Merge pull request #90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers

Kubernetes-commit: 05f6812c2da4c3af8d133159c06546f464b2d63f

Godeps/Godeps.json

@@ -540,15 +540,15 @@
 		},
 		{
 			"ImportPath": "k8s.io/api",
-			"Rev": "be360156aa6a"
+			"Rev": "e4973e079a11"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
-			"Rev": "8e7d6bb9bd6d"
+			"Rev": "cc2fa4f57325"
 		},
 		{
 			"ImportPath": "k8s.io/client-go",
-			"Rev": "505a1f443178"
+			"Rev": "319dbfd0ed29"
 		},
 		{
 			"ImportPath": "k8s.io/component-base",

config/v1alpha1/types.go

@@ -246,11 +246,31 @@ type CSRSigningControllerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+
+	// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
+	KubeletServingSignerConfiguration CSRSigningConfiguration
+	// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
+	KubeletClientSignerConfiguration CSRSigningConfiguration
+	// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
+	KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
+	// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
+	LegacyUnknownSignerConfiguration CSRSigningConfiguration
+
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 }
 
+// CSRSigningConfiguration holds information about a particular CSR signer
+type CSRSigningConfiguration struct {
+	// certFile is the filename containing a PEM-encoded
+	// X509 CA certificate used to issue certificates
+	CertFile string
+	// keyFile is the filename containing a PEM-encoded
+	// RSA or ECDSA private key used to issue certificates
+	KeyFile string
+}
+
 // DaemonSetControllerConfiguration contains elements describing DaemonSetController.
 type DaemonSetControllerConfiguration struct {
 	// concurrentDaemonSetSyncs is the number of daemonset objects that are

config/v1alpha1/zz_generated.deepcopy.go

@@ -41,9 +41,29 @@ func (in *AttachDetachControllerConfiguration) DeepCopy() *AttachDetachControlle
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
+func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CSRSigningConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
 	*out = *in
+	out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
+	out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
+	out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
+	out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return
 }

go.mod

@@ -5,13 +5,13 @@ module k8s.io/kube-controller-manager
 go 1.13
 
 require (
-	k8s.io/apimachinery v0.0.0-20200713125709-8e7d6bb9bd6d
+	k8s.io/apimachinery v0.0.0-20200713125710-cc2fa4f57325
 	k8s.io/component-base v0.0.0-20200713132432-e98e6e533eb1
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20200713130235-be360156aa6a
+	k8s.io/api => k8s.io/api v0.0.0-20200716171716-e4973e079a11
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200713125709-8e7d6bb9bd6d
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200713125710-cc2fa4f57325
-	k8s.io/client-go => k8s.io/client-go v0.0.0-20200713130841-505a1f443178
+	k8s.io/client-go => k8s.io/client-go v0.0.0-20200713130842-319dbfd0ed29
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20200713132432-e98e6e533eb1
 )

go.sum

@@ -352,9 +352,9 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.0.0-20200713130235-be360156aa6a/go.mod h1:7a4Es5f8qLSh2S2PUf3gP8NdtZFhLKve7TRsSopUcwU=
+k8s.io/api v0.0.0-20200716171716-e4973e079a11/go.mod h1:jXutK3obFCnsfnkm06ePMMz07MzBtfBdwb/tOGaxQDE=
-k8s.io/apimachinery v0.0.0-20200713125709-8e7d6bb9bd6d/go.mod h1:eHbWZVMaaewmYBAUuRYnAmTTMtDhvpPNZuh8/6Yl7v0=
+k8s.io/apimachinery v0.0.0-20200713125710-cc2fa4f57325/go.mod h1:eHbWZVMaaewmYBAUuRYnAmTTMtDhvpPNZuh8/6Yl7v0=
-k8s.io/client-go v0.0.0-20200713130841-505a1f443178/go.mod h1:4DeUSdsqcLMsCjohGuc0/AzpQDCDYsgjd7oq0vlmFQY=
+k8s.io/client-go v0.0.0-20200713130842-319dbfd0ed29/go.mod h1:4DeUSdsqcLMsCjohGuc0/AzpQDCDYsgjd7oq0vlmFQY=
 k8s.io/component-base v0.0.0-20200713132432-e98e6e533eb1/go.mod h1:vP8oeTBkmx6vS0b48FQ1masOyJvdltkTeuaV28yaF8k=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=