mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
Merge pull request #54495 from mikedanese/csr2
Automatic merge from submit-queue (batch tested with PRs 55839, 54495, 55884, 55983, 56069). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. certs: start deprecation of signing asset default paths Per https://github.com/kubernetes/kubernetes/pull/52334#issuecomment-331212749 ```release-note Defaulting of controller-manager options for --cluster-signing-cert-file and --cluster-signing-key-file is deprecated and will be removed in a later release. ```
This commit is contained in:
commit
79edffc93d
@ -21,9 +21,13 @@ limitations under the License.
|
||||
package app
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/approver"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates/signer"
|
||||
@ -36,6 +40,45 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
|
||||
if ctx.Options.ClusterSigningCertFile == "" || ctx.Options.ClusterSigningKeyFile == "" {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Deprecation warning for old defaults.
|
||||
//
|
||||
// * If the signing cert and key are the default paths but the files
|
||||
// exist, warn that the paths need to be specified explicitly in a
|
||||
// later release and the defaults will be removed. We don't expect this
|
||||
// to be the case.
|
||||
//
|
||||
// * If the signing cert and key are default paths but the files don't exist,
|
||||
// bail out of startController without logging.
|
||||
var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
|
||||
|
||||
_, err := os.Stat(ctx.Options.ClusterSigningCertFile)
|
||||
certFileExists = !os.IsNotExist(err)
|
||||
|
||||
certUsesDefault = (ctx.Options.ClusterSigningCertFile == options.DefaultClusterSigningCertFile)
|
||||
|
||||
_, err = os.Stat(ctx.Options.ClusterSigningKeyFile)
|
||||
keyFileExists = !os.IsNotExist(err)
|
||||
|
||||
keyUsesDefault = (ctx.Options.ClusterSigningKeyFile == options.DefaultClusterSigningKeyFile)
|
||||
|
||||
switch {
|
||||
case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
|
||||
glog.Warningf("You might be using flag defaulting for --cluster-signing-cert-file and" +
|
||||
" --cluster-signing-key-file. These defaults are deprecated and will be removed" +
|
||||
" in a subsequent release. Please pass these options explicitly.")
|
||||
case (!keyFileExists && keyUsesDefault) && (!certFileExists && certUsesDefault):
|
||||
// This is what we expect right now if people aren't
|
||||
// setting up the signing controller. This isn't
|
||||
// actually a problem since the signer is not a
|
||||
// required controller.
|
||||
return false, nil
|
||||
default:
|
||||
// Note that '!filesExist && !usesDefaults' is obviously
|
||||
// operator error. We don't handle this case here and instead
|
||||
// allow it to be handled by NewCSR... below.
|
||||
}
|
||||
|
||||
c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
|
||||
|
||||
signer, err := signer.NewCSRSigningController(
|
||||
@ -46,8 +89,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
|
||||
ctx.Options.ClusterSigningDuration.Duration,
|
||||
)
|
||||
if err != nil {
|
||||
glog.Errorf("Failed to start certificate controller: %v", err)
|
||||
return false, nil
|
||||
return false, fmt.Errorf("failed to start certificate controller: %v", err)
|
||||
}
|
||||
go signer.Run(1, ctx.Stop)
|
||||
|
||||
|
@ -39,6 +39,16 @@ import (
|
||||
"github.com/spf13/pflag"
|
||||
)
|
||||
|
||||
const (
|
||||
// These defaults are deprecated and exported so that we can warn if
|
||||
// they are being used.
|
||||
|
||||
// DefaultClusterSigningCertFile is deprecated. Do not use.
|
||||
DefaultClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
|
||||
// DefaultClusterSigningKeyFile is deprecated. Do not use.
|
||||
DefaultClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
|
||||
)
|
||||
|
||||
// CMServer is the main context object for the controller manager.
|
||||
type CMServer struct {
|
||||
componentconfig.KubeControllerManagerConfiguration
|
||||
@ -111,8 +121,8 @@ func NewCMServer() *CMServer {
|
||||
EnableGarbageCollector: true,
|
||||
ConcurrentGCSyncs: 20,
|
||||
GCIgnoredResources: gcIgnoredResources,
|
||||
ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
|
||||
ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
|
||||
ClusterSigningCertFile: DefaultClusterSigningCertFile,
|
||||
ClusterSigningKeyFile: DefaultClusterSigningKeyFile,
|
||||
ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
|
||||
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
|
||||
EnableTaintManager: true,
|
||||
|
Loading…
Reference in New Issue
Block a user