mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 19:31:44 +00:00
Merge pull request #46058 from jcbsmpsn/configure-certificate-duration
Automatic merge from submit-queue Add support for specifying certificate duration at runtime.
This commit is contained in:
commit
bcad534ebc
@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
|
||||
ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
|
||||
ctx.Options.ClusterSigningCertFile,
|
||||
ctx.Options.ClusterSigningKeyFile,
|
||||
ctx.Options.ClusterSigningDuration.Duration,
|
||||
)
|
||||
if err != nil {
|
||||
glog.Errorf("Failed to start certificate controller: %v", err)
|
||||
|
@ -17,6 +17,7 @@ go_library(
|
||||
"//pkg/controller/garbagecollector:go_default_library",
|
||||
"//pkg/features:go_default_library",
|
||||
"//pkg/master/ports:go_default_library",
|
||||
"//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
|
||||
"//vendor/github.com/spf13/pflag:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
||||
|
@ -35,6 +35,7 @@ import (
|
||||
// add the kubernetes feature gates
|
||||
_ "k8s.io/kubernetes/pkg/features"
|
||||
|
||||
"github.com/cloudflare/cfssl/helpers"
|
||||
"github.com/spf13/pflag"
|
||||
)
|
||||
|
||||
@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
|
||||
GCIgnoredResources: gcIgnoredResources,
|
||||
ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
|
||||
ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
|
||||
ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
|
||||
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
|
||||
EnableTaintManager: true,
|
||||
HorizontalPodAutoscalerUseRESTClients: false,
|
||||
@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
|
||||
fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
|
||||
fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
|
||||
fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
|
||||
fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
|
||||
fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
|
||||
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
|
||||
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
|
||||
|
@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
|
||||
experimental-bootstrap-kubeconfig
|
||||
experimental-bootstrap-token-auth
|
||||
experimental-check-node-capabilities-before-mount
|
||||
experimental-cluster-signing-duration
|
||||
experimental-cri
|
||||
experimental-dockershim
|
||||
experimental-dockershim-root-directory
|
||||
|
@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
|
||||
// clusterSigningCertFile is the filename containing a PEM-encoded
|
||||
// RSA or ECDSA private key used to issue cluster-scoped certificates
|
||||
ClusterSigningKeyFile string
|
||||
// clusterSigningDuration is the length of duration signed certificates
|
||||
// will be given.
|
||||
ClusterSigningDuration metav1.Duration
|
||||
// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
|
||||
// from the kubelet bootstrapping group automatically.
|
||||
// WARNING: this grants all users with access to the certificates API group
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||
@ -35,20 +36,13 @@ import (
|
||||
"github.com/cloudflare/cfssl/signer/local"
|
||||
)
|
||||
|
||||
var onlySigningPolicy = &config.Signing{
|
||||
Default: &config.SigningProfile{
|
||||
Usage: []string{"signing"},
|
||||
Expiry: helpers.OneYear,
|
||||
ExpiryString: "8760h",
|
||||
},
|
||||
}
|
||||
|
||||
func NewCSRSigningController(
|
||||
client clientset.Interface,
|
||||
csrInformer certificatesinformers.CertificateSigningRequestInformer,
|
||||
caFile, caKeyFile string,
|
||||
certificateDuration time.Duration,
|
||||
) (*certificates.CertificateController, error) {
|
||||
signer, err := newCFSSLSigner(caFile, caKeyFile, client)
|
||||
signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -60,13 +54,14 @@ func NewCSRSigningController(
|
||||
}
|
||||
|
||||
type cfsslSigner struct {
|
||||
ca *x509.Certificate
|
||||
priv crypto.Signer
|
||||
sigAlgo x509.SignatureAlgorithm
|
||||
client clientset.Interface
|
||||
ca *x509.Certificate
|
||||
priv crypto.Signer
|
||||
sigAlgo x509.SignatureAlgorithm
|
||||
client clientset.Interface
|
||||
certificateDuration time.Duration
|
||||
}
|
||||
|
||||
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
|
||||
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
|
||||
ca, err := ioutil.ReadFile(caFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -92,10 +87,11 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
|
||||
return nil, fmt.Errorf("Malformed private key %v", err)
|
||||
}
|
||||
return &cfsslSigner{
|
||||
priv: priv,
|
||||
ca: parsedCa,
|
||||
sigAlgo: signer.DefaultSigAlgo(priv),
|
||||
client: client,
|
||||
priv: priv,
|
||||
ca: parsedCa,
|
||||
sigAlgo: signer.DefaultSigAlgo(priv),
|
||||
client: client,
|
||||
certificateDuration: certificateDuration,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
|
||||
policy := &config.Signing{
|
||||
Default: &config.SigningProfile{
|
||||
Usage: usages,
|
||||
Expiry: helpers.OneYear,
|
||||
ExpiryString: "8760h",
|
||||
Expiry: s.certificateDuration,
|
||||
ExpiryString: s.certificateDuration.String(),
|
||||
},
|
||||
}
|
||||
cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
|
||||
|
@ -21,13 +21,14 @@ import (
|
||||
"io/ioutil"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"k8s.io/client-go/util/cert"
|
||||
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||
)
|
||||
|
||||
func TestSigner(t *testing.T) {
|
||||
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
|
||||
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create signer: %v", err)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user