Merge pull request #46058 from jcbsmpsn/configure-certificate-duration

Automatic merge from submit-queue Add support for specifying certificate duration at runtime.
2025-07-23 11:50:44 +00:00 · 2017-05-26 11:02:03 -07:00 · 2017-05-26 11:02:03 -07:00 · bcad534ebc
commit bcad534ebc
parent 2ada6e62d5 07e9b0e197
7 changed files with 27 additions and 21 deletions
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
 		ctx.Options.ClusterSigningCertFile,
 		ctx.Options.ClusterSigningKeyFile,
 		ctx.Options.ClusterSigningDuration.Duration,
 	)
 	if err != nil {
 		glog.Errorf("Failed to start certificate controller: %v", err)
--- a/cmd/kube-controller-manager/app/options/BUILD
+++ b/cmd/kube-controller-manager/app/options/BUILD
@ -17,6 +17,7 @@ go_library(
        "//pkg/controller/garbagecollector:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/master/ports:go_default_library",
        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@ -35,6 +35,7 @@ import (
 	// add the kubernetes feature gates
 	_ "k8s.io/kubernetes/pkg/features"
 	"github.com/cloudflare/cfssl/helpers"
 	"github.com/spf13/pflag"
 )
@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
 			GCIgnoredResources:                    gcIgnoredResources,
 			ClusterSigningCertFile:                "/etc/kubernetes/ca/ca.pem",
 			ClusterSigningKeyFile:                 "/etc/kubernetes/ca/ca.key",
 			ClusterSigningDuration:                metav1.Duration{Duration: helpers.OneYear},
 			ReconcilerSyncLoopPeriod:              metav1.Duration{Duration: 60 * time.Second},
 			EnableTaintManager:                    true,
 			HorizontalPodAutoscalerUseRESTClients: false,
@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
 	fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
 	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
 experimental-bootstrap-kubeconfig
 experimental-bootstrap-token-auth
 experimental-check-node-capabilities-before-mount
 experimental-cluster-signing-duration
 experimental-cri
 experimental-dockershim
 experimental-dockershim-root-directory
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 	// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
 	// from the kubelet bootstrapping group automatically.
 	// WARNING: this grants all users with access to the certificates API group
--- a/pkg/controller/certificates/signer/cfssl_signer.go
+++ b/pkg/controller/certificates/signer/cfssl_signer.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
 	"time"
 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
@ -35,20 +36,13 @@ import (
 	"github.com/cloudflare/cfssl/signer/local"
 )
 var onlySigningPolicy = &config.Signing{
 	Default: &config.SigningProfile{
 		Usage:        []string{"signing"},
 		Expiry:       helpers.OneYear,
 		ExpiryString: "8760h",
 	},
 }
 func NewCSRSigningController(
 	client clientset.Interface,
 	csrInformer certificatesinformers.CertificateSigningRequestInformer,
 	caFile, caKeyFile string,
 	certificateDuration time.Duration,
 ) (*certificates.CertificateController, error) {
-	signer, err := newCFSSLSigner(caFile, caKeyFile, client)
+	signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
 	if err != nil {
 		return nil, err
 	}
@ -64,9 +58,10 @@ type cfsslSigner struct {
 	priv                crypto.Signer
 	sigAlgo             x509.SignatureAlgorithm
 	client              clientset.Interface
 	certificateDuration time.Duration
 }
-func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
+func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
 	ca, err := ioutil.ReadFile(caFile)
 	if err != nil {
 		return nil, err
@ -96,6 +91,7 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
 		ca:                  parsedCa,
 		sigAlgo:             signer.DefaultSigAlgo(priv),
 		client:              client,
 		certificateDuration: certificateDuration,
 	}, nil
 }
@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
 	policy := &config.Signing{
 		Default: &config.SigningProfile{
 			Usage:        usages,
-			Expiry:       helpers.OneYear,
+			Expiry:       s.certificateDuration,
-			ExpiryString: "8760h",
+			ExpiryString: s.certificateDuration.String(),
 		},
 	}
 	cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
--- a/pkg/controller/certificates/signer/cfssl_signer_test.go
+++ b/pkg/controller/certificates/signer/cfssl_signer_test.go
@ -21,13 +21,14 @@ import (
 	"io/ioutil"
 	"reflect"
 	"testing"
 	"time"
 	"k8s.io/client-go/util/cert"
 	capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 )
 func TestSigner(t *testing.T) {
-	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
+	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
 	if err != nil {
 		t.Fatalf("failed to create signer: %v", err)
 	}