diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index a27e7d1d4c1..cfea5fe0157 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -410,10 +410,12 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
 if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
 s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
 s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
- if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
- return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
+ if crypto.ShouldGenSelfSignedCerts(s.TLSCertFile, s.TLSPrivateKeyFile) {
+ if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
+ return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
+ }
+ glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
 }
- glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
 }
 tlsOptions := &server.TLSOptions{
 Config: &tls.Config{
diff --git a/pkg/genericapiserver/genericapiserver.go b/pkg/genericapiserver/genericapiserver.go
index 506ac3b11c5..9d7fe36068d 100644
--- a/pkg/genericapiserver/genericapiserver.go
+++ b/pkg/genericapiserver/genericapiserver.go
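Review bot: Reusing a pre-existing pair at `s.TLSCertFile`/`s.TLSPrivateKeyFile` is now silent in the kubelet: the V(4) log moved inside the generate branch, and `crypto.ShouldGenSelfSignedCerts` (crypto.go hunk) no longer carries the "using existing apiserver.crt and apiserver.key files" log that the deleted genericapiserver.go helper emitted, so neither caller records which files actually back the listener. The helper also suppresses generation when only one of the two files is readable, so a kubelet with a leftover `kubelet.key` but no `kubelet.crt` no longer regenerates the pair as it did before this change and presumably fails later when the files are loaded (outside the hunk), with nothing in the log pointing at the cause. Suggest an else branch on the new `if`: `} else { glog.V(4).Infof("Using existing cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile) }`, and the equivalent in the Run hunk of genericapiserver.go. InitializeTLS continues outside the hunk.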
@@ -696,7 +696,7 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
 alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
 // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
 // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
- if shouldGenSelfSignedCerts(options.TLSCertFile, options.TLSPrivateKeyFile) {
+ if crypto.ShouldGenSelfSignedCerts(options.TLSCertFile, options.TLSPrivateKeyFile) {
 if err := crypto.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
 glog.Errorf("Unable to generate self signed cert: %v", err)
 } else {
@@ -735,28 +735,6 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
 glog.Fatal(http.ListenAndServe())
 }
 
-// If the file represented by path exists and
-// readable, return true otherwise return false.
-func canReadFile(path string) bool {
- f, err := os.Open(path)
- if err != nil {
- return false
- }
-
- defer f.Close()
-
- return true
-}
-
-func shouldGenSelfSignedCerts(certPath, keyPath string) bool {
- if canReadFile(certPath) || canReadFile(keyPath) {
- glog.Infof("using existing apiserver.crt and apiserver.key files")
- return false
- }
-
- return true
-}
-
 // Exposes the given group version in API.
 func (s *GenericAPIServer) InstallAPIGroup(apiGroupInfo *APIGroupInfo) error {
 apiPrefix := s.APIGroupPrefix
diff --git a/pkg/util/crypto/crypto.go b/pkg/util/crypto/crypto.go
index 1085c0b300d..f43664369f6 100644
--- a/pkg/util/crypto/crypto.go
+++ b/pkg/util/crypto/crypto.go
@@ -33,6 +33,29 @@ import (
 "time"
 )
 
+// ShouldGenSelfSignedCerts returns false if the certificate or key files already exists,
+// otherwise returns true.
+func ShouldGenSelfSignedCerts(certPath, keyPath string) bool {
+ if canReadFile(certPath) || canReadFile(keyPath) {
+ return false
+ }
+
+ return true
+}
+
+// If the file represented by path exists and
+// readable, returns true otherwise returns false.
+func canReadFile(path string) bool {
+ f, err := os.Open(path)
+ if err != nil {
+ return false
+ }
+
+ defer f.Close()
+
+ return true
+}
+
 // GenerateSelfSignedCert creates a self-signed certificate and key for the given host.
 // Host may be an IP or a DNS name
 // You may also specify additional subject alt names (either ip or dns names) for the certificate
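Review bot: The doc comment on the exported ShouldGenSelfSignedCerts should spell out the contract both callers now depend on: the check is only that either path can be opened for reading, so it says nothing about the files holding a valid, matching, unexpired certificate/key pair, and a single present file is enough to suppress generation; it also has a grammar slip (`files already exists`). Suggested text: `// ShouldGenSelfSignedCerts reports whether a self-signed certificate and key should be generated. It returns false if either certPath or keyPath can be opened for reading; the contents of the files are not validated.` canReadFile's comment should start with its name per Go convention: `// canReadFile reports whether the file at path exists and can be opened for reading.` As a point of style, the body of ShouldGenSelfSignedCerts reduces to `return !(canReadFile(certPath) || canReadFile(keyPath))`.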