Merge pull request #46058 from jcbsmpsn/configure-certificate-duration
Automatic merge from submit-queue. Add support for specifying the certificate duration at runtime.
commit
bcad534ebc
@ -42,6 +42,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
|
|||||||
ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
|
ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
|
||||||
ctx.Options.ClusterSigningCertFile,
|
ctx.Options.ClusterSigningCertFile,
|
||||||
ctx.Options.ClusterSigningKeyFile,
|
ctx.Options.ClusterSigningKeyFile,
|
||||||
|
ctx.Options.ClusterSigningDuration.Duration,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Failed to start certificate controller: %v", err)
|
glog.Errorf("Failed to start certificate controller: %v", err)
|
||||||
|
@ -17,6 +17,7 @@ go_library(
|
|||||||
"//pkg/controller/garbagecollector:go_default_library",
|
"//pkg/controller/garbagecollector:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
"//pkg/features:go_default_library",
|
||||||
"//pkg/master/ports:go_default_library",
|
"//pkg/master/ports:go_default_library",
|
||||||
|
"//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
|
||||||
"//vendor/github.com/spf13/pflag:go_default_library",
|
"//vendor/github.com/spf13/pflag:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
||||||
|
@ -35,6 +35,7 @@ import (
|
|||||||
// add the kubernetes feature gates
|
// add the kubernetes feature gates
|
||||||
_ "k8s.io/kubernetes/pkg/features"
|
_ "k8s.io/kubernetes/pkg/features"
|
||||||
|
|
||||||
|
"github.com/cloudflare/cfssl/helpers"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -112,6 +113,7 @@ func NewCMServer() *CMServer {
|
|||||||
GCIgnoredResources: gcIgnoredResources,
|
GCIgnoredResources: gcIgnoredResources,
|
||||||
ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
|
ClusterSigningCertFile: "/etc/kubernetes/ca/ca.pem",
|
||||||
ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
|
ClusterSigningKeyFile: "/etc/kubernetes/ca/ca.key",
|
||||||
|
ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
|
||||||
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
|
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
|
||||||
EnableTaintManager: true,
|
EnableTaintManager: true,
|
||||||
HorizontalPodAutoscalerUseRESTClients: false,
|
HorizontalPodAutoscalerUseRESTClients: false,
|
||||||
@ -192,6 +194,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
|
|||||||
fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
|
fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
|
||||||
fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
|
fs.StringVar(&s.ClusterSigningCertFile, "cluster-signing-cert-file", s.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates")
|
||||||
fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
|
fs.StringVar(&s.ClusterSigningKeyFile, "cluster-signing-key-file", s.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates")
|
||||||
|
fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
|
||||||
fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
|
fs.StringVar(&s.ApproveAllKubeletCSRsForGroup, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "The group for which the controller-manager will auto approve all CSRs for kubelet client certificates.")
|
||||||
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
|
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
|
||||||
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
|
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
|
||||||
|
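Review bot: The new `experimental-cluster-signing-duration` flag registered with DurationVar accepts any value, including zero and negative durations, and nothing in this hunk constrains it. The help text should state the constraint and the trade-off, since a certificate issued by the CSR signing controller stays usable until its NotAfter and there is no revocation path here: `"The length of duration signed certificates will be given. Must be positive; longer durations extend how long an issued certificate remains valid."`. Enforcing the positive-value rule belongs in the signer constructor rather than in flag parsing, so the flag help only documents it.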
@ -242,6 +242,7 @@ experimental-allowed-unsafe-sysctls
|
|||||||
experimental-bootstrap-kubeconfig
|
experimental-bootstrap-kubeconfig
|
||||||
experimental-bootstrap-token-auth
|
experimental-bootstrap-token-auth
|
||||||
experimental-check-node-capabilities-before-mount
|
experimental-check-node-capabilities-before-mount
|
||||||
|
experimental-cluster-signing-duration
|
||||||
experimental-cri
|
experimental-cri
|
||||||
experimental-dockershim
|
experimental-dockershim
|
||||||
experimental-dockershim-root-directory
|
experimental-dockershim-root-directory
|
||||||
|
@ -836,6 +836,9 @@ type KubeControllerManagerConfiguration struct {
|
|||||||
// clusterSigningCertFile is the filename containing a PEM-encoded
|
// clusterSigningCertFile is the filename containing a PEM-encoded
|
||||||
// RSA or ECDSA private key used to issue cluster-scoped certificates
|
// RSA or ECDSA private key used to issue cluster-scoped certificates
|
||||||
ClusterSigningKeyFile string
|
ClusterSigningKeyFile string
|
||||||
|
// clusterSigningDuration is the length of duration signed certificates
|
||||||
|
// will be given.
|
||||||
|
ClusterSigningDuration metav1.Duration
|
||||||
// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
|
// approveAllKubeletCSRs tells the CSR controller to approve all CSRs originating
|
||||||
// from the kubelet bootstrapping group automatically.
|
// from the kubelet bootstrapping group automatically.
|
||||||
// WARNING: this grants all users with access to the certificates API group
|
// WARNING: this grants all users with access to the certificates API group
|
||||||
|
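Review bot: The new field comment `// clusterSigningDuration is the length of duration signed certificates will be given.` reads awkwardly and does not say which component consumes the value. Suggest `// clusterSigningDuration is the validity period of certificates issued by the CSR signing controller.`, keeping the lower-case field-name opener the neighbouring comments in this struct use. The struct definition continues outside the hunk.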
@ -23,6 +23,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
|
"time"
|
||||||
|
|
||||||
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||||
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
|
||||||
@ -35,20 +36,13 @@ import (
|
|||||||
"github.com/cloudflare/cfssl/signer/local"
|
"github.com/cloudflare/cfssl/signer/local"
|
||||||
)
|
)
|
||||||
|
|
||||||
var onlySigningPolicy = &config.Signing{
|
|
||||||
Default: &config.SigningProfile{
|
|
||||||
Usage: []string{"signing"},
|
|
||||||
Expiry: helpers.OneYear,
|
|
||||||
ExpiryString: "8760h",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewCSRSigningController(
|
func NewCSRSigningController(
|
||||||
client clientset.Interface,
|
client clientset.Interface,
|
||||||
csrInformer certificatesinformers.CertificateSigningRequestInformer,
|
csrInformer certificatesinformers.CertificateSigningRequestInformer,
|
||||||
caFile, caKeyFile string,
|
caFile, caKeyFile string,
|
||||||
|
certificateDuration time.Duration,
|
||||||
) (*certificates.CertificateController, error) {
|
) (*certificates.CertificateController, error) {
|
||||||
signer, err := newCFSSLSigner(caFile, caKeyFile, client)
|
signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
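Review bot: certificateDuration is passed from NewCSRSigningController into newCFSSLSigner and from there into the signing profile without any range check, so a zero or negative value is only discovered when the first CSR is signed, or possibly not at all if cfssl accepts a negative expiry and issues already-expired certificates (I have not verified cfssl's policy validation from this page). Rejecting it at construction makes a misconfigured controller fail at startup instead of silently failing every CSR later: in newCFSSLSigner, whose body continues outside its hunk, add before the ReadFile call `if certificateDuration <= 0 { return nil, fmt.Errorf("certificate duration must be positive, got %v", certificateDuration) }` (fmt is already imported in this file). The same unchecked value flows through the newCFSSLSigner signature hunk and the sign() Expiry/ExpiryString hunk below, so one check here covers all three.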
@ -64,9 +58,10 @@ type cfsslSigner struct {
|
|||||||
priv crypto.Signer
|
priv crypto.Signer
|
||||||
sigAlgo x509.SignatureAlgorithm
|
sigAlgo x509.SignatureAlgorithm
|
||||||
client clientset.Interface
|
client clientset.Interface
|
||||||
|
certificateDuration time.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfsslSigner, error) {
|
func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
|
||||||
ca, err := ioutil.ReadFile(caFile)
|
ca, err := ioutil.ReadFile(caFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -96,6 +91,7 @@ func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface) (*cfss
|
|||||||
ca: parsedCa,
|
ca: parsedCa,
|
||||||
sigAlgo: signer.DefaultSigAlgo(priv),
|
sigAlgo: signer.DefaultSigAlgo(priv),
|
||||||
client: client,
|
client: client,
|
||||||
|
certificateDuration: certificateDuration,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -122,8 +118,8 @@ func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.Certifica
|
|||||||
policy := &config.Signing{
|
policy := &config.Signing{
|
||||||
Default: &config.SigningProfile{
|
Default: &config.SigningProfile{
|
||||||
Usage: usages,
|
Usage: usages,
|
||||||
Expiry: helpers.OneYear,
|
Expiry: s.certificateDuration,
|
||||||
ExpiryString: "8760h",
|
ExpiryString: s.certificateDuration.String(),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
|
cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
|
||||||
|
@ -21,13 +21,14 @@ import (
|
|||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"k8s.io/client-go/util/cert"
|
"k8s.io/client-go/util/cert"
|
||||||
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
capi "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestSigner(t *testing.T) {
|
func TestSigner(t *testing.T) {
|
||||||
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil)
|
s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("failed to create signer: %v", err)
|
t.Fatalf("failed to create signer: %v", err)
|
||||||
}
|
}
|
||||||
|
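Review bot: TestSigner now passes `1*time.Hour` to newCFSSLSigner, but the hunk adds no assertion that the issued certificate's validity reflects that value, so the new parameter is plumbed through the test without being tested; the body of TestSigner continues outside this hunk. After the signed certificate is parsed, check that `cert.NotAfter.Sub(cert.NotBefore)` is close to `1*time.Hour` using a tolerance rather than exact equality, since cfssl may backdate NotBefore (not verified from this page). A second case with a different duration would also show the value is not ignored in favour of the old one-year constant.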