM-encoded
+	// RSA or ECDSA private key used to issue certificates
+	KeyFile string
+}
+
 // DaemonSetControllerConfiguration contains elements describing DaemonSetController.
 type DaemonSetControllerConfiguration struct {
 	// concurrentDaemonSetSyncs is the number of daemonset objects that are

staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.deepcopy.go

@@ -41,9 +41,29 @@ func (in *AttachDetachControllerConfiguration) DeepCopy() *AttachDetachControlle
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
+func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CSRSigningConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
 	*out = *in
+	out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
+	out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
+	out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
+	out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return
 }