Allow the CertificateController to use any Signer implementation.

This will allow developers to create CertificateControllers with arbitrary Signers, instead of forcing the use of CFSSLSigner.
2025-07-23 03:41:45 +00:00 · 2017-02-10 14:02:58 -08:00 · 2017-02-10 14:02:58 -08:00 · 7682aa53b1
commit 7682aa53b1
parent b88b31cff4
3 changed files with 16 additions and 11 deletions
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@ -32,11 +32,17 @@ func startCSRController(ctx ControllerContext) (bool, error) {
 		return false, nil
 	}
 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
+
+	signer, err := certcontroller.NewCFSSLSigner(ctx.Options.ClusterSigningCertFile, ctx.Options.ClusterSigningKeyFile)
+	if err != nil {
+		glog.Errorf("Failed to start certificate controller: %v", err)
+		return false, nil
+	}
+
 	certController, err := certcontroller.NewCertificateController(
 		c,
 		ctx.NewInformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
-		ctx.Options.ClusterSigningCertFile,
-		ctx.Options.ClusterSigningKeyFile,
+		signer,
 		certcontroller.NewGroupApprover(ctx.Options.ApproveAllKubeletCSRsForGroup),
 	)
 	if err != nil {
--- a/pkg/controller/certificates/certificate_controller.go
+++ b/pkg/controller/certificates/certificate_controller.go
@ -63,21 +63,16 @@ type CertificateController struct {
 	queue workqueue.RateLimitingInterface
 }

-func NewCertificateController(kubeClient clientset.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer, caCertFile, caKeyFile string, approver AutoApprover) (*CertificateController, error) {
+func NewCertificateController(kubeClient clientset.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer, signer Signer, approver AutoApprover) (*CertificateController, error) {
 	// Send events to the apiserver
 	eventBroadcaster := record.NewBroadcaster()
 	eventBroadcaster.StartLogging(glog.Infof)
 	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: v1core.New(kubeClient.Core().RESTClient()).Events("")})

-	s, err := NewCFSSLSigner(caCertFile, caKeyFile)
-	if err != nil {
-		return nil, err
-	}
-
 	cc := &CertificateController{
 		kubeClient: kubeClient,
 		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
-		signer:     s,
+		signer:     signer,
 		approver:   approver,
 	}

--- a/pkg/controller/certificates/certificate_controller_test.go
+++ b/pkg/controller/certificates/certificate_controller_test.go
@ -58,12 +58,16 @@ func newController(csrs ...runtime.Object) (*testController, error) {
 		return nil, err
 	}

+	signer, err := NewCFSSLSigner(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
 	approver := &fakeAutoApprover{make(chan *certificates.CertificateSigningRequest, 1)}
 	controller, err := NewCertificateController(
 		client,
 		informerFactory.Certificates().V1beta1().CertificateSigningRequests(),
-		certFile,
-		keyFile,
+		signer,
 		approver,
 	)
 	if err != nil {