tls: add kube-apiserver-complete-server-ca-bundle.crt

[deads2k]

The KCM and the admin.kubeconfig both need the complete set of certs
to use to trust the KAS.

This is needed so the kube-apiserver can serve with it's shiny new certs. openshift/cluster-kube-apiserver-operator#282

/assign @abhinavdahiya

[staebler]

Please regenerate the asset dependency graph in a separate commit.

https://github.com/openshift/installer/blob/master/docs/design/assetgeneration.md#dependency-graph

[staebler]

Will the kubelet-client-ca-bundle.crt still be used by anything once it is removed from the kubelet kubeconfig?

[deads2k]

Will the kubelet-client-ca-bundle.crt still be used by anything once it is removed from the kubelet kubeconfig?

I think it was wired improperly here before (kube-ca for everyone!). It is logically distinct and is for verifying kubelet clients.

[deads2k]

Please regenerate the asset dependency graph in a separate commit.

https://github.com/openshift/installer/blob/master/docs/design/assetgeneration.md#dependency-graph

done

[abhinavdahiya]

nit:
KAS can use this file to trust the client certificate generated by admin-kubeconfig-signer. just drop kubeapiserver*signer

[deads2k]

I think I deleted these lines. We're trying to create a call bundle to verify the KAS serving cert, not one to verify clients.

[deads2k]

Oh, I understand now. Sure, I'll make it client ca only. Lgty otherwise? An lgtm and hold so I can get it this weekend?

[abhinavdahiya]

Oh, I understand now. Sure, I'll make it client ca only. Lgty otherwise? An lgtm and hold so I can get it this weekend?

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deads2k]

made that client-ca and tagging per comment

[deads2k]

/retest

[deads2k]

/retest

[deads2k]

/test e2e-aws

[deads2k]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[deads2k]

aws, aws, aws

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[deads2k]

/test e2e-aws

[deads2k]

/test e2e-aws

[deads2k]

cadvisor

/retest

[deads2k]

This fixes sa ca.crt bundles. Green, with no overlap to the other AWS one I merged

[openshift-ci-robot]

@deads2k: The following test failed for commit 4ae423d, say /retest to rerun them:

Test name	Details	Rerun command
ci/prow/e2e-aws	link	/test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.