From d22a29cf6646c91c9ea507345f78f3df4c8a20bd Mon Sep 17 00:00:00 2001
From: Ryan Fowler
Date: Tue, 8 Sep 2015 11:35:32 -0500
Subject: [PATCH] Block apiserver startup on certificate

With some regularity, if the root certificate file needs to be generated the apiserver could come up on the non-secure port before the cert was generated. `hack/local-up-cluster.sh` requires that apiserver.crt exists before the replication controller starts. Otherwise service accounts and secrets don't work. This change just takes the certificate handling code out of the `go`.
---
 cmd/kube-apiserver/app/server.go | 29 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 158ddde7a12..f14fea3b5d0 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -505,23 +505,24 @@ func (s *APIServer) Run(_ []string) error {
 }
 glog.Infof("Serving securely on %s", secureLocation)
+ if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
+ s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt")
+ s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key")
+ // TODO (cjcullen): Is PublicAddress the right address to sign a cert with?
+ alternateIPs := []net.IP{config.ServiceReadWriteIP}
+ alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
+ // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
+ // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
+ if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
+ glog.Errorf("Unable to generate self signed cert: %v", err)
+ } else {
+ glog.Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
+ }
+ }
+
 go func() {
 defer util.HandleCrash()
 for {
- if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
- s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt")
- s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key")
- // TODO (cjcullen): Is PublicAddress the right address to sign a cert with?
- alternateIPs := []net.IP{config.ServiceReadWriteIP}
- alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
- // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
- // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
- if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
- glog.Errorf("Unable to generate self signed cert: %v", err)
- } else {
- glog.Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
- }
- }
 // err == systemd.SdNotifyNoSocket when not running on a systemd system
 if err := systemd.SdNotify("READY=1\n"); err != nil && err != systemd.SdNotifyNoSocket {
 glog.Errorf("Unable to send systemd daemon successful start message: %v\n", err)
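Review bot: When `util.GenerateSelfSignedCert` fails, the moved block still only logs via `glog.Errorf` and falls through with `s.TLSCertFile`/`s.TLSPrivateKeyFile` already pointing at files that were never written, so `Run` appears to carry on toward the `go func()` below and the later TLS setup with no usable serving certificate; since `Run` returns an error, the failure case should be returned rather than logged, e.g. replace the `glog.Errorf` branch with `return fmt.Errorf("generating self-signed cert: %v", err)` (assuming `fmt` is imported, which this hunk does not show). Returning makes the "block startup on certificate" intent hold for the failure case as well as the ordering case the commit fixes. A smaller point: `glog.Infof("Serving securely on %s", secureLocation)` now prints before the certificate has been generated, so it would read more honestly after the new block. Whether the non-secure listener is already up at this point is outside the hunk, so I cannot tell from here whether a generation failure would leave the apiserver serving only on the insecure port.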