From 53de9686763797978fee6f77d00e476cf165a3bb Mon Sep 17 00:00:00 2001
From: Vitor Savian
Date: Fri, 9 May 2025 16:25:44 -0300
Subject: [PATCH] Add generation for kube-scheduler and kube-controller-manager certs (#12285)
* Add generation for kube-scheduler and kube-controller-manager certs
Signed-off-by: Vitor Savian
* Add new certs to the tests
Signed-off-by: Vitor Savian
* Change cert-dir to tls-cert-file and tls-private-key-file
Signed-off-by: Vitor Savian
* Address altName structure
Co-authored-by: Brad Davidson
Signed-off-by: Vitor Savian
---------
Signed-off-by: Vitor Savian
Co-authored-by: Brad Davidson
---
 pkg/daemons/config/types.go | 24 +++++++------
 pkg/daemons/control/deps/deps.go | 23 +++++++++++++
 pkg/daemons/control/server.go | 4 +++
 pkg/util/services/services.go | 4 +++
 pkg/util/services/services_test.go | 54 +++++++++++++++++-------------
 5 files changed, 76 insertions(+), 33 deletions(-)
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 5fb9b8e3b9e..af1361e4e3f 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -334,16 +334,20 @@ type ControlRuntime struct {
 KubeConfigAPIServer string
 KubeConfigCloudController string
- ServingKubeAPICert string
- ServingKubeAPIKey string
- ServingKubeletKey string
- ServerToken string
- AgentToken string
- APIServer http.Handler
- Handler http.Handler
- HTTPBootstrap http.Handler
- Tunnel http.Handler
- Authenticator authenticator.Request
+ ServingKubeAPICert string
+ ServingKubeAPIKey string
+ ServingKubeSchedulerCert string
+ ServingKubeSchedulerKey string
+ ServingKubeControllerCert string
+ ServingKubeControllerKey string
+ ServingKubeletKey string
+ ServerToken string
+ AgentToken string
+ APIServer http.Handler
+ Handler http.Handler
+ HTTPBootstrap http.Handler
+ Tunnel http.Handler
+ Authenticator authenticator.Request
 EgressSelectorConfig string
 CloudControllerConfig string
diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index 2af4d16d325..e3f941b6531 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -143,6 +143,12 @@ func CreateRuntimeCertFiles(config *config.Control) {
 runtime.ServingKubeAPICert = filepath.Join(config.DataDir, "tls", "serving-kube-apiserver.crt")
 runtime.ServingKubeAPIKey = filepath.Join(config.DataDir, "tls", "serving-kube-apiserver.key")
+ runtime.ServingKubeSchedulerCert = filepath.Join(config.DataDir, "tls", "kube-scheduler", "kube-scheduler.crt")
+ runtime.ServingKubeSchedulerKey = filepath.Join(config.DataDir, "tls", "kube-scheduler", "kube-scheduler.key")
+
+ runtime.ServingKubeControllerCert = filepath.Join(config.DataDir, "tls", "kube-controller-manager", "kube-controller-manager.crt")
+ runtime.ServingKubeControllerKey = filepath.Join(config.DataDir, "tls", "kube-controller-manager", "kube-controller-manager.key")
+
 runtime.ClientKubeletKey = filepath.Join(config.DataDir, "tls", "client-kubelet.key")
 runtime.ServingKubeletKey = filepath.Join(config.DataDir, "tls", "serving-kubelet.key")
@@ -440,6 +446,23 @@ func genServerCerts(config *config.Control) error {
 return err
 }
+ altNames = &certutil.AltNames{}
+ addSANs(altNames, []string{"localhost" ,"127.0.0.1", "::1"})
+
+ if _, err := createClientCertKey(regen, "kube-scheduler", nil,
+ altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ runtime.ServerCA, runtime.ServerCAKey,
+ runtime.ServingKubeSchedulerCert, runtime.ServingKubeSchedulerKey); err != nil {
+ return err
+ }
+
+ if _, err := createClientCertKey(regen, "kube-controller-manager", nil,
+ altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ runtime.ServerCA, runtime.ServerCAKey,
+ runtime.ServingKubeControllerCert, runtime.ServingKubeControllerKey); err != nil {
+ return err
+ }
+
 return nil
 }
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 7c7f106057c..8bf7cb28b09 100644
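Review bot: The two new serving keypairs in genServerCerts are deliberately issued with only `x509.ExtKeyUsageServerAuth` and loopback SANs, but nothing in the hunk records why, and the helper's name (`createClientCertKey`) invites a later reader to add `ExtKeyUsageClientAuth` or non-loopback SANs; a comment above `altNames = &certutil.AltNames{}` such as `// kube-scheduler and kube-controller-manager only serve on the loopback bind-address, so their server-CA-signed serving certs carry loopback SANs and ServerAuth only; do not widen this.` would pin the intent. The SAN list `[]string{"localhost" ,"127.0.0.1", "::1"}` is not gofmt-clean; write `[]string{"localhost", "127.0.0.1", "::1"}`. Both calls share the same `altNames` pointer, which is fine as written but fragile if a SAN is ever appended between them. The paths set in the earlier hunk place these certs in new `tls/kube-scheduler` and `tls/kube-controller-manager` subdirectories, unlike the other serving certs that live directly under `tls/`, so this presumably relies on `createClientCertKey` or the certutil writer it calls creating parent directories; worth confirming on a fresh data dir. genServerCerts begins before this hunk.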
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -116,6 +116,8 @@ func controllerManager(ctx context.Context, cfg *config.Control) error {
 "cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
 "root-ca-file": runtime.ServerCA,
 "profiling": "false",
+ "tls-cert-file": runtime.ServingKubeControllerCert,
+ "tls-private-key-file": runtime.ServingKubeControllerKey,
 "bind-address": cfg.Loopback(false),
 "secure-port": "10257",
 "use-service-account-credentials": "true",
@@ -157,6 +159,8 @@ func scheduler(ctx context.Context, cfg *config.Control) error {
 "authentication-kubeconfig": runtime.KubeConfigScheduler,
 "bind-address": cfg.Loopback(false),
 "secure-port": "10259",
+ "tls-cert-file": runtime.ServingKubeSchedulerCert,
+ "tls-private-key-file": runtime.ServingKubeSchedulerKey,
 "profiling": "false",
 }
 if cfg.NoLeaderElect {
diff --git a/pkg/util/services/services.go b/pkg/util/services/services.go
index bdfc468e3ee..7eaf19e18e6 100644
--- a/pkg/util/services/services.go
+++ b/pkg/util/services/services.go
@@ -71,11 +71,15 @@ func FilesForServices(controlConfig config.Control, services []string) (map[stri
 fileMap[service] = []string{
 controlConfig.Runtime.ClientControllerCert,
 controlConfig.Runtime.ClientControllerKey,
+ controlConfig.Runtime.ServingKubeControllerCert,
+ controlConfig.Runtime.ServingKubeControllerKey,
 }
 case Scheduler:
 fileMap[service] = []string{
 controlConfig.Runtime.ClientSchedulerCert,
 controlConfig.Runtime.ClientSchedulerKey,
+ controlConfig.Runtime.ServingKubeSchedulerCert,
+ controlConfig.Runtime.ServingKubeSchedulerKey,
 }
 case ETCD:
 fileMap[service] = []string{
diff --git a/pkg/util/services/services_test.go b/pkg/util/services/services_test.go
index fb169cce233..81b79dd42f3 100644
--- a/pkg/util/services/services_test.go
+++ b/pkg/util/services/services_test.go
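Review bot: The new `tls-cert-file`/`tls-private-key-file` entries in controllerManager change what these components present on their secure ports, but neither hunk says so; without these flags the upstream components presumably fall back to an in-memory self-signed serving certificate, so a short comment above `"tls-cert-file": runtime.ServingKubeControllerCert,` such as `// serve with a server-CA-signed cert so local clients can verify against ServerCA instead of skipping verification` would make the intent explicit, and the same comment belongs on the scheduler hunk. Since the same files are now listed under `FilesForServices` for rotation, it is also worth a note on whether a rotated cert is picked up live or only after the component restarts, as the hunk does not say. The bodies of controllerManager and scheduler start and end outside these hunks.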
@@ -38,29 +38,31 @@ func Test_UnitFilesForServices(t *testing.T) {
 return nil
 },
 want: map[string][]string{
- "admin": []string{
+ "admin": {
 filepath.Join(serverDir, "tls", "client-admin.crt"),
 filepath.Join(serverDir, "tls", "client-admin.key"),
 },
- "api-server": []string{
+ "api-server": {
 filepath.Join(serverDir, "tls", "client-kube-apiserver.crt"),
 filepath.Join(serverDir, "tls", "client-kube-apiserver.key"),
 filepath.Join(serverDir, "tls", "serving-kube-apiserver.crt"),
 filepath.Join(serverDir, "tls", "serving-kube-apiserver.key"),
 },
- "auth-proxy": []string{
+ "auth-proxy": {
 filepath.Join(serverDir, "tls", "client-auth-proxy.crt"),
 filepath.Join(serverDir, "tls", "client-auth-proxy.key"),
 },
- "cloud-controller": []string{
+ "cloud-controller": {
 filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.crt"),
 filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.key"),
 },
- "controller-manager": []string{
+ "controller-manager": {
 filepath.Join(serverDir, "tls", "client-controller.crt"),
 filepath.Join(serverDir, "tls", "client-controller.key"),
+ filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.crt"),
+ filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.key"),
 },
- "etcd": []string{
+ "etcd": {
 filepath.Join(serverDir, "tls", "etcd", "client.crt"),
 filepath.Join(serverDir, "tls", "etcd", "client.key"),
 filepath.Join(serverDir, "tls", "etcd", "server-client.crt"),
@@ -68,19 +70,19 @@ func Test_UnitFilesForServices(t *testing.T) {
 filepath.Join(serverDir, "tls", "etcd", "peer-server-client.crt"),
 filepath.Join(serverDir, "tls", "etcd", "peer-server-client.key"),
 },
- "k3s-controller": []string{
+ "k3s-controller": {
 filepath.Join(serverDir, "tls", "client-k3s-controller.crt"),
 filepath.Join(serverDir, "tls", "client-k3s-controller.key"),
 filepath.Join(agentDir, "client-k3s-controller.crt"),
 filepath.Join(agentDir, "client-k3s-controller.key"),
 },
- "kube-proxy": []string{
+ "kube-proxy": {
 filepath.Join(serverDir, "tls", "client-kube-proxy.crt"),
 filepath.Join(serverDir, "tls", "client-kube-proxy.key"),
 filepath.Join(agentDir, "client-kube-proxy.crt"),
 filepath.Join(agentDir, "client-kube-proxy.key"),
 },
- "kubelet": []string{
+ "kubelet": {
 filepath.Join(serverDir, "tls", "client-kubelet.key"),
 filepath.Join(serverDir, "tls", "serving-kubelet.key"),
 filepath.Join(agentDir, "client-kubelet.crt"),
@@ -88,11 +90,13 @@ func Test_UnitFilesForServices(t *testing.T) {
 filepath.Join(agentDir, "serving-kubelet.crt"),
 filepath.Join(agentDir, "serving-kubelet.key"),
 },
- "scheduler": []string{
+ "scheduler": {
 filepath.Join(serverDir, "tls", "client-scheduler.crt"),
 filepath.Join(serverDir, "tls", "client-scheduler.key"),
+ filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.crt"),
+ filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.key"),
 },
- "supervisor": []string{
+ "supervisor": {
 filepath.Join(serverDir, "tls", "client-supervisor.crt"),
 filepath.Join(serverDir, "tls", "client-supervisor.key"),
 },
@@ -112,29 +116,31 @@ func Test_UnitFilesForServices(t *testing.T) {
 return nil
 },
 want: map[string][]string{
- "admin": []string{
+ "admin": {
 filepath.Join(serverDir, "tls", "client-admin.crt"),
 filepath.Join(serverDir, "tls", "client-admin.key"),
 },
- "api-server": []string{
+ "api-server": {
 filepath.Join(serverDir, "tls", "client-kube-apiserver.crt"),
 filepath.Join(serverDir, "tls", "client-kube-apiserver.key"),
 filepath.Join(serverDir, "tls", "serving-kube-apiserver.crt"),
 filepath.Join(serverDir, "tls", "serving-kube-apiserver.key"),
 },
- "auth-proxy": []string{
+ "auth-proxy": {
 filepath.Join(serverDir, "tls", "client-auth-proxy.crt"),
 filepath.Join(serverDir, "tls", "client-auth-proxy.key"),
 },
- "cloud-controller": []string{
+ "cloud-controller": {
 filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.crt"),
 filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.key"),
 },
- "controller-manager": []string{
+ "controller-manager": {
 filepath.Join(serverDir, "tls", "client-controller.crt"),
 filepath.Join(serverDir, "tls", "client-controller.key"),
+ filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.crt"),
+ filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.key"),
 },
- "etcd": []string{
+ "etcd": {
 filepath.Join(serverDir, "tls", "etcd", "client.crt"),
 filepath.Join(serverDir, "tls", "etcd", "client.key"),
 filepath.Join(serverDir, "tls", "etcd", "server-client.crt"),
@@ -142,11 +148,13 @@ func Test_UnitFilesForServices(t *testing.T) {
 filepath.Join(serverDir, "tls", "etcd", "peer-server-client.crt"),
 filepath.Join(serverDir, "tls", "etcd", "peer-server-client.key"),
 },
- "scheduler": []string{
+ "scheduler": {
 filepath.Join(serverDir, "tls", "client-scheduler.crt"),
 filepath.Join(serverDir, "tls", "client-scheduler.key"),
+ filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.crt"),
+ filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.key"),
 },
- "supervisor": []string{
+ "supervisor": {
 filepath.Join(serverDir, "tls", "client-supervisor.crt"),
 filepath.Join(serverDir, "tls", "client-supervisor.key"),
 },
@@ -166,19 +174,19 @@ func Test_UnitFilesForServices(t *testing.T) {
 return nil
 },
 want: map[string][]string{
- "k3s-controller": []string{
+ "k3s-controller": {
 filepath.Join(serverDir, "tls", "client-k3s-controller.crt"),
 filepath.Join(serverDir, "tls", "client-k3s-controller.key"),
 filepath.Join(agentDir, "client-k3s-controller.crt"),
 filepath.Join(agentDir, "client-k3s-controller.key"),
 },
- "kube-proxy": []string{
+ "kube-proxy": {
 filepath.Join(serverDir, "tls", "client-kube-proxy.crt"),
 filepath.Join(serverDir, "tls", "client-kube-proxy.key"),
 filepath.Join(agentDir, "client-kube-proxy.crt"),
 filepath.Join(agentDir, "client-kube-proxy.key"),
 },
- "kubelet": []string{
+ "kubelet": {
 filepath.Join(serverDir, "tls", "client-kubelet.key"),
 filepath.Join(serverDir, "tls", "serving-kubelet.key"),
 filepath.Join(agentDir, "client-kubelet.crt"),
@@ -202,7 +210,7 @@ func Test_UnitFilesForServices(t *testing.T) {
 return nil
 },
 want: map[string][]string{
- "certificate-authority": []string{
+ "certificate-authority": {
 filepath.Join(serverDir, "tls", "server-ca.crt"),
 filepath.Join(serverDir, "tls", "server-ca.key"),
 filepath.Join(serverDir, "tls", "client-ca.crt"),