github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-20 09:33:52 +00:00
Code Issues Projects Releases Wiki Activity

allow setting different certificates for kube-controller-managed CSR signers

Browse Source
This commit is contained in:
David Eads
2020-05-06 16:02:31 -04:00
parent a26e5881d8
commit e88fecf26b
9 changed files with 556 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/controller/certificates/signer/config/types.go
View File

@@ -28,7 +28,27 @@ type CSRSigningControllerConfiguration struct {
// clusterSigningCertFile is the filename containing a PEM-encoded
// RSA or ECDSA private key used to issue cluster-scoped certificates
ClusterSigningKeyFile string
// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
KubeletServingSignerConfiguration CSRSigningConfiguration
// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
KubeletClientSignerConfiguration CSRSigningConfiguration
// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
ClusterSigningDuration metav1.Duration
}
// CSRSigningConfiguration holds information about a particular CSR signer
type CSRSigningConfiguration struct {
// certFile is the filename containing a PEM-encoded
// X509 CA certificate used to issue certificates
CertFile string
// keyFile is the filename containing a PEM-encoded
// RSA or ECDSA private key used to issue certificates
KeyFile string
}

6
pkg/controller/certificates/signer/config/v1alpha1/defaults.go
View File

@@ -34,12 +34,6 @@ import (
// run it in your wrapper struct of this type in its `SetDefaults_` method.
func RecommendedDefaultCSRSigningControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.CSRSigningControllerConfiguration) {
zero := metav1.Duration{}
if obj.ClusterSigningCertFile == "" {
obj.ClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
}
if obj.ClusterSigningKeyFile == "" {
obj.ClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
}
if obj.ClusterSigningDuration == zero {
obj.ClusterSigningDuration = metav1.Duration{Duration: 365 * 24 * time.Hour}
}