Skip to content

provide ca bundle for trusting the kube-apiserver #290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
deads2k merged 1 commit into from
Feb 22, 2019
Merged

provide ca bundle for trusting the kube-apiserver #290

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions bindata/bootkube/manifests/configmap-initial-kube-apiserver-serving-ca.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: initial-kube-apiserver-server-ca
namespace: openshift-config
data:
ca-bundle.crt: |
{{ .Assets | load "kube-ca.crt" | indent 4 }}

26 changes: 26 additions & 0 deletions pkg/operator/targetconfigcontroller/targetconfigcontroller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,10 @@ func createTargetConfig(c TargetConfigController, recorder events.Recorder, oper
if err != nil {
errors = append(errors, fmt.Errorf("%q: %v", "configmap/kubelet-serving-ca", err))
}
_, _, err = manageKubeAPIServerCABundle(c.configMapLister, c.kubeClient.CoreV1(), recorder)
if err != nil {
errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-server-ca", err))
}

if len(errors) > 0 {
condition := operatorv1.OperatorCondition{
Expand Down Expand Up @@ -270,6 +274,28 @@ func manageClientCABundle(lister corev1listers.ConfigMapLister, client coreclien
return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
}

func manageKubeAPIServerCABundle(lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-server-ca"},
lister,
nil, // TODO remove this
nil, // TODO remove this
// this is from the installer and contains the value they think we should have
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "initial-kube-apiserver-server-ca"},
// this bundle is what this operator uses to mint loadbalancers certs
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "loadbalancer-serving-ca"},
// this bundle is what this operator uses to mint localhost certs
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "localhost-serving-ca"},
// this bundle is what a user uses to mint service-network certs
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "service-network-serving-ca"},
)
if err != nil {
return nil, false, err
}

return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
}

func manageKubeletServingCABundle(lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kubelet-serving-ca"},
Expand Down