Merge pull request #74671 from yagonobre/certificate-key

Add certificate-key to kubeadm upload-certs phase, and improve init output

cmd/kubeadm/app/cmd/init.go

@@ -85,6 +85,8 @@ type initOptions struct {
 	bto                     *options.BootstrapTokenOptions
 	externalcfg             *kubeadmapiv1beta1.InitConfiguration
 	uploadCerts             bool
+	certificateKey          string
+	skipCertificateKeyPrint bool
 }
 
 // compile-time assert that the local data object satisfies the phases data interface.
@@ -107,6 +109,7 @@ type initData struct {
 	outputWriter            io.Writer
 	uploadCerts             bool
 	certificateKey          string
+	skipCertificateKeyPrint bool
 }
 
 // NewCmdInit returns "kubeadm init" command.
@@ -241,7 +244,15 @@ func AddInitOtherFlags(flagSet *flag.FlagSet, initOptions *initOptions) {
 	)
 	flagSet.BoolVar(
 		&initOptions.uploadCerts, options.UploadCerts, initOptions.uploadCerts,
-		"Upload certfificates to kubeadm-certs secret.",
+		"Upload control-plane certificates to the kubeadm-certs Secret.",
+	)
+	flagSet.StringVar(
+		&initOptions.certificateKey, options.CertificateKey, "",
+		"Key used to encrypt the control-plane certificates in the kubeadm-certs Secret.",
+	)
+	flagSet.BoolVar(
+		&initOptions.skipCertificateKeyPrint, options.SkipCertificateKeyPrint, initOptions.skipCertificateKeyPrint,
+		"Don't print the key used to encrypt the control-plane certificates.",
 	)
 }
 
@@ -348,6 +359,8 @@ func newInitData(cmd *cobra.Command, args []string, options *initOptions, out io
 		externalCA:              externalCA,
 		outputWriter:            out,
 		uploadCerts:             options.uploadCerts,
+		certificateKey:          options.certificateKey,
+		skipCertificateKeyPrint: options.skipCertificateKeyPrint,
 	}, nil
 }
 
@@ -472,7 +485,7 @@ func (d *initData) Tokens() []string {
 }
 
 func printJoinCommand(out io.Writer, adminKubeConfigPath, token string, i *initData) error {
-	joinCommand, err := cmdutil.GetJoinCommand(adminKubeConfigPath, token, i.certificateKey, i.skipTokenPrint, i.uploadCerts)
+	joinCommand, err := cmdutil.GetJoinCommand(adminKubeConfigPath, token, i.certificateKey, i.skipTokenPrint, i.uploadCerts, i.skipCertificateKeyPrint)
 	if err != nil {
 		return err
 	}

cmd/kubeadm/app/cmd/options/constant.go

@@ -124,4 +124,7 @@ const (
 
 	// CertificateKey flag sets the key used to encrypt and decrypt certificate secrets
 	CertificateKey = "certificate-key"
+
+	// SkipCertificateKeyPrint flag instruct kubeadm to skip printing certificate key used to encrypt certs by 'kubeadm init'.
+	SkipCertificateKeyPrint = "skip-certificate-key-print"
 )

cmd/kubeadm/app/cmd/phases/init/uploadcerts.go

@@ -39,6 +39,7 @@ func NewUploadCertsPhase() workflow.Phase {
 		InheritFlags: []string{
 			options.CfgPath,
 			options.UploadCerts,
+			options.CertificateKey,
 		},
 	}
 }

cmd/kubeadm/app/cmd/token.go

@@ -231,7 +231,8 @@ func RunCreateToken(out io.Writer, client clientset.Interface, cfgPath string, c
 		key := ""
 		skipTokenPrint := false
 		uploadCerts := false
-		joinCommand, err := cmdutil.GetJoinCommand(kubeConfigFile, internalcfg.BootstrapTokens[0].Token.String(), key, skipTokenPrint, uploadCerts)
+		skipCertificateKeyPrint := false
+		joinCommand, err := cmdutil.GetJoinCommand(kubeConfigFile, internalcfg.BootstrapTokens[0].Token.String(), key, skipTokenPrint, uploadCerts, skipCertificateKeyPrint)
 		if err != nil {
 			return errors.Wrap(err, "failed to get join command")
 		}

cmd/kubeadm/app/cmd/util/join.go

@@ -30,12 +30,19 @@ import (
 )
 
 var joinCommandTemplate = template.Must(template.New("join").Parse(`` +
-	`kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`,
+	`{{if .UploadCerts}}You can now join any number of control-plane node running the following command on each as a root:{{else}}You can now join any number of control-plane node by copying the required certificate authorities on each node and then running the following as root:{{end}}
+	kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}} --experimental-control-plane {{if .UploadCerts}}--certificate-key {{.CertificateKey}}
+
+  Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
+  As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use kubeadm init phase upload-certs to reload certs afterward.{{end}}
+	
+  Then you can join any number of worker nodes by running the following on each as root:
+	kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}`,
 ))
 
 // GetJoinCommand returns the kubeadm join command for a given token and
 // and Kubernetes cluster (the current cluster in the kubeconfig file)
-func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCerts bool) (string, error) {
+func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCerts, skipCertificateKeyPrint bool) (string, error) {
 	// load the kubeconfig file to get the CA certificate and endpoint
 	config, err := clientcmd.LoadFromFile(kubeConfigFile)
 	if err != nil {
@@ -81,6 +88,9 @@ func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCer
 	if skipTokenPrint {
 		ctx["Token"] = template.HTML("<value withheld>")
 	}
+	if skipCertificateKeyPrint {
+		ctx["CertificateKey"] = template.HTML("<value withheld>")
+	}
 
 	var out bytes.Buffer
 	err = joinCommandTemplate.Execute(&out, ctx)