Add "--cluster-signing-*-file" flags pointing at a host volume mount.

This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 15:41:51 -05:00 · 2020-07-24 15:41:51 -05:00 · 066bc84e2a
commit 066bc84e2a
parent 9f0d2606b1
2 changed files with 49 additions and 2 deletions
--- a/cmd/placeholder-name/app/app.go
+++ b/cmd/placeholder-name/app/app.go
@ -14,6 +14,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"time"

@ -49,8 +50,10 @@ type App struct {
 	cmd *cobra.Command

 	// CLI flags
-	configPath      string
-	downwardAPIPath string
+	configPath                 string
+	downwardAPIPath            string
+	clusterSigningCertFilePath string
+	clusterSigningKeyFilePath  string

 	recommendedOptions *genericoptions.RecommendedOptions
 }
@ -76,6 +79,18 @@ func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App {
 credential from somewhere to an internal credential to be used for
 authenticating to the Kubernetes API.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			clusterSigningCertificatePEM, err := ioutil.ReadFile(a.clusterSigningCertFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing certificate: %w", err)
+			}
+			clusterSigningPrivateKeyPEM, err := ioutil.ReadFile(a.clusterSigningKeyFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing private key: %w", err)
+			}
+			// TODO: use these value for something useful
+			_ = clusterSigningCertificatePEM
+			_ = clusterSigningPrivateKeyPEM
+
 			// Load the Kubernetes client configuration (kubeconfig),
 			kubeConfig, err := restclient.InClusterConfig()
 			if err != nil {
@ -121,6 +136,20 @@ authenticating to the Kubernetes API.`,
 		"path to Downward API volume mount",
 	)

+	cmd.Flags().StringVar(
+		&a.clusterSigningCertFilePath,
+		"cluster-signing-cert-file",
+		"",
+		"path to cluster signing certificate",
+	)
+
+	cmd.Flags().StringVar(
+		&a.clusterSigningKeyFilePath,
+		"cluster-signing-key-file",
+		"",
+		"path to cluster signing private key",
+	)
+
 	a.cmd = cmd

 	return a
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@ -47,6 +47,8 @@ spec:
    metadata:
      labels:
        app: #@ data.values.app_name
+    annotations:
+      scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: #@ data.values.app_name + "-service-account"
      containers:
@ -62,11 +64,15 @@ spec:
          args:
            - --config=/etc/config/placeholder-name.yaml
            - --downward-api-path=/etc/podinfo
+            - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+            - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            - name: podinfo
              mountPath: /etc/podinfo
+            - name: k8s-certs
+              mountPath: /etc/kubernetes/pki
      volumes:
        - name: config-volume
          configMap:
@ -80,3 +86,15 @@ spec:
              - path: "namespace"
                fieldRef:
                  fieldPath: metadata.namespace
+        - name: k8s-certs
+          hostPath:
+            path: /etc/kubernetes/pki
+            type: DirectoryOrCreate
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master