github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 11:21:47 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #107327 from SataQiu/kubeadm-cert

Browse Source 
kubeadm: remove the restriction that the ca.crt can only contain one certificate
This commit is contained in:
Kubernetes Prow Robot 2022-01-05 19:08:39 -08:00 committed by GitHub
commit c15e24b128
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmd/kubeadm/app/phases/certs/renewal/readwriter.go
View File

@ -82,10 +82,8 @@ func (rw *pkiCertificateReadWriter) Read() (*x509.Certificate, error) {
return nil, errors.Wrapf(err, "failed to load existing certificate %s", rw.baseName)
}
if len(certs) != 1 {
return nil, errors.Errorf("wanted exactly one certificate, got %d", len(certs))
}
// Safely pick the first one because the sender's certificate must come first in the list.
// For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2
return certs[0], nil
}
@ -145,9 +143,9 @@ func (rw *kubeConfigReadWriter) Read() (*x509.Certificate, error) {
if err != nil {
return nil, errors.Wrapf(err, "failed to load existing certificate %s", rw.baseName)
}
if len(caCerts) != 1 {
return nil, errors.Errorf("wanted exactly one certificate, got %d", len(caCerts))
}
// Safely pick the first one because the sender's certificate must come first in the list.
// For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2
rw.caCert = caCerts[0]
// get current context

4
cmd/kubeadm/app/util/config/cluster.go
View File

@ -183,8 +183,8 @@ func getNodeNameFromKubeletConfig(fileName string) (string, error) {
return "", errors.Errorf("invalid kubeconfig file %s. x509 certificate expected", fileName)
}
// We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one
// TODO: Support multiple certs here in order to be able to rotate certs
// Safely pick the first one because the sender's certificate must come first in the list.
// For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2
cert := certs[0]
// gets the node name from the certificate common name

4
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View File

@ -291,8 +291,8 @@ func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) {
return nil, errors.Wrapf(err, "couldn't load the certificate file %s", certificatePath)
}
// We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one
// TODO: Support multiple certs here in order to be able to rotate certs
// Safely pick the first one because the sender's certificate must come first in the list.
// For details, see: https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2
cert := certs[0]
return cert, nil