Fix requestheaqder ca certificate regeneration

2025-07-19 09:46:38 +00:00 · 2018-09-08 02:23:47 +02:00 · 2018-09-08 02:23:47 +02:00 · 00e317250d
commit 00e317250d
parent 67448c38c6
1 changed files with 10 additions and 3 deletions
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@ -126,6 +126,8 @@ func getClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, etcd
 		pki.KubeControllerCertName,
 		pki.KubeSchedulerCertName,
 		pki.KubeAdminCertName,
+		pki.APIProxyClientCertName,
+		pki.RequestHeaderCACertName,
 	}

 	for _, etcdHost := range etcdHosts {
@ -136,11 +138,16 @@ func getClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, etcd
 	certMap := make(map[string]pki.CertificatePKI)
 	for _, certName := range certificatesNames {
 		secret, err := k8s.GetSecret(kubeClient, certName)
-		if err != nil && !strings.HasPrefix(certName, "kube-etcd") {
+		if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&
+			!strings.Contains(certName, pki.RequestHeaderCACertName) &&
+			!strings.Contains(certName, pki.APIProxyClientCertName) {
 			return nil, err
 		}
-		// If I can't find an etcd cert, I will not fail and will create it later.
-		if (secret == nil || secret.Data == nil) && strings.HasPrefix(certName, "kube-etcd") {
+		// If I can't find an etcd, requestheader, or proxy client cert, I will not fail and will create it later.
+		if (secret == nil || secret.Data == nil) &&
+			(strings.HasPrefix(certName, "kube-etcd") ||
+				strings.Contains(certName, pki.RequestHeaderCACertName) ||
+				strings.Contains(certName, pki.APIProxyClientCertName)) {
 			certMap[certName] = pki.CertificatePKI{}
 			continue
 		}