From daf48769f2ba8f8365b6d0efe0710ca29be3e56d Mon Sep 17 00:00:00 2001
From: David Eads
Date: Fri, 15 Feb 2019 08:51:34 -0500
Subject: [PATCH] require kubelet serving certs

---
 bindata/v3.11.0/kube-apiserver/defaultconfig.yaml | 3 +--
 .../resourcesynccontroller.go | 15 +++++++++++++++
 pkg/operator/v311_00_assets/bindata.go | 3 +--
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/bindata/v3.11.0/kube-apiserver/defaultconfig.yaml b/bindata/v3.11.0/kube-apiserver/defaultconfig.yaml
index 023226d9e1..10ade15c0d 100644
--- a/bindata/v3.11.0/kube-apiserver/defaultconfig.yaml
+++ b/bindata/v3.11.0/kube-apiserver/defaultconfig.yaml
@@ -84,8 +84,7 @@ imagePolicyConfig:
 externalRegistryHostname: ""
 internalRegistryHostname: docker-registry.default.svc:5000
 kubeletClientInfo:
- # empty until it's properly secured
- ca: ""
+ ca: /etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt
 certFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
 keyFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
 port: 10250
diff --git a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
index 14993d4776..b11d9d36ea 100644
--- a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
+++ b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
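Review bot: The new `ca:` value hard-references `configmaps/kubelet-serving-ca/ca-bundle.crt` under the static-pod resources, but nothing in this patch shows the static-pod manifest projecting the `kubelet-serving-ca` configmap or that the synced configmap carries a `ca-bundle.crt` key; the Go hunk only adds the namespace-to-namespace sync. Where the previous `ca: ""` let the apiserver talk to kubelets without server verification, a missing or empty bundle now presumably surfaces as a startup or kubelet-connection error instead of a silently unverified connection, so the mount and key name are worth confirming before merge (the bindata.go hunk is the generated copy of this file and carries the same change). Once the CA is set, the apiserver also validates each kubelet serving certificate against the node address it dials, so the bundle must be the issuer of certs whose SANs cover the node names/IPs actually used; that is likely handled by whatever issues the kubelet serving certs, but it is not visible here.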
@@ -21,18 +21,21 @@ func NewResourceSyncController(
 v1helpers.CachedConfigMapGetter(kubeClient.CoreV1(), kubeInformersForNamespaces),
 eventRecorder,
 )
+
 if err := resourceSyncController.SyncConfigMap(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "etcd-serving-ca"},
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.EtcdNamespaceName, Name: "etcd-serving-ca"},
 ); err != nil {
 return nil, err
 }
+
 if err := resourceSyncController.SyncSecret(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "etcd-client"},
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.EtcdNamespaceName, Name: "etcd-client"},
 ); err != nil {
 return nil, err
 }
+
 // this configmap holds the cert used to verify SA token JWTs created by the bootstrap kube-controller-manager
 if err := resourceSyncController.SyncConfigMap(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "initial-sa-token-signing-certs"},
@@ -40,6 +43,7 @@ func NewResourceSyncController(
 ); err != nil {
 return nil, err
 }
+
 // this configmaps holds the certs used to verify the SA token JWTs created by the kube-controller-manager-operator
 if err := resourceSyncController.SyncConfigMap(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-controller-manager-sa-token-signing-certs"},
@@ -56,6 +60,7 @@ func NewResourceSyncController(
 ); err != nil {
 return nil, err
 }
+
 // this secret contains the serving cert/key pair for the kube-apiserver
 // TODO this will logically become two secrets: one for the ELB/default, another for the loopback and service network
 if err := resourceSyncController.SyncSecret(
@@ -72,6 +77,7 @@ func NewResourceSyncController(
 ); err != nil {
 return nil, err
 }
+
 // this ca bundle contains certs used by the kube-apiserver to verify client certs
 if err := resourceSyncController.SyncConfigMap(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-client-ca"},
@@ -79,6 +85,7 @@ func NewResourceSyncController(
 ); err != nil {
 return nil, err
 }
+
 // this ca bundle contains certs provided by the kube-apiserver to verify aggregator client certs
 if err := resourceSyncController.SyncConfigMap(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-aggregator-client-ca"},
@@ -87,5 +94,13 @@ func NewResourceSyncController(
 return nil, err
 }
 
+ // this ca bundle contains certs that can be used to verify a kubelet
+ if err := resourceSyncController.SyncConfigMap(
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kubelet-serving-ca"},
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kubelet-serving-ca"},
+ ); err != nil {
+ return nil, err
+ }
+
 return resourceSyncController, nil
 }
diff --git a/pkg/operator/v311_00_assets/bindata.go b/pkg/operator/v311_00_assets/bindata.go
index 591ca5c224..197a9ca88e 100644
--- a/pkg/operator/v311_00_assets/bindata.go
+++ b/pkg/operator/v311_00_assets/bindata.go
@@ -161,8 +161,7 @@ imagePolicyConfig:
 externalRegistryHostname: ""
 internalRegistryHostname: docker-registry.default.svc:5000
 kubeletClientInfo:
- # empty until it's properly secured
- ca: ""
+ ca: /etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt
 certFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
 keyFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
 port: 10250
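Review bot: The comment added above the `kubelet-serving-ca` sync says the bundle "can be used to verify a kubelet" but, unlike the sibling comments that name the kube-apiserver as the consumer, it does not say who reads it or under which key, which is exactly what a maintainer needs when the sync and the static-pod config drift apart. Suggest `// this ca bundle contains certs used by the kube-apiserver to verify kubelet serving certs; the static pod reads it as configmaps/kubelet-serving-ca/ca-bundle.crt (kubeletClientInfo.ca in defaultconfig.yaml)`. It is also worth stating in that comment that the apiserver config now hard-requires the file, so a failed or missing sync here is a functional error rather than a cosmetic one. `NewResourceSyncController` begins outside the hunk.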