Merge pull request #85091 from fabriziopandini/alpha-certs-reads-incluster-config

kubeadm: alpha certs command should read in-cluster config
This commit is contained in:
Kubernetes Prow Robot 2019-11-13 09:27:42 -08:00 committed by GitHub
commit 4f6aa5a921
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 23 deletions

View File

@ -32,6 +32,7 @@ import (
"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
cmdutil "k8s.io/kubernetes/cmd/kubeadm/app/cmd/util"
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal"
"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
configutil "k8s.io/kubernetes/cmd/kubeadm/app/util/config"
@ -78,7 +79,7 @@ func newCmdCertsUtility(out io.Writer) *cobra.Command {
Short: "Commands related to handling kubernetes certificates",
}
cmd.AddCommand(newCmdCertsRenewal())
cmd.AddCommand(newCmdCertsRenewal(out))
cmd.AddCommand(newCmdCertsExpiration(out, constants.KubernetesDir))
cmd.AddCommand(NewCmdCertificateKey())
return cmd
@ -103,7 +104,7 @@ func NewCmdCertificateKey() *cobra.Command {
}
// newCmdCertsRenewal creates a new `cert renew` command.
func newCmdCertsRenewal() *cobra.Command {
func newCmdCertsRenewal(out io.Writer) *cobra.Command {
cmd := &cobra.Command{
Use: "renew",
Short: "Renew certificates for a Kubernetes cluster",
@ -111,7 +112,7 @@ func newCmdCertsRenewal() *cobra.Command {
RunE: cmdutil.SubCmdRunE("renew"),
}
cmd.AddCommand(getRenewSubCommands(constants.KubernetesDir)...)
cmd.AddCommand(getRenewSubCommands(out, constants.KubernetesDir)...)
return cmd
}
@ -125,12 +126,13 @@ type renewFlags struct {
csrPath string
}
func getRenewSubCommands(kdir string) []*cobra.Command {
func getRenewSubCommands(out io.Writer, kdir string) []*cobra.Command {
flags := &renewFlags{
cfg: kubeadmapiv1beta2.ClusterConfiguration{
// Setting kubernetes version to a default value in order to allow a not necessary internet lookup
KubernetesVersion: constants.CurrentKubernetesVersion.String(),
},
kubeconfigPath: kubeadmconstants.GetAdminKubeConfigPath(),
}
// Default values for the cobra help text
kubeadmscheme.Scheme.Default(&flags.cfg)
@ -143,8 +145,6 @@ func getRenewSubCommands(kdir string) []*cobra.Command {
}
cmdList := []*cobra.Command{}
funcList := []func() error{}
for _, handler := range rm.Certificates() {
// get the cobra.Command skeleton for this command
cmd := &cobra.Command{
@ -156,14 +156,18 @@ func getRenewSubCommands(kdir string) []*cobra.Command {
// get the implementation of renewing this certificate
renewalFunc := func(handler *renewal.CertificateRenewHandler) func() error {
return func() error {
return renewCert(flags, kdir, handler)
// Get cluster configuration (from --config, kubeadm-config ConfigMap, or default as a fallback)
internalcfg, err := getInternalCfg(flags.cfgPath, flags.kubeconfigPath, flags.cfg, out, "renew")
if err != nil {
return err
}
return renewCert(flags, kdir, internalcfg, handler)
}
}(handler)
// install the implementation into the command
cmd.RunE = func(*cobra.Command, []string) error { return renewalFunc() }
cmdList = append(cmdList, cmd)
// Collect renewal functions for `renew all`
funcList = append(funcList, renewalFunc)
}
allCmd := &cobra.Command{
@ -171,8 +175,21 @@ func getRenewSubCommands(kdir string) []*cobra.Command {
Short: "Renew all available certificates",
Long: allLongDesc,
RunE: func(*cobra.Command, []string) error {
for _, f := range funcList {
if err := f(); err != nil {
// Get cluster configuration (from --config, kubeadm-config ConfigMap, or default as a fallback)
internalcfg, err := getInternalCfg(flags.cfgPath, flags.kubeconfigPath, flags.cfg, out, "renew")
if err != nil {
return err
}
// Get a renewal manager for a actual Cluster configuration
rm, err := renewal.NewManager(&internalcfg.ClusterConfiguration, kdir)
if err != nil {
return nil
}
// Renew certificates
for _, handler := range rm.Certificates() {
if err := renewCert(flags, kdir, internalcfg, handler); err != nil {
return err
}
}
@ -194,12 +211,7 @@ func addRenewFlags(cmd *cobra.Command, flags *renewFlags) {
cmd.Flags().BoolVar(&flags.useAPI, "use-api", flags.useAPI, "Use the Kubernetes certificate API to renew certificates")
}
func renewCert(flags *renewFlags, kdir string, handler *renewal.CertificateRenewHandler) error {
internalcfg, err := configutil.LoadOrDefaultInitConfiguration(flags.cfgPath, &kubeadmapiv1beta2.InitConfiguration{}, &flags.cfg)
if err != nil {
return err
}
func renewCert(flags *renewFlags, kdir string, internalcfg *kubeadmapi.InitConfiguration, handler *renewal.CertificateRenewHandler) error {
// Get a renewal manager for the given cluster configuration
rm, err := renewal.NewManager(&internalcfg.ClusterConfiguration, kdir)
if err != nil {
@ -250,6 +262,25 @@ func renewCert(flags *renewFlags, kdir string, handler *renewal.CertificateRenew
return nil
}
func getInternalCfg(cfgPath string, kubeconfigPath string, cfg kubeadmapiv1beta2.ClusterConfiguration, out io.Writer, logPrefix string) (*kubeadmapi.InitConfiguration, error) {
// In case the user is not providing a custom config, try to get current config from the cluster.
// NB. this operation should not block, because we want to allow certificate renewal also in case of not-working clusters
if cfgPath == "" {
client, err := kubeconfigutil.ClientSetFromFile(kubeconfigPath)
if err == nil {
internalcfg, err := configutil.FetchInitConfigurationFromCluster(client, out, logPrefix, false)
if err == nil {
fmt.Println() // add empty line to separate the FetchInitConfigurationFromCluster output from the command output
return internalcfg, nil
}
fmt.Printf("[%s] Error reading configuration from the Cluster. Falling back to default configuration\n\n", logPrefix)
}
}
// Otherwise read config from --config if provided, otherwise use default configuration
return configutil.LoadOrDefaultInitConfiguration(cfgPath, &kubeadmapiv1beta2.InitConfiguration{}, &cfg)
}
// newCmdCertsExpiration creates a new `cert check-expiration` command.
func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
flags := &expirationFlags{
@ -257,6 +288,7 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
// Setting kubernetes version to a default value in order to allow a not necessary internet lookup
KubernetesVersion: constants.CurrentKubernetesVersion.String(),
},
kubeconfigPath: kubeadmconstants.GetAdminKubeConfigPath(),
}
// Default values for the cobra help text
kubeadmscheme.Scheme.Default(&flags.cfg)
@ -266,7 +298,8 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
Short: "Check certificates expiration for a Kubernetes cluster",
Long: expirationLongDesc,
RunE: func(cmd *cobra.Command, args []string) error {
internalcfg, err := configutil.LoadOrDefaultInitConfiguration(flags.cfgPath, &kubeadmapiv1beta2.InitConfiguration{}, &flags.cfg)
// Get cluster configuration (from --config, kubeadm-config ConfigMap, or default as a fallback)
internalcfg, err := getInternalCfg(flags.cfgPath, flags.kubeconfigPath, flags.cfg, out, "check-expiration")
if err != nil {
return err
}
@ -347,11 +380,13 @@ func newCmdCertsExpiration(out io.Writer, kdir string) *cobra.Command {
}
type expirationFlags struct {
cfgPath string
cfg kubeadmapiv1beta2.ClusterConfiguration
cfgPath string
kubeconfigPath string
cfg kubeadmapiv1beta2.ClusterConfiguration
}
func addExpirationFlags(cmd *cobra.Command, flags *expirationFlags) {
options.AddConfigFlag(cmd.Flags(), &flags.cfgPath)
options.AddCertificateDirFlag(cmd.Flags(), &flags.cfg.CertificatesDir)
options.AddKubeConfigFlag(cmd.Flags(), &flags.kubeconfigPath)
}

View File

@ -60,7 +60,7 @@ func TestCommandsGenerated(t *testing.T) {
"renew controller-manager.conf",
}
renewCmd := newCmdCertsRenewal()
renewCmd := newCmdCertsRenewal(os.Stdout)
fakeRoot := &cobra.Command{}
fakeRoot.AddCommand(renewCmd)
@ -236,7 +236,7 @@ func TestRunRenewCommands(t *testing.T) {
}
// exec renew
renewCmds := getRenewSubCommands(tmpDir)
renewCmds := getRenewSubCommands(os.Stdout, tmpDir)
cmdtestutil.RunSubCommand(t, renewCmds, test.command, fmt.Sprintf("--cert-dir=%s", tmpDir))
// check the file is modified
@ -279,7 +279,7 @@ func TestRenewUsingCSR(t *testing.T) {
t.Fatalf("couldn't write certificate %s: %v", cert.Name, err)
}
renewCmds := getRenewSubCommands(tmpDir)
renewCmds := getRenewSubCommands(os.Stdout, tmpDir)
cmdtestutil.RunSubCommand(t, renewCmds, cert.Name, "--csr-only", "--csr-dir="+tmpDir, fmt.Sprintf("--cert-dir=%s", tmpDir))
if _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(tmpDir, cert.Name); err != nil {