kubeadm: Enable dry-run mode for phase of control-plane-prepare certs

- All certs will be created under the folder of `/etc/kubernetes/tmp/kubeadm-join-dryrunxxx`
if the `dry-run` mode is enabled.

- Try to make each phase idempotent by resetting the cert dir with `dry-run` mode

Signed-off-by: Dave Chen <dave.chen@arm.com>

cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go

@@ -108,6 +108,7 @@ func getControlPlanePreparePhaseFlags(name string) []string {
 			options.TokenDiscoverySkipCAHash,
 			options.TLSBootstrapToken,
 			options.TokenStr,
+			options.DryRun,
 		}
 	case "kubeconfig":
 		flags = []string{
@@ -230,10 +231,10 @@ func runControlPlanePrepareDownloadCertsPhaseLocal(c workflow.RunData) error {
 		return err
 	}
 
-	// If we're dry-running, download certs to tmp dir
+	// If we're dry-running, download certs to tmp dir, and defer to restore to the path originally specified by the user
-	if data.DryRun() {
+	certsDir := cfg.CertificatesDir
 	cfg.CertificatesDir = data.CertificateWriteDir()
-	}
+	defer func() { cfg.CertificatesDir = certsDir }()
 
 	client, err := bootstrapClient(data)
 	if err != nil {
@@ -264,6 +265,10 @@ func runControlPlanePrepareCertsPhaseLocal(c workflow.RunData) error {
 
 	fmt.Printf("[certs] Using certificateDir folder %q\n", cfg.CertificatesDir)
 
+	// if dryrunning, write certificates files to a temporary folder (and defer restore to the path originally specified by the user)
+	certsDir := cfg.CertificatesDir
+	cfg.CertificatesDir = data.CertificateWriteDir()
+	defer func() { cfg.CertificatesDir = certsDir }()
 	// Generate missing certificates (if any)
 	return certsphase.CreatePKIAssets(cfg)
 }

cmd/kubeadm/app/phases/certs/certlist.go

@@ -21,10 +21,12 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"path/filepath"
 
 	"github.com/pkg/errors"
 
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/klog/v2"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@@ -151,6 +153,7 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
 				continue
 			}
 			// CA key exists; just use that to create new certificates.
+			klog.V(1).Infof("[certs] Using the existing CA certificate %q and key %q\n", filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.crt", ca.BaseName)), filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.key", ca.BaseName)))
 		} else {
 			// CACert doesn't already exist, create a new cert and key.
 			caCert, caKey, err = pkiutil.NewCertificateAuthority(cfg)

cmd/kubeadm/app/phases/copycerts/copycerts.go

@@ -234,6 +234,8 @@ func DownloadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration
 		return errors.Wrap(err, "error decoding secret data with provided key")
 	}
 
+	fmt.Printf("[download-certs] Saving the certificates to the folder: %q\n", cfg.CertificatesDir)
+
 	for certOrKeyName, certOrKeyPath := range certsToTransfer(cfg) {
 		certOrKeyData, found := secretData[certOrKeyNameToSecretName(certOrKeyName)]
 		if !found {