kubeadm: Enable dry-run mode for phase of control-plane-prepare certs

- All certs will be created under the folder of `/etc/kubernetes/tmp/kubeadm-join-dryrunxxx` if the `dry-run` mode is enabled. - Try to make each phase idempotent by resetting the cert dir with `dry-run` mode Signed-off-by: Dave Chen <dave.chen@arm.com>
2025-07-21 19:01:49 +00:00 · 2022-10-12 16:46:31 +08:00 · 2022-10-12 16:46:31 +08:00 · b3f91f0c02
commit b3f91f0c02
parent 335fd41484
3 changed files with 14 additions and 4 deletions
--- a/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go
+++ b/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go
@ -108,6 +108,7 @@ func getControlPlanePreparePhaseFlags(name string) []string {
 			options.TokenDiscoverySkipCAHash,
 			options.TLSBootstrapToken,
 			options.TokenStr,
+			options.DryRun,
 		}
 	case "kubeconfig":
 		flags = []string{
@ -230,10 +231,10 @@ func runControlPlanePrepareDownloadCertsPhaseLocal(c workflow.RunData) error {
 		return err
 	}

-	// If we're dry-running, download certs to tmp dir
-	if data.DryRun() {
-		cfg.CertificatesDir = data.CertificateWriteDir()
-	}
+	// If we're dry-running, download certs to tmp dir, and defer to restore to the path originally specified by the user
+	certsDir := cfg.CertificatesDir
+	cfg.CertificatesDir = data.CertificateWriteDir()
+	defer func() { cfg.CertificatesDir = certsDir }()

 	client, err := bootstrapClient(data)
 	if err != nil {
@ -264,6 +265,10 @@ func runControlPlanePrepareCertsPhaseLocal(c workflow.RunData) error {

 	fmt.Printf("[certs] Using certificateDir folder %q\n", cfg.CertificatesDir)

+	// if dryrunning, write certificates files to a temporary folder (and defer restore to the path originally specified by the user)
+	certsDir := cfg.CertificatesDir
+	cfg.CertificatesDir = data.CertificateWriteDir()
+	defer func() { cfg.CertificatesDir = certsDir }()
 	// Generate missing certificates (if any)
 	return certsphase.CreatePKIAssets(cfg)
 }
--- a/cmd/kubeadm/app/phases/certs/certlist.go
+++ b/cmd/kubeadm/app/phases/certs/certlist.go
@ -21,10 +21,12 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"path/filepath"

 	"github.com/pkg/errors"

 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/klog/v2"

 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@ -151,6 +153,7 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
 				continue
 			}
 			// CA key exists; just use that to create new certificates.
+			klog.V(1).Infof("[certs] Using the existing CA certificate %q and key %q\n", filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.crt", ca.BaseName)), filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.key", ca.BaseName)))
 		} else {
 			// CACert doesn't already exist, create a new cert and key.
 			caCert, caKey, err = pkiutil.NewCertificateAuthority(cfg)
--- a/cmd/kubeadm/app/phases/copycerts/copycerts.go
+++ b/cmd/kubeadm/app/phases/copycerts/copycerts.go
@ -234,6 +234,8 @@ func DownloadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration
 		return errors.Wrap(err, "error decoding secret data with provided key")
 	}

+	fmt.Printf("[download-certs] Saving the certificates to the folder: %q\n", cfg.CertificatesDir)
+
 	for certOrKeyName, certOrKeyPath := range certsToTransfer(cfg) {
 		certOrKeyData, found := secretData[certOrKeyNameToSecretName(certOrKeyName)]
 		if !found {