Make the discovery deployment load the CA from a file

2025-07-24 04:06:03 +00:00 · 2017-01-21 00:30:35 +02:00 · 2017-01-21 00:30:35 +02:00 · 741b0b8c9f
commit 741b0b8c9f
parent 21f021449d
1 changed files with 13 additions and 1 deletions
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@ -20,6 +20,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"path"
 	"time"

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -27,6 +28,7 @@ import (
 	certutil "k8s.io/client-go/pkg/util/cert"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
+	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/v1"
@ -121,7 +123,17 @@ func newKubeDiscovery(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certific
 	return kd
 }

-func CreateDiscoveryDeploymentAndSecret(cfg *kubeadmapi.MasterConfiguration, client *clientset.Clientset, caCert *x509.Certificate) error {
+func CreateDiscoveryDeploymentAndSecret(cfg *kubeadmapi.MasterConfiguration, client *clientset.Clientset) error {
+	caCertificatePath := path.Join(kubeadmapi.GlobalEnvParams.HostPKIPath, kubeadmconstants.CACertName)
+	caCerts, err := certutil.CertsFromFile(caCertificatePath)
+	if err != nil {
+		return fmt.Errorf("couldn't load the CA certificate file %s: %v", caCertificatePath, err)
+	}
+
+	// We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one
+	// TODO: Support multiple certs here in order to be able to rotate certs
+	caCert := caCerts[0]
+
 	kd := newKubeDiscovery(cfg, caCert)

 	if _, err := client.Extensions().Deployments(api.NamespaceSystem).Create(kd.Deployment); err != nil {