From e5902533eb7ab0586fe2ef83720873a8cb021805 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Fri, 24 Jul 2020 15:41:51 -0500
Subject: [PATCH] Add "--cluster-signing-*-file" flags pointing at a host volume mount.

This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer
---
 cmd/placeholder-name/app/app.go | 33 +++++++++++++++++++++++++++++++--
 deploy/deployment.yaml          | 18 ++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/cmd/placeholder-name/app/app.go b/cmd/placeholder-name/app/app.go
index 82a420c9..7b9d726e 100644
--- a/cmd/placeholder-name/app/app.go
+++ b/cmd/placeholder-name/app/app.go
@@ -14,6 +14,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"time"
@@ -49,8 +50,10 @@ type App struct {
 	cmd *cobra.Command
 	// CLI flags
-	configPath      string
-	downwardAPIPath string
+	configPath                 string
+	downwardAPIPath            string
+	clusterSigningCertFilePath string
+	clusterSigningKeyFilePath  string
 	recommendedOptions *genericoptions.RecommendedOptions
 }
@@ -76,6 +79,18 @@ func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App {
 credential from somewhere to an internal credential to be used for
 authenticating to the Kubernetes API.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			clusterSigningCertificatePEM, err := ioutil.ReadFile(a.clusterSigningCertFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing certificate: %w", err)
+			}
+			clusterSigningPrivateKeyPEM, err := ioutil.ReadFile(a.clusterSigningKeyFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing private key: %w", err)
+			}
+			// TODO: use these value for something useful
+			_ = clusterSigningCertificatePEM
+			_ = clusterSigningPrivateKeyPEM
+
 			// Load the Kubernetes client configuration (kubeconfig),
 			kubeConfig, err := restclient.InClusterConfig()
 			if err != nil {
@@ -121,6 +136,20 @@ authenticating to the Kubernetes API.`,
 		"path to Downward API volume mount",
 	)
+	cmd.Flags().StringVar(
+		&a.clusterSigningCertFilePath,
+		"cluster-signing-cert-file",
+		"",
+		"path to cluster signing certificate",
+	)
+
+	cmd.Flags().StringVar(
+		&a.clusterSigningKeyFilePath,
+		"cluster-signing-key-file",
+		"",
+		"path to cluster signing private key",
+	)
+
 	a.cmd = cmd
 	return a
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 764ec5f8..9cfb474b 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -47,6 +47,8 @@ spec:
     metadata:
       labels:
         app: #@ data.values.app_name
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       serviceAccountName: #@ data.values.app_name + "-service-account"
       containers:
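Review bot: The two ioutil.ReadFile results in the RunE body are never checked for being usable PEM before the TODO discards them, so a truncated, empty or wrong-type file only fails later, when the key is first used for signing, instead of at process start. `encoding/pem` is already imported (it is a context line of the import hunk), so the closure can decode both blobs and reject anything that is not a CERTIFICATE block or a private-key block; if the module already depends on crypto/tls, `tls.X509KeyPair` would additionally confirm that the key matches the certificate. Keep the error messages limited to the file path, as the existing ones are, so key bytes never reach logs. The enclosing RunE closure and New continue outside the hunk.
```go
			clusterSigningPrivateKeyPEM, err := ioutil.ReadFile(a.clusterSigningKeyFilePath)
			if err != nil {
				return fmt.Errorf("could not read cluster signing private key: %w", err)
			}
			// Fail at startup rather than on first use if either file is not the PEM we expect.
			if block, _ := pem.Decode(clusterSigningCertificatePEM); block == nil || block.Type != "CERTIFICATE" {
				return fmt.Errorf("cluster signing certificate file %q does not contain a PEM CERTIFICATE block", a.clusterSigningCertFilePath)
			}
			if block, _ := pem.Decode(clusterSigningPrivateKeyPEM); block == nil {
				return fmt.Errorf("cluster signing key file %q does not contain a PEM block", a.clusterSigningKeyFilePath)
			}
			// … unchanged: TODO placeholders and InClusterConfig …
```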
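Review bot: Neither new flag is marked required and both default to "", so a deployment that omits one fails inside RunE with an `open : no such file or directory` error that never names the flag; in the flag-registration hunk add `_ = cmd.MarkFlagRequired("cluster-signing-cert-file")` and `_ = cmd.MarkFlagRequired("cluster-signing-key-file")` (or an explicit empty-path check) so the missing value is reported at parse time. The help strings could also note that the key file is read once at startup and must be readable by the pod's user. New's body starts outside the hunk.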
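Review bot: The `scheduler.alpha.kubernetes.io/critical-pod` annotation added under template.metadata is, as far as I recall, the deprecated alpha mechanism that `priorityClassName: system-cluster-critical` (added in this file's -80 hunk) replaced, and recent Kubernetes releases ignore it; unless the target clusters are old enough to need it, drop the annotation and rely on the priority class alone. If it is kept for compatibility, a one-line `#` comment naming the cluster versions that require it would save the next reader a lookup.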
@@ -62,11 +64,15 @@ spec:
         args:
         - --config=/etc/config/placeholder-name.yaml
         - --downward-api-path=/etc/podinfo
+        - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+        - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
         volumeMounts:
         - name: config-volume
           mountPath: /etc/config
         - name: podinfo
           mountPath: /etc/podinfo
+        - name: k8s-certs
+          mountPath: /etc/kubernetes/pki
       volumes:
       - name: config-volume
         configMap:
@@ -80,3 +86,15 @@ spec:
         - path: "namespace"
           fieldRef:
             fieldPath: metadata.namespace
+      - name: k8s-certs
+        hostPath:
+          path: /etc/kubernetes/pki
+          type: DirectoryOrCreate
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
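Review bot: The new `k8s-certs` volumeMount exposes the whole host `/etc/kubernetes/pki` directory read-write to the container, while the new args only need `ca.crt` and `ca.key`; add `readOnly: true` to the mount so a defect in this pod cannot alter the control plane's key material, and consider two single-file hostPath volumes (`type: File`) instead of the directory so the other keys in that directory are not visible to the pod at all. The container spec starts outside the hunk.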
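Review bot: `type: DirectoryOrCreate` on the k8s-certs hostPath makes the kubelet create an empty `/etc/kubernetes/pki` on any node that lacks one, so a scheduling mismatch surfaces as a confusing read error from the binary instead of a mount failure; `type: Directory` fails fast and never writes to the host. The nodeSelector and tolerations pin the pod to master nodes, which on kubeadm clusters is where the CA key lives, but a `#` comment in the manifest stating that this pod reads the cluster CA private key and therefore must only run on control-plane nodes would make that intent explicit. Whether hostPath volumes are permitted in this namespace by pod admission policy is not visible here.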