From d6b29c9cccac30ed64aa3adfbb73b2ff10979ca4 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Steenis
Date: Fri, 6 Sep 2019 21:41:42 +0200
Subject: [PATCH] Do not fetch kube-admin certificate from host(s)
---
 pki/deploy.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pki/deploy.go b/pki/deploy.go
index d550e4d2..bbea6abe 100644
--- a/pki/deploy.go
+++ b/pki/deploy.go
@@ -201,7 +201,8 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
 // Return error if the certificate file is not found but only if its not etcd or request header certificate
 if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&
 certName != RequestHeaderCACertName &&
- certName != APIProxyClientCertName {
+ certName != APIProxyClientCertName &&
+ certName != KubeAdminCertName {
 // IsErrNotFound doesn't catch this because it's a custom error
 if isFileNotFoundErr(err) {
 return nil, fmt.Errorf("Certificate %s is not found", GetCertTempPath(certName))
@@ -212,7 +213,8 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
 // If I can't find an etcd or request header ca I will not fail and will create it later.
 if crt == "" && (strings.HasPrefix(certName, "kube-etcd") ||
 certName == RequestHeaderCACertName ||
- certName == APIProxyClientCertName) {
+ certName == APIProxyClientCertName ||
+ certName == KubeAdminCertName) {
 tmpCerts[certName] = CertificatePKI{}
 continue
 }
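Review bot: Adding `KubeAdminCertName` to the first condition skips the whole error branch for that name, so any fetch error for the kube-admin certificate is ignored, not only a missing file. The second hunk then records an empty `CertificatePKI{}` whenever `crt` is empty. Because this is the cluster-admin client credential, consider exempting only the `isFileNotFoundErr(err)` case so that a host read failure still surfaces instead of leading, presumably, to a silent regeneration later. The comments above both conditions are now stale and could read `// ... unless it is an etcd, request header CA, API proxy client or kube-admin certificate`. The same four names are listed twice, negated and positive, so a shared predicate would keep the two lists from drifting. The commit title says the certificate is not fetched, yet in these hunks a copy that exists on a host still appears to pass through; the fetch call and the rest of `FetchCertificatesFromHost` lie outside the hunks, so that part is inferred.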