From 0d95f74ef5db69767d086bdd2cadfc6be7b56a42 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Tue, 2 May 2017 10:17:16 -0400
Subject: [PATCH] Create a single CA for both client and server certs

The following test: "Certificates API [It] should support building a client with a CSR" fails with local-up-cluster, but works in the existing CI jobs. This is because the other CI jobs use a single CA cert while local-up-cluster can use 2 different sets of CA(s). We need a way to mimic the other CI jobs (or alternatively change everything to have separate CA's). Just updating local-up-cluster with a flag seems to be the easy route.
---
 hack/local-up-cluster.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index e7ac7f6389..2046389a74 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -441,8 +441,16 @@ function start_apiserver {
 fi

 # Create CA signers
- kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
- kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
+ if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
+ kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
+ sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
+ sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
+ sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
+ else
+ kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
+ kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
+ fi
+

 # Create auth proxy client ca
 kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
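Review bot: The three copies in the single-CA branch call `sudo cp` directly, while the `create_signing_certkey` call next to them passes `${CONTROLPLANE_SUDO}`. The branch therefore requires root even where the rest of the function presumably does not, and the copied `client-ca.key` gets whatever owner and mode `cp` assigns rather than those of `server-ca.key`. Using the same prefix and preserving the mode, e.g. `${CONTROLPLANE_SUDO} cp -p "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"` (likewise for the `.crt` and `-ca-config.json` copies), keeps the private key's permissions consistent. The branch also deserves a comment such as `# Test parity only: one CA key signs serving certs and is trusted for client auth, so the two trust roots are no longer separate`, since `ENABLE_SINGLE_CA_SIGNER` is not documented anywhere in this hunk. `start_apiserver` begins before the hunk and continues after it.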