Merge pull request #58968 from deads2k/server-07-deadarg

Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. remove --tls-ca-file which had no effect The flag has had no effect since we started configuring loopback based on the direct cert. I've marked it deprecated this release so we don't break launch scripts right away, but its coming. I think we should remove it in 1.11. ```release-note-action-required kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before ugprading to 1.11. ```
2025-07-24 04:06:03 +00:00 · 2018-01-29 13:48:42 -08:00 · 2018-01-29 13:48:42 -08:00 · d8f32b2917
commit d8f32b2917
parent da601bc72a 114711f77d
3 changed files with 5 additions and 32 deletions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@ -554,7 +554,6 @@ function start_apiserver {
      --secure-port="${API_SECURE_PORT}" \
      --tls-cert-file="${CERT_DIR}/serving-kube-apiserver.crt" \
      --tls-private-key-file="${CERT_DIR}/serving-kube-apiserver.key" \
-      --tls-ca-file="${CERT_DIR}/server-ca.crt" \
      --insecure-bind-address="${API_HOST_IP}" \
      --insecure-port="${API_PORT}" \
      --storage-backend=${STORAGE_BACKEND} \
--- a/staging/src/k8s.io/apiserver/pkg/server/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config.go
@ -216,10 +216,6 @@ type SecureServingInfo struct {
 	// allowed to be in SNICerts.
 	Cert *tls.Certificate

-	// CACert is an optional certificate authority used for the loopback connection of the Admission controllers.
-	// If this is nil, the certificate authority is extracted from Cert or a matching SNI certificate.
-	CACert *tls.Certificate
-
 	// SNICerts are the TLS certificates by name used for SNI.
 	SNICerts map[string]*tls.Certificate

--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@ -18,9 +18,7 @@ package options

 import (
 	"crypto/tls"
-	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"path"
 	"strconv"
@ -69,8 +67,6 @@ type CertKey struct {
 type GeneratableKeyCert struct {
 	CertKey CertKey

-	// CACertFile is an optional file containing the certificate chain for CertKey.CertFile
-	CACertFile string
 	// CertDirectory is a directory that will contain the certificates.  If the cert and key aren't specifically set
 	// this will be used to derive a match with the "pair-name"
 	CertDirectory string
@ -135,11 +131,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile,
 		"File containing the default x509 private key matching --tls-cert-file.")

-	fs.StringVar(&s.ServerCert.CACertFile, "tls-ca-file", s.ServerCert.CACertFile, "If set, this "+
-		"certificate authority will used for secure access from Admission "+
-		"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+
-		"can be appended to the certificate provided by --tls-cert-file.")
-
 	fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
 		"Comma-separated list of cipher suites for the server. "+
 			"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
@ -157,6 +148,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 		"trump over extracted names. For multiple key/certificate pairs, use the "+
 		"--tls-sni-cert-key multiple times. "+
 		"Examples: \"example.crt,example.key\" or \"foo.crt,foo.key:*.foo.com,foo.com\".")
+
+	// TODO remove this flag in 1.11.  The flag had no effect before this will prevent scripts from immediately failing on upgrade.
+	fs.String("tls-ca-file", "", "This flag has no effect.")
+	fs.MarkDeprecated("tls-ca-file", "This flag has no effect.")
+
 }

 func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
@ -230,24 +226,6 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 		secureServingInfo.Cert = &tlsCert
 	}

-	// optionally load CA cert
-	if len(s.ServerCert.CACertFile) != 0 {
-		pemData, err := ioutil.ReadFile(s.ServerCert.CACertFile)
-		if err != nil {
-			return fmt.Errorf("failed to read certificate authority from %q: %v", s.ServerCert.CACertFile, err)
-		}
-		block, pemData := pem.Decode(pemData)
-		if block == nil {
-			return fmt.Errorf("no certificate found in certificate authority file %q", s.ServerCert.CACertFile)
-		}
-		if block.Type != "CERTIFICATE" {
-			return fmt.Errorf("expected CERTIFICATE block in certiticate authority file %q, found: %s", s.ServerCert.CACertFile, block.Type)
-		}
-		secureServingInfo.CACert = &tls.Certificate{
-			Certificate: [][]byte{block.Bytes},
-		}
-	}
-
 	if len(s.CipherSuites) != 0 {
 		cipherSuites, err := utilflag.TLSCipherSuites(s.CipherSuites)
 		if err != nil {