首頁 探索 說明
登入
tzeneto
/
custom-kube-scheduler
關註 1
讚好 0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: 7e8b047bed
分支列表 標籤列表
custom-kube-...
/
kubernetes
/
cmd
/
kube-controller-manager
/
app
/
certificates.go

certificates.go 6.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package app implements a server that runs a set of active
    18. 

  18. // components.  This includes replication controllers, service endpoints and
    19. 

  19. // nodes.
    20. 

  20. //
    21. 

  21. package app
    22. 

  22. 

  23. import (
    24. 

  24. 	"fmt"
    25. 

  25. 	"os"
    26. 

  26. 

  27. 	"k8s.io/klog"
    28. 

  28. 

  29. 	"net/http"
    30. 

  30. 

  31. 	"k8s.io/apimachinery/pkg/runtime/schema"
    32. 

  32. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    33. 

  33. 	kubeoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
    34. 

  34. 	"k8s.io/kubernetes/pkg/controller/certificates/approver"
    35. 

  35. 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
    36. 

  36. 	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
    37. 

  37. 	"k8s.io/kubernetes/pkg/controller/certificates/signer"
    38. 

  38. 	"k8s.io/kubernetes/pkg/features"
    39. 

  39. )
    40. 

  40. 

  41. func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) {
    42. 

  42. 	gvr := schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}
    43. 

  43. 	if !ctx.AvailableResources[gvr] {
    44. 

  44. 		klog.Warningf("Resource %s is not available now", gvr.String())
    45. 

  45. 		return nil, false, nil
    46. 

  46. 	}
    47. 

  47. 	if ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == "" {
    48. 

  48. 		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified")
    49. 

  49. 		return nil, false, nil
    50. 

  50. 	}
    51. 

  51. 

  52. 	// Deprecation warning for old defaults.
    53. 

  53. 	//
    54. 

  54. 	// * If the signing cert and key are the default paths but the files
    55. 

  55. 	// exist, warn that the paths need to be specified explicitly in a
    56. 

  56. 	// later release and the defaults will be removed. We don't expect this
    57. 

  57. 	// to be the case.
    58. 

  58. 	//
    59. 

  59. 	// * If the signing cert and key are default paths but the files don't exist,
    60. 

  60. 	// bail out of startController without logging.
    61. 

  61. 	var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
    62. 

  62. 

  63. 	_, err := os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile)
    64. 

  64. 	certFileExists = !os.IsNotExist(err)
    65. 

  65. 

  66. 	certUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == kubeoptions.DefaultClusterSigningCertFile)
    67. 

  67. 

  68. 	_, err = os.Stat(ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile)
    69. 

  69. 	keyFileExists = !os.IsNotExist(err)
    70. 

  70. 

  71. 	keyUsesDefault = (ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == kubeoptions.DefaultClusterSigningKeyFile)
    72. 

  72. 

  73. 	switch {
    74. 

  74. 	case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
    75. 

  75. 		klog.Warningf("You might be using flag defaulting for --cluster-signing-cert-file and" +
    76. 

  76. 			" --cluster-signing-key-file. These defaults are deprecated and will be removed" +
    77. 

  77. 			" in a subsequent release. Please pass these options explicitly.")
    78. 

  78. 	case (!keyFileExists && keyUsesDefault) && (!certFileExists && certUsesDefault):
    79. 

  79. 		// This is what we expect right now if people aren't
    80. 

  80. 		// setting up the signing controller. This isn't
    81. 

  81. 		// actually a problem since the signer is not a
    82. 

  82. 		// required controller.
    83. 

  83. 		klog.V(2).Info("skipping CSR signer controller because no csr cert/key was specified and the default files are missing")
    84. 

  84. 		return nil, false, nil
    85. 

  85. 	default:
    86. 

  86. 		// Note that '!filesExist && !usesDefaults' is obviously
    87. 

  87. 		// operator error. We don't handle this case here and instead
    88. 

  88. 		// allow it to be handled by NewCSR... below.
    89. 

  89. 	}
    90. 

  90. 

  91. 	c := ctx.ClientBuilder.ClientOrDie("certificate-controller")
    92. 

  92. 

  93. 	signer, err := signer.NewCSRSigningController(
    94. 

  94. 		c,
    95. 

  95. 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
    96. 

  96. 		ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile,
    97. 

  97. 		ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile,
    98. 

  98. 		ctx.ComponentConfig.CSRSigningController.ClusterSigningDuration.Duration,
    99. 

  99. 	)
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, false, fmt.Errorf("failed to start certificate controller: %v", err)
    102. 

  102. 	}
    103. 

  103. 	go signer.Run(1, ctx.Stop)
    104. 

  104. 

  105. 	return nil, true, nil
    106. 

  106. }
    107. 

  107. 

  108. func startCSRApprovingController(ctx ControllerContext) (http.Handler, bool, error) {
    109. 

  109. 	gvr := schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}
    110. 

  110. 	if !ctx.AvailableResources[gvr] {
    111. 

  111. 		klog.Warningf("Resource %s is not available now", gvr.String())
    112. 

  112. 		return nil, false, nil
    113. 

  113. 	}
    114. 

  114. 

  115. 	approver := approver.NewCSRApprovingController(
    116. 

  116. 		ctx.ClientBuilder.ClientOrDie("certificate-controller"),
    117. 

  117. 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
    118. 

  118. 	)
    119. 

  119. 	go approver.Run(1, ctx.Stop)
    120. 

  120. 

  121. 	return nil, true, nil
    122. 

  122. }
    123. 

  123. 

  124. func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error) {
    125. 

  125. 	cleaner := cleaner.NewCSRCleanerController(
    126. 

  126. 		ctx.ClientBuilder.ClientOrDie("certificate-controller").CertificatesV1beta1().CertificateSigningRequests(),
    127. 

  127. 		ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
    128. 

  128. 	)
    129. 

  129. 	go cleaner.Run(1, ctx.Stop)
    130. 

  130. 	return nil, true, nil
    131. 

  131. }
    132. 

  132. 

  133. func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) {
    134. 

  134. 	if !utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
    135. 

  135. 		return nil, false, nil
    136. 

  136. 	}
    137. 

  137. 

  138. 	var (
    139. 

  139. 		rootCA []byte
    140. 

  140. 		err    error
    141. 

  141. 	)
    142. 

  142. 	if ctx.ComponentConfig.SAController.RootCAFile != "" {
    143. 

  143. 		if rootCA, err = readCA(ctx.ComponentConfig.SAController.RootCAFile); err != nil {
    144. 

  144. 			return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err)
    145. 

  145. 		}
    146. 

  146. 	} else {
    147. 

  147. 		rootCA = ctx.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData
    148. 

  148. 	}
    149. 

  149. 

  150. 	sac, err := rootcacertpublisher.NewPublisher(
    151. 

  151. 		ctx.InformerFactory.Core().V1().ConfigMaps(),
    152. 

  152. 		ctx.InformerFactory.Core().V1().Namespaces(),
    153. 

  153. 		ctx.ClientBuilder.ClientOrDie("root-ca-cert-publisher"),
    154. 

  154. 		rootCA,
    155. 

  155. 	)
    156. 

  156. 	if err != nil {
    157. 

  157. 		return nil, true, fmt.Errorf("error creating root CA certificate publisher: %v", err)
    158. 

  158. 	}
    159. 

  159. 	go sac.Run(1, ctx.Stop)
    160. 

  160. 	return nil, true, nil
    161. 

  161. }
    162. 

  162.