Add "--cluster-signing-*-file" flags pointing at a host volume mount.

This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

cmd/placeholder-name/app/app.go

@@ -14,6 +14,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"time"
 
@@ -49,8 +50,10 @@ type App struct {
 	cmd *cobra.Command
 
 	// CLI flags
-	configPath      string
+	configPath                 string
-	downwardAPIPath string
+	downwardAPIPath            string
+	clusterSigningCertFilePath string
+	clusterSigningKeyFilePath  string
 
 	recommendedOptions *genericoptions.RecommendedOptions
 }
@@ -76,6 +79,18 @@ func New(ctx context.Context, args []string, stdout, stderr io.Writer) *App {
 credential from somewhere to an internal credential to be used for
 authenticating to the Kubernetes API.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			clusterSigningCertificatePEM, err := ioutil.ReadFile(a.clusterSigningCertFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing certificate: %w", err)
+			}
+			clusterSigningPrivateKeyPEM, err := ioutil.ReadFile(a.clusterSigningKeyFilePath)
+			if err != nil {
+				return fmt.Errorf("could not read cluster signing private key: %w", err)
+			}
+			// TODO: use these value for something useful
+			_ = clusterSigningCertificatePEM
+			_ = clusterSigningPrivateKeyPEM
+
 			// Load the Kubernetes client configuration (kubeconfig),
 			kubeConfig, err := restclient.InClusterConfig()
 			if err != nil {
@@ -121,6 +136,20 @@ authenticating to the Kubernetes API.`,
 		"path to Downward API volume mount",
 	)
 
+	cmd.Flags().StringVar(
+		&a.clusterSigningCertFilePath,
+		"cluster-signing-cert-file",
+		"",
+		"path to cluster signing certificate",
+	)
+
+	cmd.Flags().StringVar(
+		&a.clusterSigningKeyFilePath,
+		"cluster-signing-key-file",
+		"",
+		"path to cluster signing private key",
+	)
+
 	a.cmd = cmd
 
 	return a

deploy/deployment.yaml

@@ -47,6 +47,8 @@ spec:
     metadata:
       labels:
         app: #@ data.values.app_name
+    annotations:
+      scheduler.alpha.kubernetes.io/critical-pod: ""
     spec:
       serviceAccountName: #@ data.values.app_name + "-service-account"
       containers:
@@ -62,11 +64,15 @@ spec:
           args:
             - --config=/etc/config/placeholder-name.yaml
             - --downward-api-path=/etc/podinfo
+            - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+            - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
           volumeMounts:
             - name: config-volume
               mountPath: /etc/config
             - name: podinfo
               mountPath: /etc/podinfo
+            - name: k8s-certs
+              mountPath: /etc/kubernetes/pki
       volumes:
         - name: config-volume
           configMap:
@@ -80,3 +86,15 @@ spec:
               - path: "namespace"
                 fieldRef:
                   fieldPath: metadata.namespace
+        - name: k8s-certs
+          hostPath:
+            path: /etc/kubernetes/pki
+            type: DirectoryOrCreate
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master