Merge pull request #62643 from xiangpengzhao/fix-front-proxy

Automatic merge from submit-queue (batch tested with PRs 62481, 62643, 61877, 62515). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Not validating front proxy CA Key when using External CA.

**What this PR does / why we need it**:
"That the front ca key is not required as the front proxy client tls keypair can be managed by the third party." This PR no longer validates the front proxy CA key; it only checks whether the key already exists.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes https://github.com/kubernetes/kubeadm/issues/752

**Special notes for your reviewer**:
@yanndegat @timothysc @stealthybox @fabriziopandini 

**Release note**:

```release-note
NONE
```
Kubernetes Submit Queue 2018-04-18 17:53:12 -07:00 committed by GitHub
commit 0c58c5e15e
3 changed files with 23 additions and 12 deletions


@ -611,8 +611,9 @@ type certKeyLocation struct {
uxName string
}
// UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case when the CA Cert
// is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller.
// UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case
// when both the CA Cert and the front proxy CA Cert are present but the CA Key and front proxy CA Key are not.
// This allows us to, e.g., skip generating certs or not start the csr signing controller.
func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil {
@ -621,7 +622,7 @@ func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
caKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName)
if _, err := os.Stat(caKeyPath); !os.IsNotExist(err) {
return false, fmt.Errorf("ca.key exists")
return false, fmt.Errorf("%s exists", kubeadmconstants.CAKeyName)
}
if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, kubeadmconstants.APIServerCertAndKeyBaseName, "API server"}); err != nil {
@ -636,10 +637,15 @@ func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
return false, err
}
if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, "", "front-proxy CA"}); err != nil {
if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, "", "front-proxy CA"}); err != nil {
return false, err
}
frontProxyCAKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)
if _, err := os.Stat(frontProxyCAKeyPath); !os.IsNotExist(err) {
return false, fmt.Errorf("%s exists", kubeadmconstants.FrontProxyCAKeyName)
}
if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, kubeadmconstants.FrontProxyClientCertAndKeyBaseName, "front-proxy client"}); err != nil {
return false, err
}
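Review bot: The new front-proxy key check at `if _, err := os.Stat(frontProxyCAKeyPath); !os.IsNotExist(err)` reports "front-proxy-ca.key exists" for any stat failure that is not ENOENT, so a permission error or an unreadable directory is surfaced to the operator as "key exists" and silently disables the external-CA path with a misleading reason. The shape mirrors the pre-existing ca.key check a few lines above, so the same caveat applies there, but the new code should distinguish the two outcomes. Splitting the condition keeps the "exists" message for the real case and wraps every other stat error with its cause. UsingExternalCA continues past the end of this hunk.
```go
frontProxyCAKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)
if _, err := os.Stat(frontProxyCAKeyPath); err == nil {
	return false, fmt.Errorf("%s exists", kubeadmconstants.FrontProxyCAKeyName)
} else if !os.IsNotExist(err) {
	return false, fmt.Errorf("cannot stat %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
}
// … unchanged: validateSignedCert for the front-proxy client …
```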


@ -466,6 +466,7 @@ func TestUsingExternalCA(t *testing.T) {
setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
CreatePKIAssets,
deleteCAKey,
deleteFrontProxyCAKey,
},
expected: true,
},
@ -583,16 +584,17 @@ func TestValidateMethods(t *testing.T) {
}
func deleteCAKey(cfg *kubeadmapi.MasterConfiguration) error {
if err := os.Remove(filepath.Join(cfg.CertificatesDir, "ca.key")); err != nil {
return fmt.Errorf("failed removing ca.key: %v", err)
if err := os.Remove(filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName)); err != nil {
return fmt.Errorf("failed removing %s: %v", kubeadmconstants.CAKeyName, err)
}
return nil
}
func assertIsCa(t *testing.T, cert *x509.Certificate) {
if !cert.IsCA {
t.Error("cert is not a valida CA")
func deleteFrontProxyCAKey(cfg *kubeadmapi.MasterConfiguration) error {
if err := os.Remove(filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)); err != nil {
return fmt.Errorf("failed removing %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
}
return nil
}
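Review bot: The only new TestUsingExternalCA case visible in this section deletes both `ca.key` and `front-proxy-ca.key`, so the branch the production change introduces — CA key absent but front-proxy CA key still present, which now makes UsingExternalCA return the "front-proxy-ca.key exists" error — appears to have no covering case; the rest of the table is outside the hunk, so this may already exist further up. If not, a case with `setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{CreatePKIAssets, deleteCAKey}` and `expected: false` would pin it. Separately, `deleteFrontProxyCAKey` duplicates `deleteCAKey` verbatim except for the constant; a single `deleteKeyFile(cfg, kubeadmconstants.FrontProxyCAKeyName)` helper wrapped in a closure at the call site would remove the copy.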
func TestCreateCertificateFilesMethods(t *testing.T) {


@ -967,10 +967,13 @@ func TestGetControllerManagerCommandExternalCA(t *testing.T) {
t.Errorf("failed creating pki assets: %v", err)
}
// delete ca.key if test.caKeyPresent is false
// delete ca.key and front-proxy-ca.key if test.caKeyPresent is false
if !test.caKeyPresent {
if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, "ca.key")); err != nil {
t.Errorf("failed removing ca.key: %v", err)
if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.CAKeyName)); err != nil {
t.Errorf("failed removing %s: %v", kubeadmconstants.CAKeyName, err)
}
if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)); err != nil {
t.Errorf("failed removing %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
}
}