kubeadm: add front-proxy CA certificate to selfhosting controller-manager

Selfhosting pivoting fails when using --store-certs-in-secrets as controller-manager fails to start because of missing front-proxy CA certificate: unable to load client CA file: unable to load client CA file: open /etc/kubernetes/pki/front-proxy-ca.crt: no such file or directory Added required certificate to fix this. This should fix kubernetes/kubeadm#1281
2019-01-09 15:44:25 +02:00 · 2019-01-09 15:44:25 +02:00 · d91861e883
parent bf56c7be42
commit d91861e883
2 changed files with 15 additions and 0 deletions
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
@ -225,6 +225,7 @@ spec:
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --bind-address=127.0.0.1
    - --use-service-account-credentials=true
+    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
    livenessProbe:
      failureThreshold: 8
@ -300,6 +301,7 @@ spec:
        - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
        - --bind-address=127.0.0.1
        - --use-service-account-credentials=true
+        - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
        image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
        livenessProbe:
          failureThreshold: 8
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@ -202,6 +202,19 @@ func controllerManagerCertificatesVolumeSource() v1.VolumeSource {
 						},
 					},
 				},
+				{
+					Secret: &v1.SecretProjection{
+						LocalObjectReference: v1.LocalObjectReference{
+							Name: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
+						},
+						Items: []v1.KeyToPath{
+							{
+								Key:  v1.TLSCertKey,
+								Path: kubeadmconstants.FrontProxyCACertName,
+							},
+						},
+					},
+				},
 			},
 		},
 	}