Merge pull request kubernetes#90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers

Author: k8s-ci-robot

api/api-rules/violation_exceptions.list

@@ -472,9 +472,15 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,
 API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,Type
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,AttachDetachControllerConfiguration,DisableAttachDetachReconcilerSync
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,AttachDetachControllerConfiguration,ReconcilerSyncLoopPeriod
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningConfiguration,CertFile
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningConfiguration,KeyFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningCertFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningDuration
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,ClusterSigningKeyFile
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeAPIServerClientSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeletClientSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,KubeletServingSignerConfiguration
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CSRSigningControllerConfiguration,LegacyUnknownSignerConfiguration
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CloudProviderConfiguration,CloudConfigFile
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CloudProviderConfiguration,Name
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,DaemonSetControllerConfiguration,ConcurrentDaemonSetSyncs

cmd/kube-controller-manager/app/BUILD

@@ -160,9 +160,13 @@ go_library(
 
 go_test(
     name = "go_default_test",
-    srcs = ["core_test.go"],
+    srcs = [
+        "certificates_test.go",
+        "core_test.go",
+    ],
     embed = [":go_default_library"],
     deps = [
+        "//pkg/controller/certificates/signer/config:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/client-go/discovery:go_default_library",
         "//staging/src/k8s.io/client-go/discovery/fake:go_default_library",

cmd/kube-controller-manager/app/certificates.go

@@ -22,14 +22,11 @@ package app
 
 import (
 	"fmt"
-	"os"
-
 	"net/http"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
-	kubeoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
 	"k8s.io/kubernetes/pkg/controller/certificates/approver"
 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
 	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
@@ -44,87 +41,129 @@ func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error
 		klog.Warningf("Resource %s is not available now", gvr.String())
 		return nil, false, nil
 	}
-	if ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == "" {
+	missingSingleSigningFile := ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == ""
+	if missingSingleSigningFile && !anySpecificFilesSet(ctx.ComponentConfig.CSRSigningController) {
 		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified")
 		return nil, false, nil
 	}
-
-	// Deprecation warning for old defaults.
-	//
-	// * If the signing cert and key are the default paths but the files
-	// exist, warn that the paths need to be specified explicitly in a
-	// later release and the defaults will be removed. We don't expect this
-	// to be the case.
-	//
-	// * If the signing cert and key are default paths but the files don't exist,
-	// bail out of startController without logging.
-	var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
-
-	_, err := os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile)
-	certFileExists = !os.IsNotExist(err)
-
-	certUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == kubeoptions.DefaultClusterSigningCertFile)
-
-	_, err = os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile)
-	keyFileExists = !os.IsNotExist(err)
-
-	keyUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == kubeoptions.DefaultClusterSigningKeyFile)
-
-	switch {
-	case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
-		klog.Warningf("You might be using flag defaulting for --cluster-signing-cert-file and" +
-			" --cluster-signing-key-file. These defaults are deprecated and will be removed" +
-			" in a subsequent release. Please pass these options explicitly.")
-	case (!keyFileExists && keyUsesDefault) && (!certFileExists && certUsesDefault):
-		// This is what we expect right now if people aren't
-		// setting up the signing controller. This isn't
-		// actually a problem since the signer is not a
-		// required controller.
-		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified and the default files are missing")
-		return nil, false, nil
-	default:
-		// Note that '!filesExist && !usesDefaults' is obviously
-		// operator error. We don't handle this case here and instead
-		// allow it to be handled by NewCSR... below.
+	if !missingSingleSigningFile && anySpecificFilesSet(ctx.ComponentConfig.CSRSigningController) {
+		return nil, false, fmt.Errorf("cannot specify default and per controller certs at the same time")
 	}
 
 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
 	csrInformer := ctx.InformerFactory.Certificates().V1().CertificateSigningRequests()
 	certTTL := ctx.ComponentConfig.CSRSigningController.ClusterSigningDuration.Duration
-	caFile, caKeyFile := getKubeletServingSignerFiles(ctx.ComponentConfig.CSRSigningController)
 
-	// TODO get different signer cert and key files for each signer when we add flags.
-
-	kubeletServingSigner, err := signer.NewKubeletServingCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
-	if err != nil {
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kubelet-serving certificate controller: %v", err)
+	if kubeletServingSignerCertFile, kubeletServingSignerKeyFile := getKubeletServingSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeletServingSignerCertFile) > 0 || len(kubeletServingSignerKeyFile) > 0 {
+		kubeletServingSigner, err := signer.NewKubeletServingCSRSigningController(c, csrInformer, kubeletServingSignerCertFile, kubeletServingSignerKeyFile, certTTL)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kubelet-serving certificate controller: %v", err)
+		}
+		go kubeletServingSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kubelet-serving")
 	}
-	go kubeletServingSigner.Run(1, ctx.Stop)
 
-	kubeletClientSigner, err := signer.NewKubeletClientCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
-	if err != nil {
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client-kubelet certificate controller: %v", err)
+	if kubeletClientSignerCertFile, kubeletClientSignerKeyFile := getKubeletClientSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeletClientSignerCertFile) > 0 || len(kubeletClientSignerKeyFile) > 0 {
+		kubeletClientSigner, err := signer.NewKubeletClientCSRSigningController(c, csrInformer, kubeletClientSignerCertFile, kubeletClientSignerKeyFile, certTTL)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client-kubelet certificate controller: %v", err)
+		}
+		go kubeletClientSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kube-apiserver-client-kubelet")
 	}
-	go kubeletClientSigner.Run(1, ctx.Stop)
 
-	kubeAPIServerClientSigner, err := signer.NewKubeAPIServerClientCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
-	if err != nil {
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client certificate controller: %v", err)
+	if kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile := getKubeAPIServerClientSignerFiles(ctx.ComponentConfig.CSRSigningController); len(kubeAPIServerSignerCertFile) > 0 || len(kubeAPIServerSignerKeyFile) > 0 {
+		kubeAPIServerClientSigner, err := signer.NewKubeAPIServerClientCSRSigningController(c, csrInformer, kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile, certTTL)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client certificate controller: %v", err)
+		}
+		go kubeAPIServerClientSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/kube-apiserver-client")
 	}
-	go kubeAPIServerClientSigner.Run(1, ctx.Stop)
 
-	legacyUnknownSigner, err := signer.NewLegacyUnknownCSRSigningController(c, csrInformer, caFile, caKeyFile, certTTL)
-	if err != nil {
-		return nil, false, fmt.Errorf("failed to start kubernetes.io/legacy-unknown certificate controller: %v", err)
+	if legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile := getLegacyUnknownSignerFiles(ctx.ComponentConfig.CSRSigningController); len(legacyUnknownSignerCertFile) > 0 || len(legacyUnknownSignerKeyFile) > 0 {
+		legacyUnknownSigner, err := signer.NewLegacyUnknownCSRSigningController(c, csrInformer, legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile, certTTL)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to start kubernetes.io/legacy-unknown certificate controller: %v", err)
+		}
+		go legacyUnknownSigner.Run(1, ctx.Stop)
+	} else {
+		klog.V(2).Infof("skipping CSR signer controller %q because specific files were specified for other signers and not this one.", "kubernetes.io/legacy-unknown")
 	}
-	go legacyUnknownSigner.Run(1, ctx.Stop)
 
 	return nil, true, nil
 }
 
-// getKubeletServingSignerFiles returns the cert and key for signing.
-// TODO we will extended this for each signer so that it prefers the specific flag (to be added) and falls back to the single flag
+func areKubeletServingSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.KubeletServingSignerConfiguration.CertFile) > 0 || len(config.KubeletServingSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+func areKubeletClientSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.KubeletClientSignerConfiguration.CertFile) > 0 || len(config.KubeletClientSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func areKubeAPIServerClientSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.KubeAPIServerClientSignerConfiguration.CertFile) > 0 || len(config.KubeAPIServerClientSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func areLegacyUnknownSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	if len(config.LegacyUnknownSignerConfiguration.CertFile) > 0 || len(config.LegacyUnknownSignerConfiguration.KeyFile) > 0 {
+		// if only one is specified, it will error later during construction
+		return true
+	}
+	return false
+}
+
+func anySpecificFilesSet(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
+	return areKubeletServingSignerFilesSpecified(config) ||
+		areKubeletClientSignerFilesSpecified(config) ||
+		areKubeAPIServerClientSignerFilesSpecified(config) ||
+		areLegacyUnknownSignerFilesSpecified(config)
+}
+
 func getKubeletServingSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeletServingSignerConfiguration.CertFile, config.KubeletServingSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getKubeletClientSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeletClientSignerConfiguration.CertFile, config.KubeletClientSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getKubeAPIServerClientSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.KubeAPIServerClientSignerConfiguration.CertFile, config.KubeAPIServerClientSignerConfiguration.KeyFile
+	}
+	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
+}
+
+func getLegacyUnknownSignerFiles(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string) {
+	// if any cert/key is set for specific CSR signing loops, then the --cluster-signing-{cert,key}-file are not used for any CSR signing loop.
+	if anySpecificFilesSet(config) {
+		return config.LegacyUnknownSignerConfiguration.CertFile, config.LegacyUnknownSignerConfiguration.KeyFile
+	}
 	return config.ClusterSigningCertFile, config.ClusterSigningKeyFile
 }