Merge pull request #41268 from pipejakob/public-signer

Automatic merge from submit-queue (batch tested with PRs 41137, 41268) Allow the CertificateController to use any Signer implementation. **What this PR does / why we need it**: This will allow developers to create `CertificateController`s with arbitrary `Signer`s, instead of forcing the use of `CFSSLSigner`. It matches the behavior of allowing an arbitrary `AutoApprover` to be passed in the constructor. **Release note**: ```release-note NONE ``` CC @mikedanese
2025-08-01 15:58:37 +00:00 · 2017-02-10 18:05:35 -08:00 · 2017-02-10 18:05:35 -08:00 · 198fcf60ca
commit 198fcf60ca
parent aa724ae0a9 7682aa53b1
3 changed files with 16 additions and 11 deletions
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@ -32,11 +32,17 @@ func startCSRController(ctx ControllerContext) (bool, error) {
 		return false, nil
 	}
 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
 	signer, err := certcontroller.NewCFSSLSigner(ctx.Options.ClusterSigningCertFile, ctx.Options.ClusterSigningKeyFile)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
 		return false, nil
 	}
 	certController, err := certcontroller.NewCertificateController(
 		c,
 		ctx.NewInformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
-		ctx.Options.ClusterSigningCertFile,
+		signer,
 		ctx.Options.ClusterSigningKeyFile,
 		certcontroller.NewGroupApprover(ctx.Options.ApproveAllKubeletCSRsForGroup),
 	)
 	if err != nil {
--- a/pkg/controller/certificates/certificate_controller.go
+++ b/pkg/controller/certificates/certificate_controller.go
@ -63,21 +63,16 @@ type CertificateController struct {
 	queue workqueue.RateLimitingInterface
 }
-func NewCertificateController(kubeClient clientset.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer, caCertFile, caKeyFile string, approver AutoApprover) (*CertificateController, error) {
+func NewCertificateController(kubeClient clientset.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer, signer Signer, approver AutoApprover) (*CertificateController, error) {
 	// Send events to the apiserver
 	eventBroadcaster := record.NewBroadcaster()
 	eventBroadcaster.StartLogging(glog.Infof)
 	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: v1core.New(kubeClient.Core().RESTClient()).Events("")})
 	s, err := NewCFSSLSigner(caCertFile, caKeyFile)
 	if err != nil {
 		return nil, err
 	}
 	cc := &CertificateController{
 		kubeClient: kubeClient,
 		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
-		signer:     s,
+		signer:     signer,
 		approver:   approver,
 	}
--- a/pkg/controller/certificates/certificate_controller_test.go
+++ b/pkg/controller/certificates/certificate_controller_test.go
@ -58,12 +58,16 @@ func newController(csrs ...runtime.Object) (*testController, error) {
 		return nil, err
 	}
 	signer, err := NewCFSSLSigner(certFile, keyFile)
 	if err != nil {
 		return nil, err
 	}
 	approver := &fakeAutoApprover{make(chan *certificates.CertificateSigningRequest, 1)}
 	controller, err := NewCertificateController(
 		client,
 		informerFactory.Certificates().V1beta1().CertificateSigningRequests(),
-		certFile,
+		signer,
 		keyFile,
 		approver,
 	)
 	if err != nil {