From d91861e883aa4691afe1a1430845f1d5191d017f Mon Sep 17 00:00:00 2001 From: Ed Bartosh Date: Wed, 9 Jan 2019 15:44:25 +0200 Subject: [PATCH] kubeadm: add front-proxy CA certificate to selfhosting controller-manager Selfhosting pivoting fails when using --store-certs-in-secrets as controller-manager fails to start because of missing front-proxy CA certificate: unable to load client CA file: unable to load client CA file: open /etc/kubernetes/pki/front-proxy-ca.crt: no such file or directory Added required certificate to fix this. This should fix kubernetes/kubeadm#1281 --- .../app/phases/selfhosting/selfhosting_test.go | 2 ++ .../app/phases/selfhosting/selfhosting_volumes.go | 13 +++++++++++++ 2 files changed, 15 insertions(+)
diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
index c7ab648cf2..71ebb95f1f 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
@@ -225,6 +225,7 @@ spec:
 - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
 - --bind-address=127.0.0.1
 - --use-service-account-credentials=true
+ - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
 image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
 livenessProbe:
 failureThreshold: 8
@@ -300,6 +301,7 @@ spec:
 - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
 - --bind-address=127.0.0.1
 - --use-service-account-credentials=true
+ - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
 image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
 livenessProbe:
 failureThreshold: 8
diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
index d685b39fc8..91ffa338ee 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@@ -202,6 +202,19 @@ func controllerManagerCertificatesVolumeSource() v1.VolumeSource {
 },
 },
 },
+ {
+ Secret: &v1.SecretProjection{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
+ },
+ Items: []v1.KeyToPath{
+ {
+ Key: v1.TLSCertKey,
+ Path: kubeadmconstants.FrontProxyCACertName,
+ },
+ },
+ },
+ },
 },
 },
 }
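Review bot: The secret projection added to controllerManagerCertificatesVolumeSource has no comment recording that mapping only `v1.TLSCertKey` is deliberate. The source secret is named by `FrontProxyCACertAndKeyBaseName`, which by its name holds the CA private key as well, so I would add `// Project only the certificate; the front-proxy CA private key must never be mounted into the controller-manager pod.` above the `Items` list to stop a later edit from adding `v1.TLSPrivateKeyKey`. The projection also leaves `Optional` unset, so the pod will not start if that secret is absent; presumably the secrets upload step always creates it, but that code is outside this patch and worth confirming. The function body starts before the hunk.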