Merge pull request #88850 from enj/enj/i/dynamic_cert_fixes

Fix dynamic certificates issues
Kubernetes Prow Robot 2020-03-05 20:05:05 -08:00 committed by GitHub
commit 6c8cdb9162
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 10 deletions


@ -23,7 +23,7 @@ import (
"net" "net"
"strings" "strings"
v1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/klog" "k8s.io/klog"
) )
@ -52,7 +52,7 @@ func (c *DynamicServingCertificateController) BuildNamedCertificates(sniCerts []
klog.V(2).Infof("loaded SNI cert [%d/%q]: %s", i, c.sniCerts[i].Name(), GetHumanCertDetail(x509Cert)) klog.V(2).Infof("loaded SNI cert [%d/%q]: %s", i, c.sniCerts[i].Name(), GetHumanCertDetail(x509Cert))
if c.eventRecorder != nil { if c.eventRecorder != nil {
c.eventRecorder.Eventf(nil, nil, v1.EventTypeWarning, "TLSConfigChanged", "SNICertificateReload", "loaded SNI cert [%d/%q]: %s with explicit names %v", i, c.sniCerts[i].Name(), GetHumanCertDetail(x509Cert), names) c.eventRecorder.Eventf(&corev1.ObjectReference{Name: c.sniCerts[i].Name()}, nil, corev1.EventTypeWarning, "TLSConfigChanged", "SNICertificateReload", "loaded SNI cert [%d/%q]: %s with explicit names %v", i, c.sniCerts[i].Name(), GetHumanCertDetail(x509Cert), names)
} }
if len(names) == 0 { if len(names) == 0 {
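Review bot: The `regarding` object handed to Eventf on the SNI reload line carries only `Name`, so the recorded Event's involved object has no Kind, Namespace or APIVersion; if the recorder falls back to the default namespace when Namespace is empty (client-go's events recorder appears to), these reload events land in `default` and cannot be correlated with the component by kind. The same applies to the two Eventf calls in syncCerts in the controller file, so one fix covers all three. Either populate Kind (and Namespace/APIVersion when the provider knows them) or record that the partial reference is intentional with a comment such as `// only Name is known here: the event concerns the cert provider, not a namespaced API object`. BuildNamedCertificates continues outside the hunk.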


@ -79,7 +79,7 @@ func TestServingCert(t *testing.T) {
} }
dynamicCertificateController := NewDynamicServingCertificateController( dynamicCertificateController := NewDynamicServingCertificateController(
*tlsConfig, tlsConfig,
&nullCAContent{name: "client-ca"}, &nullCAContent{name: "client-ca"},
defaultCertProvider, defaultCertProvider,
sniCerts, sniCerts,


@ -25,8 +25,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
v1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/events" "k8s.io/client-go/tools/events"
@ -41,7 +40,7 @@ const workItemKey = "key"
type DynamicServingCertificateController struct { type DynamicServingCertificateController struct {
// baseTLSConfig is the static portion of the tlsConfig for serving to clients. It is copied and the copy is mutated // baseTLSConfig is the static portion of the tlsConfig for serving to clients. It is copied and the copy is mutated
// based on the dynamic cert state. // based on the dynamic cert state.
baseTLSConfig tls.Config baseTLSConfig *tls.Config
// clientCA provides the very latest content of the ca bundle // clientCA provides the very latest content of the ca bundle
clientCA CAContentProvider clientCA CAContentProvider
@ -65,7 +64,7 @@ var _ Listener = &DynamicServingCertificateController{}
// NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date. // NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date.
func NewDynamicServingCertificateController( func NewDynamicServingCertificateController(
baseTLSConfig tls.Config, baseTLSConfig *tls.Config,
clientCA CAContentProvider, clientCA CAContentProvider,
servingCert CertKeyContentProvider, servingCert CertKeyContentProvider,
sniCerts []SNICertKeyContentProvider, sniCerts []SNICertKeyContentProvider,
@ -178,7 +177,7 @@ func (c *DynamicServingCertificateController) syncCerts() error {
for i, cert := range newClientCAs { for i, cert := range newClientCAs {
klog.V(2).Infof("loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert)) klog.V(2).Infof("loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert))
if c.eventRecorder != nil { if c.eventRecorder != nil {
c.eventRecorder.Eventf(nil, nil, v1.EventTypeWarning, "TLSConfigChanged", "CACertificateReload", "loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert)) c.eventRecorder.Eventf(&corev1.ObjectReference{Name: c.clientCA.Name()}, nil, corev1.EventTypeWarning, "TLSConfigChanged", "CACertificateReload", "loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert))
} }
newClientCAPool.AddCert(cert) newClientCAPool.AddCert(cert)
@ -200,7 +199,7 @@ func (c *DynamicServingCertificateController) syncCerts() error {
klog.V(2).Infof("loaded serving cert [%q]: %s", c.servingCert.Name(), GetHumanCertDetail(x509Cert)) klog.V(2).Infof("loaded serving cert [%q]: %s", c.servingCert.Name(), GetHumanCertDetail(x509Cert))
if c.eventRecorder != nil { if c.eventRecorder != nil {
c.eventRecorder.Eventf(nil, nil, v1.EventTypeWarning, "TLSConfigChanged", "ServingCertificateReload", "loaded serving cert [%q]: %s", c.clientCA.Name(), GetHumanCertDetail(x509Cert)) c.eventRecorder.Eventf(&corev1.ObjectReference{Name: c.servingCert.Name()}, nil, corev1.EventTypeWarning, "TLSConfigChanged", "ServingCertificateReload", "loaded serving cert [%q]: %s", c.servingCert.Name(), GetHumanCertDetail(x509Cert))
} }
newTLSConfigCopy.Certificates = []tls.Certificate{cert} newTLSConfigCopy.Certificates = []tls.Certificate{cert}
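Review bot: `baseTLSConfig` is now retained by pointer in the struct and the constructor, but the field comment still says the config "is copied and the copy is mutated", which no longer describes the ownership: the caller keeps a handle to the same `*tls.Config` and can mutate it after construction, and any such write would race with the reads syncCerts performs when it derives `newTLSConfigCopy` once the controller's goroutine runs. Either the constructor should snapshot it (`baseTLSConfig: baseTLSConfig.Clone(),`) to keep the value-semantics the old by-value parameter gave, or the constructor doc should state that the config must not be modified after it is passed in; the field comment could read `// baseTLSConfig is the static portion of the tlsConfig for serving to clients; it is shared with the caller and must not be mutated after construction. Clones are taken and mutated based on the dynamic cert state.` The constructor body and the rest of syncCerts are outside the hunks.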


@ -66,7 +66,7 @@ func (s *SecureServingInfo) tlsConfig(stopCh <-chan struct{}) (*tls.Config, erro
if s.ClientCA != nil || s.Cert != nil || len(s.SNICerts) > 0 { if s.ClientCA != nil || s.Cert != nil || len(s.SNICerts) > 0 {
dynamicCertificateController := dynamiccertificates.NewDynamicServingCertificateController( dynamicCertificateController := dynamiccertificates.NewDynamicServingCertificateController(
*tlsConfig, tlsConfig,
s.ClientCA, s.ClientCA,
s.Cert, s.Cert,
s.SNICerts, s.SNICerts,
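Review bot: Passing `tlsConfig` by pointer instead of `*tlsConfig` means the controller now aliases the config this function keeps working with, so anything tlsConfig is assigned after this call (the rest of tlsConfig's body is outside the hunk) becomes part of the controller's base config rather than being excluded by the earlier snapshot. That is probably the intent, but it is invisible at the call site; a short comment on the argument, `tlsConfig, // shared with the controller, not copied: later edits to tlsConfig are visible to it`, would stop a future edit from mutating tlsConfig after the controller has started.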