Don't issue certs for features not enabled

2020-08-16 22:49:57 -07:00 · 2020-08-16 22:49:57 -07:00 · d05f9a3eff
parent b6947ccaee
commit d05f9a3eff
4 changed files with 25 additions and 7 deletions
--- a/cmd/kops-controller/pkg/config/options.go
+++ b/cmd/kops-controller/pkg/config/options.go
@ -43,6 +43,8 @@ type ServerOptions struct {
 	CABasePath string `json:"caBasePath"`
 	// SigningCAs is the list of active signing CAs.
 	SigningCAs []string `json:"signingCAs"`
+	// CertNames is the list of active certificate names.
+	CertNames []string `json:"certNames"`
 }

 type ServerProviderOptions struct {
--- a/cmd/kops-controller/pkg/server/BUILD.bazel
+++ b/cmd/kops-controller/pkg/server/BUILD.bazel
@ -14,6 +14,7 @@ go_library(
        "//pkg/pki:go_default_library",
        "//pkg/rbac:go_default_library",
        "//upup/pkg/fi:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//vendor/k8s.io/klog:go_default_library",
    ],
 )
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@ -29,6 +29,7 @@ import (
 	"runtime/debug"
 	"time"

+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog"
 	"k8s.io/kops/cmd/kops-controller/pkg/config"
 	"k8s.io/kops/pkg/apis/nodeup"
@ -38,10 +39,11 @@ import (
 )

 type Server struct {
-	opt      *config.Options
-	server   *http.Server
-	verifier fi.Verifier
-	keystore pki.Keystore
+	opt       *config.Options
+	certNames sets.String
+	server    *http.Server
+	verifier  fi.Verifier
+	keystore  pki.Keystore
 }

 func NewServer(opt *config.Options, verifier fi.Verifier) (*Server, error) {
@ -54,9 +56,10 @@ func NewServer(opt *config.Options, verifier fi.Verifier) (*Server, error) {
 	}

 	s := &Server{
-		opt:      opt,
-		server:   server,
-		verifier: verifier,
+		opt:       opt,
+		certNames: sets.NewString(opt.Server.CertNames...),
+		server:    server,
+		verifier:  verifier,
 	}
 	r := http.NewServeMux()
 	r.Handle("/bootstrap", http.HandlerFunc(s.bootstrap))
@ -158,6 +161,9 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 		Validity:  time.Hour * time.Duration(validHours),
 	}

+	if !s.certNames.Has(name) {
+		return "", fmt.Errorf("key name not enabled")
+	}
 	switch name {
 	case "kubelet":
 		issueReq.Subject = pkix.Name{
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@ -383,6 +383,14 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 	}

 	if tf.UseKopsControllerForNodeBootstrap() {
+		certNames := []string{"kubelet"}
+		if cluster.Spec.KubeProxy.Enabled == nil || *cluster.Spec.KubeProxy.Enabled {
+			certNames = append(certNames, "kube-proxy")
+		}
+		if cluster.Spec.Networking.Kuberouter != nil {
+			certNames = append(certNames, "kube-router")
+		}
+
 		pkiDir := "/etc/kubernetes/kops-controller/pki"
 		config.Server = &kopscontrollerconfig.ServerOptions{
 			Listen:                fmt.Sprintf(":%d", wellknownports.KopsControllerPort),
@ -390,6 +398,7 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 			ServerKeyPath:         path.Join(pkiDir, "kops-controller.key"),
 			CABasePath:            pkiDir,
 			SigningCAs:            []string{fi.CertificateIDCA},
+			CertNames:             certNames,
 		}

 		switch kops.CloudProviderID(cluster.Spec.CloudProvider) {