Merge pull request #46058 from jcbsmpsn/configure-certificate-duration

Automatic merge from submit-queue Add support for specifying certificate duration at runtime.
2025-07-28 22:17:14 +00:00 · 2017-05-26 11:02:03 -07:00 · 2017-05-26 11:02:03 -07:00 · bcad534ebc
commit bcad534ebc
parent 2ada6e62d5 07e9b0e197
7 changed files with 27 additions and 21 deletions
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
 		ctx.Options.ClusterSigningCertFile,
 		ctx.Options.ClusterSigningKeyFile,
+		ctx.Options.ClusterSigningDuration.Duration,
 	)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
--- a/cmd/kube-controller-manager/app/options/BUILD
+++ b/cmd/kube-controller-manager/app/options/BUILD
@ -17,6 +17,7 @@ go_library(
        "//pkg/controller/garbagecollector:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/master/ports:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@ -35,6 +35,7 @@ import (
 	// add the kubernetes feature gates
 	_ "k8s.io/kubernetes/pkg/features"

+	"github.com/cloudflare/cfssl/helpers"
 	"github.com/spf13/pflag"
 )

@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
 			GCIgnoredResources:                    gcIgnoredResources,
 			ClusterSigningCertFile:                "/etc/kubernetes/ca/ca.pem",
 			ClusterSigningKeyFile:                 "/etc/kubernetes/ca/ca.key",
+			ClusterSigningDuration:                metav1.Duration{Duration: helpers.OneYear},
 			ReconcilerSyncLoopPeriod:              metav1.Duration{Duration: 60 * time.Second},
 			EnableTaintManager:                    true,
 			HorizontalPodAutoscalerUseRESTClients: false,
@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
 	fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
+	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
 experimental-bootstrap-kubeconfig
 experimental-bootstrap-token-auth
 experimental-check-node-capabilities-before-mount
+experimental-cluster-signing-duration
 experimental-cri
 experimental-dockershim
 experimental-dockershim-root-directory
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+	// clusterSigningDuration is the length of duration signed certificates
+	// will be given.
+	ClusterSigningDuration metav1.Duration
 	// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
 	// from the kubelet bootstrapping group automatically.
 	// WARNING: this grants all users with access to the certificates API group
--- a/pkg/controller/certificates/signer/cfssl_signer.go
+++ b/pkg/controller/certificates/signer/cfssl_signer.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"time"

 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
@ -35,20 +36,13 @@ import (
 	"github.com/cloudflare/cfssl/signer/local"
 )

-var onlySigningPolicy = &config.Signing{
-	Default: &config.SigningProfile{
-		Usage:        []string{"signing"},
-		Expiry:       helpers.OneYear,
-		ExpiryString: "8760h",
-	},
-}
-
 func NewCSRSigningController(
 	client clientset.Interface,
 	csrInformer certificatesinformers.CertificateSigningRequestInformer,
 	caFile, caKeyFile string,
+	certificateDuration time.Duration,
 ) (*certificates.CertificateController, error) {
-	signer, err := newCFSSLSigner(caFile, caKeyFile, client)
+	signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
 	if err != nil {
 		return nil, err
 	}
@ -60,13 +54,14 @@ func NewCSRSigningController(
 }

 type cfsslSigner struct {
-	ca      *x509.Certificate
-	priv    crypto.Signer
-	sigAlgo x509.SignatureAlgorithm
-	client  clientset.Interface
+	ca                  *x509.Certificate
+	priv                crypto.Signer
+	sigAlgo             x509.SignatureAlgorithm
+	client              clientset.Interface
+	certificateDuration time.Duration
 }

-func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
+func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
 	ca, err := ioutil.ReadFile(caFile)
 	if err != nil {
 		return nil, err
@ -92,10 +87,11 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
 		return nil, fmt.Errorf("Malformed private key %v", err)
 	}
 	return &cfsslSigner{
-		priv:    priv,
-		ca:      parsedCa,
-		sigAlgo: signer.DefaultSigAlgo(priv),
-		client:  client,
+		priv:                priv,
+		ca:                  parsedCa,
+		sigAlgo:             signer.DefaultSigAlgo(priv),
+		client:              client,
+		certificateDuration: certificateDuration,
 	}, nil
 }

@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
 	policy := &config.Signing{
 		Default: &config.SigningProfile{
 			Usage:        usages,
-			Expiry:       helpers.OneYear,
-			ExpiryString: "8760h",
+			Expiry:       s.certificateDuration,
+			ExpiryString: s.certificateDuration.String(),
 		},
 	}
 	cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
--- a/pkg/controller/certificates/signer/cfssl_signer_test.go
+++ b/pkg/controller/certificates/signer/cfssl_signer_test.go
@ -21,13 +21,14 @@ import (
 	"io/ioutil"
 	"reflect"
 	"testing"
+	"time"

 	"k8s.io/client-go/util/cert"
 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 )

 func TestSigner(t *testing.T) {
-	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
+	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
 	if err != nil {
 		t.Fatalf("failed to create signer: %v", err)
 	}