Merge pull request #78556 from neolit123/kubeadm-certs-order

kubeadm: apply deterministic order to certificate phases
2025-08-04 09:49:50 +00:00 · 2019-06-14 05:32:24 -07:00 · 2019-06-14 05:32:24 -07:00 · fadb63c7eb
commit fadb63c7eb
parent 70b46ca5fb 2413713c4e
2 changed files with 46 additions and 10 deletions
--- a/cmd/kubeadm/app/cmd/phases/init/certs.go
+++ b/cmd/kubeadm/app/cmd/phases/init/certs.go
@ -86,17 +86,19 @@ func newCertSubPhases() []workflow.Phase {
 	subPhases = append(subPhases, allPhase)
-	certTree, _ := certsphase.GetDefaultCertList().AsMap().CertTree()
+	// This loop assumes that GetDefaultCertList() always returns a list of
-
+	// certificate that is preceded by the CAs that sign them.
-	for ca, certList := range certTree {
+	var lastCACert *certsphase.KubeadmCert
-		caPhase := newCertSubPhase(ca, runCAPhase(ca))
+	for _, cert := range certsphase.GetDefaultCertList() {
-		subPhases = append(subPhases, caPhase)
+		var phase workflow.Phase
-
+		if cert.CAName == "" {
-		for _, cert := range certList {
+			phase = newCertSubPhase(cert, runCAPhase(cert))
-			certPhase := newCertSubPhase(cert, runCertPhase(cert, ca))
+			lastCACert = cert
-			certPhase.LocalFlags = localFlags()
+		} else {
-			subPhases = append(subPhases, certPhase)
+			phase = newCertSubPhase(cert, runCertPhase(cert, lastCACert))
 			phase.LocalFlags = localFlags()
 		}
 		subPhases = append(subPhases, phase)
 	}
 	// SA creates the private/public key pair, which doesn't use x509 at all
--- a/cmd/kubeadm/app/phases/certs/certlist_test.go
+++ b/cmd/kubeadm/app/phases/certs/certlist_test.go
@ -29,6 +29,40 @@ import (
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )
 func TestCertListOrder(t *testing.T) {
 	tests := []struct {
 		certs Certificates
 		name  string
 	}{
 		{
 			name:  "Default Certificate List",
 			certs: GetDefaultCertList(),
 		},
 		{
 			name:  "Cert list less etcd",
 			certs: GetCertsWithoutEtcd(),
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			var lastCA *KubeadmCert
 			for i, cert := range test.certs {
 				if i > 0 && lastCA == nil {
 					t.Fatalf("CA not present in list before certificate %q", cert.Name)
 				}
 				if cert.CAName == "" {
 					lastCA = cert
 				} else {
 					if cert.CAName != lastCA.Name {
 						t.Fatalf("expected CA name %q, got %q, for certificate %q", lastCA.Name, cert.CAName, cert.Name)
 					}
 				}
 			}
 		})
 	}
 }
 func TestCAPointersValid(t *testing.T) {
 	tests := []struct {
 		certs Certificates