Merge pull request #46058 from jcbsmpsn/configure-certificate-duration

Automatic merge from submit-queue

Add support for specifying certificate duration at runtime.
This commit is contained in:
Kubernetes Submit Queue 2017-05-26 11:02:03 -07:00 committed by GitHub
commit bcad534ebc
7 changed files with 27 additions and 21 deletions

View File

@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
ctx.Options.ClusterSigningCertFile,
ctx.Options.ClusterSigningKeyFile,
ctx.Options.ClusterSigningDuration.Duration,
)
if err != nil {
glog.Errorf("Failed to start certificate controller: %v", err)

View File

@ -17,6 +17,7 @@ go_library(
"//pkg/controller/garbagecollector:go_default_library",
"//pkg/features:go_default_library",
"//pkg/master/ports:go_default_library",
"//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",

View File

@ -35,6 +35,7 @@ import (
// add the kubernetes feature gates
_ "k8s.io/kubernetes/pkg/features"
"github.com/cloudflare/cfssl/helpers"
"github.com/spf13/pflag"
)
@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
GCIgnoredResources: gcIgnoredResources,
ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
EnableTaintManager: true,
HorizontalPodAutoscalerUseRESTClients: false,
@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")

View File

@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
experimental-bootstrap-kubeconfig
experimental-bootstrap-token-auth
experimental-check-node-capabilities-before-mount
experimental-cluster-signing-duration
experimental-cri
experimental-dockershim
experimental-dockershim-root-directory

View File

@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
// clusterSigningCertFile is the filename containing a PEM-encoded
// RSA or ECDSA private key used to issue cluster-scoped certificates
ClusterSigningKeyFile string
// clusterSigningDuration is the length of duration signed certificates
// will be given.
ClusterSigningDuration metav1.Duration
// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
// from the kubelet bootstrapping group automatically.
// WARNING: this grants all users with access to the certificates API group

View File

@ -23,6 +23,7 @@ import (
"fmt"
"io/ioutil"
"os"
"time"
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
@ -35,20 +36,13 @@ import (
"github.com/cloudflare/cfssl/signer/local"
)
var onlySigningPolicy = &config.Signing{
Default: &config.SigningProfile{
Usage: []string{"signing"},
Expiry: helpers.OneYear,
ExpiryString: "8760h",
},
}
func NewCSRSigningController(
client clientset.Interface,
csrInformer certificatesinformers.CertificateSigningRequestInformer,
caFile, caKeyFile string,
certificateDuration time.Duration,
) (*certificates.CertificateController, error) {
signer, err := newCFSSLSigner(caFile, caKeyFile, client)
signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
if err != nil {
return nil, err
}
@ -60,13 +54,14 @@ func NewCSRSigningController(
}
type cfsslSigner struct {
ca *x509.Certificate
priv crypto.Signer
sigAlgo x509.SignatureAlgorithm
client clientset.Interface
ca *x509.Certificate
priv crypto.Signer
sigAlgo x509.SignatureAlgorithm
client clientset.Interface
certificateDuration time.Duration
}
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
ca, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
@ -92,10 +87,11 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
return nil, fmt.Errorf("Malformed private key %v", err)
}
return &cfsslSigner{
priv: priv,
ca: parsedCa,
sigAlgo: signer.DefaultSigAlgo(priv),
client: client,
priv: priv,
ca: parsedCa,
sigAlgo: signer.DefaultSigAlgo(priv),
client: client,
certificateDuration: certificateDuration,
}, nil
}
@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
policy := &config.Signing{
Default: &config.SigningProfile{
Usage: usages,
Expiry: helpers.OneYear,
ExpiryString: "8760h",
Expiry: s.certificateDuration,
ExpiryString: s.certificateDuration.String(),
},
}
cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)

View File

@ -21,13 +21,14 @@ import (
"io/ioutil"
"reflect"
"testing"
"time"
"k8s.io/client-go/util/cert"
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
)
func TestSigner(t *testing.T) {
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
if err != nil {
t.Fatalf("failed to create signer: %v", err)
}