From 513994a9f8a4be1c4552656db852cc960c1c6a5f Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 20 Jan 2017 11:06:06 -0800
Subject: [PATCH] pass CA key to signer in GCE

---
 cluster/common.sh                   | 2 ++
 cluster/gce/gci/configure-helper.sh | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/cluster/common.sh b/cluster/common.sh
index 593d27f944..0d66096707 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -586,6 +586,7 @@ function build-kube-master-certs {
 KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
 KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
 KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
+CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-})
 EOF
 }
 
@@ -961,6 +962,7 @@ function create-certs {
   CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
   # By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
   # Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
+  CA_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/ca.key" | base64 | tr -d '\r\n')
   CA_CERT_BASE64=$(cat "${CERT_DIR}/pki/ca.crt" | base64 | tr -d '\r\n')
   MASTER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n')
   MASTER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n')
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index d91d7a47f1..98e210dd10 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
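Review bot: The new `CA_KEY:` entry places the cluster CA private key in the same YAML document as the serving certificates, and nothing in the hunk marks it as more sensitive than its neighbours; anyone who can read this document can mint a client certificate for any identity, which is effectively cluster-admin. A one-line YAML comment above the entry would make that explicit for whoever later widens access to the document, e.g. `# CA_KEY is the cluster CA private key: readable == able to sign arbitrary client certs.` Where this document ends up (instance metadata or elsewhere) is not visible here, so the access-control consequence is inferred from the function name rather than from the hunk. build-kube-master-certs's body starts outside the hunk.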
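Review bot: The new `CA_KEY_BASE64` assignment silently yields an empty string when `ca.key` is missing or unreadable: `cat` fails but the command substitution's status is that of `tr`, so nothing aborts the deployment and the signer downstream is just never configured. If the key is required, guard the read before the assignment, `[[ -r "${CERT_DIR}/pki/private/ca.key" ]] || { echo "create-certs: CA private key missing" >&2; return 1; }`; if an absent key is meant to disable signing, say so in a comment so the empty value is recognisably deliberate. This is also the first point at which the CA private key leaves the easy-rsa tree, so a short comment noting that it is exported alongside the master material is worth having. create-certs continues outside the hunk on both sides.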
@@ -215,6 +215,9 @@ function create-master-auth {
     echo "${MASTER_CERT}" | base64 --decode > "${auth_dir}/server.cert"
     echo "${MASTER_KEY}" | base64 --decode > "${auth_dir}/server.key"
   fi
+  if [[ ! -z "${CA_KEY:-}" ]]; then
+    echo "${CA_KEY}" | base64 --decode > "${auth_dir}/ca.key"
+  fi
   if [ ! -e "${auth_dir}/kubeapiserver.cert" ] && [[ ! -z "${KUBEAPISERVER_CERT:-}" ]] && [[ ! -z "${KUBEAPISERVER_KEY:-}" ]]; then
     echo "${KUBEAPISERVER_CERT}" | base64 --decode > "${auth_dir}/kubeapiserver.cert"
     echo "${KUBEAPISERVER_KEY}" | base64 --decode > "${auth_dir}/kubeapiserver.key"
@@ -971,6 +974,10 @@ function start-kube-controller-manager {
   if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
     params+=" --cluster-cidr=${CLUSTER_IP_RANGE}"
   fi
+  if [[ -n "${CA_KEY:-}" ]]; then
+    params+=" --cluster-signing-cert-file=/etc/srv/kubernetes/ca.crt"
+    params+=" --cluster-signing-key-file=/etc/srv/kubernetes/ca.key"
+  fi
   if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
     params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
   fi
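Review bot: `ca.key` is written with whatever mode the ambient umask gives and the hunk does not restrict it; for the cluster's signing key that should not be left to chance, so either wrap the write, `(umask 077; echo "${CA_KEY}" | base64 --decode > "${auth_dir}/ca.key")`, or follow it with `chmod 0600 "${auth_dir}/ca.key"`. The neighbouring `server.key` write has the same shape, so permissions may be tightened elsewhere for `${auth_dir}` as a whole — that is not visible here, please confirm. The write is also unconditional, unlike the `kubeapiserver.cert` block below that skips an existing file; if re-running create-master-auth must not replace a key already on disk, add the same `[ ! -e "${auth_dir}/ca.key" ]` guard. As a style point, `[[ ! -z` reads more naturally as `[[ -n`, which this file already uses in start-kube-controller-manager. create-master-auth's body extends past both ends of the hunk.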
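Review bot: The signing flags hard-code `/etc/srv/kubernetes/ca.crt` and `/etc/srv/kubernetes/ca.key` while create-master-auth writes the key to `${auth_dir}/ca.key`; the two locations share no definition, so if `auth_dir` is ever something else kube-controller-manager fails at startup with a missing key file. Gating on the file rather than on the `CA_KEY` variable ties the flags to what is actually on disk: `if [[ -f /etc/srv/kubernetes/ca.key ]]; then`. Whether `ca.crt` is placed at that path is also not shown in this hunk — presumably elsewhere in create-master-auth, worth confirming. As I understand the signer, once these flags are set every CSR that reaches the approved state is signed by the cluster CA, so whatever approves CSRs becomes security-critical; a one-line comment to that effect where the flags are added would help the next reader. The function body continues outside the hunk.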