17 package options
18
19 import (
20 "fmt"
21
22 "github.com/spf13/pflag"
23
24 csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
25 )
26
27
// CSRSigningControllerOptions holds the command-line options of the CSR
// signing controller.
//
// The methods below (AddFlags, ApplyTo, Validate) tolerate a nil receiver, but
// none of them checks the embedded configuration pointer before dereferencing
// it, so it must be populated before any of them is called.
type CSRSigningControllerOptions struct {
	*csrsigningconfig.CSRSigningControllerConfiguration
}
31
32
// AddFlags registers the CSR signing controller flags on fs, seeded with the
// current option values as defaults.
//
// Registration order is fixed: the legacy --cluster-signing-{cert,key}-file
// pair first, then one cert/key flag pair per signer, then the signing
// duration. The mutual exclusion stated in the help text is not enforced here;
// Validate reports it.
func (o *CSRSigningControllerOptions) AddFlags(fs *pflag.FlagSet) {
	if o == nil {
		return
	}

	// One entry per signer that can be given its own CA pair. cfg points into
	// the receiver so the flags bind directly to the option fields.
	perSigner := []struct {
		cfg                 *csrsigningconfig.CSRSigningConfiguration
		certFlag, certUsage string
		keyFlag, keyUsage   string
	}{
		{
			cfg:       &o.KubeletServingSignerConfiguration,
			certFlag:  "cluster-signing-kubelet-serving-cert-file",
			certUsage: "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
			keyFlag:   "cluster-signing-kubelet-serving-key-file",
			keyUsage:  "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
		},
		{
			cfg:       &o.KubeletClientSignerConfiguration,
			certFlag:  "cluster-signing-kubelet-client-cert-file",
			certUsage: "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
			keyFlag:   "cluster-signing-kubelet-client-key-file",
			keyUsage:  "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
		},
		{
			cfg:       &o.KubeAPIServerClientSignerConfiguration,
			certFlag:  "cluster-signing-kube-apiserver-client-cert-file",
			certUsage: "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
			keyFlag:   "cluster-signing-kube-apiserver-client-key-file",
			keyUsage:  "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
		},
		{
			cfg:       &o.LegacyUnknownSignerConfiguration,
			certFlag:  "cluster-signing-legacy-unknown-cert-file",
			certUsage: "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
			keyFlag:   "cluster-signing-legacy-unknown-key-file",
			keyUsage:  "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.",
		},
	}

	// Legacy single CA pair.
	fs.StringVar(&o.ClusterSigningCertFile, "cluster-signing-cert-file", o.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.")
	fs.StringVar(&o.ClusterSigningKeyFile, "cluster-signing-key-file", o.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.")

	// Per-signer CA pairs, cert flag before key flag for each signer.
	for _, s := range perSigner {
		fs.StringVar(&s.cfg.CertFile, s.certFlag, s.cfg.CertFile, s.certUsage)
		fs.StringVar(&s.cfg.KeyFile, s.keyFlag, s.cfg.KeyFile, s.keyUsage)
	}

	// Upper bound on the lifetime of issued certificates.
	fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.")
}
50
51
// ApplyTo copies every CSR signing option into cfg, overwriting the matching
// fields of cfg unconditionally. A nil receiver is a no-op; cfg itself is not
// nil-checked. The embedded configuration pointer is dereferenced without a
// check and must be set. The returned error is always nil.
func (o *CSRSigningControllerOptions) ApplyTo(cfg *csrsigningconfig.CSRSigningControllerConfiguration) error {
	if o == nil {
		return nil
	}

	src := o.CSRSigningControllerConfiguration

	// The single --cluster-signing-{cert,key}-file pair.
	cfg.ClusterSigningCertFile = src.ClusterSigningCertFile
	cfg.ClusterSigningKeyFile = src.ClusterSigningKeyFile

	// Per-signer CA pairs (each is a value, so this is a copy, not an alias).
	cfg.KubeletServingSignerConfiguration = src.KubeletServingSignerConfiguration
	cfg.KubeletClientSignerConfiguration = src.KubeletClientSignerConfiguration
	cfg.KubeAPIServerClientSignerConfiguration = src.KubeAPIServerClientSignerConfiguration
	cfg.LegacyUnknownSignerConfiguration = src.LegacyUnknownSignerConfiguration

	// Maximum lifetime granted to issued certificates.
	cfg.ClusterSigningDuration = src.ClusterSigningDuration

	return nil
}
67
68
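// Validate checks the CSR signing options for internal consistency and returns
// every problem found (an empty, non-nil slice when there is none; nil for a
// nil receiver).
//
// Two purely structural rules are enforced:
//   - each per-signer pair --cluster-signing-<signer>-{cert,key}-file must be
//     either fully set or fully unset;
//   - the legacy --cluster-signing-{cert,key}-file pair cannot be combined
//     with any per-signer file.
//
// Nothing here opens a file: existence, permissions, PEM parsing and whether
// the key matches the certificate are not verified at this stage (presumably
// those failures surface when the signer is constructed, outside this file).
//
// Each per-signer error is prefixed with the flag prefix the operator has to
// fix; the prefixes match the names registered in AddFlags (the kubelet-client
// and kube-apiserver-client signers were previously reported under the wrong
// prefix, which pointed operators at a different signer's flags).
func (o *CSRSigningControllerOptions) Validate() []error {
	if o == nil {
		return nil
	}

	errs := []error{}

	perSigner := []struct {
		flagPrefix string
		cfg        csrsigningconfig.CSRSigningConfiguration
	}{
		{"cluster-signing-kubelet-serving", o.KubeletServingSignerConfiguration},
		{"cluster-signing-kubelet-client", o.KubeletClientSignerConfiguration},
		{"cluster-signing-kube-apiserver-client", o.KubeAPIServerClientSignerConfiguration},
		{"cluster-signing-legacy-unknown", o.LegacyUnknownSignerConfiguration},
	}
	for _, s := range perSigner {
		if err := csrSigningFilesValid(s.cfg); err != nil {
			// %w keeps the underlying error reachable through errors.Is/As.
			errs = append(errs, fmt.Errorf("%q: %w", s.flagPrefix, err))
		}
	}

	legacyPairSet := len(o.ClusterSigningCertFile) > 0 || len(o.ClusterSigningKeyFile) > 0
	anySpecificFileSet := false
	for _, s := range perSigner {
		if len(s.cfg.CertFile) > 0 || len(s.cfg.KeyFile) > 0 {
			anySpecificFileSet = true
			break
		}
	}
	if legacyPairSet && anySpecificFileSet {
		errs = append(errs, fmt.Errorf("cannot specify --cluster-signing-{cert,key}-file and other --cluster-signing-*-file flags at the same time"))
	}

	return errs
}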
99
100
// csrSigningFilesValid reports whether a per-signer cert/key file pair is
// consistent: both set or both unset is valid; a lone key or a lone cert is
// an error. Only the presence of the file names is checked — the files are
// not opened, parsed, or matched against each other here.
func csrSigningFilesValid(config csrsigningconfig.CSRSigningConfiguration) error {
	hasCert := len(config.CertFile) > 0
	hasKey := len(config.KeyFile) > 0

	// Neither or both: the signer is either fully configured or fully absent.
	if hasCert == hasKey {
		return nil
	}
	if hasKey {
		return fmt.Errorf("cannot specify key without cert")
	}
	return fmt.Errorf("cannot specify cert without key")
}
115