k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kube-controller-manager/app/options/csrsigningcontroller.go (about) 1 /* 2 Copyright 2018 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package options 18 19 import ( 20 "fmt" 21 22 "github.com/spf13/pflag" 23 24 csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config" 25 ) 26 27 // CSRSigningControllerOptions holds the CSRSigningController options. 28 type CSRSigningControllerOptions struct { 29 *csrsigningconfig.CSRSigningControllerConfiguration 30 } 31 32 // AddFlags adds flags related to CSRSigningController for controller manager to the specified FlagSet. 33 func (o *CSRSigningControllerOptions) AddFlags(fs *pflag.FlagSet) { 34 if o == nil { 35 return 36 } 37 38 fs.StringVar(&o.ClusterSigningCertFile, "cluster-signing-cert-file", o.ClusterSigningCertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.") 39 fs.StringVar(&o.ClusterSigningKeyFile, "cluster-signing-key-file", o.ClusterSigningKeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign cluster-scoped certificates. If specified, no more specific --cluster-signing-* flag may be specified.") 40 fs.StringVar(&o.KubeletServingSignerConfiguration.CertFile, "cluster-signing-kubelet-serving-cert-file", o.KubeletServingSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 41 fs.StringVar(&o.KubeletServingSignerConfiguration.KeyFile, "cluster-signing-kubelet-serving-key-file", o.KubeletServingSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kubelet-serving signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 42 fs.StringVar(&o.KubeletClientSignerConfiguration.CertFile, "cluster-signing-kubelet-client-cert-file", o.KubeletClientSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 43 fs.StringVar(&o.KubeletClientSignerConfiguration.KeyFile, "cluster-signing-kubelet-client-key-file", o.KubeletClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client-kubelet signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 44 fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.CertFile, "cluster-signing-kube-apiserver-client-cert-file", o.KubeAPIServerClientSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 45 fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.KeyFile, "cluster-signing-kube-apiserver-client-key-file", o.KubeAPIServerClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 46 fs.StringVar(&o.LegacyUnknownSignerConfiguration.CertFile, "cluster-signing-legacy-unknown-cert-file", o.LegacyUnknownSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 47 fs.StringVar(&o.LegacyUnknownSignerConfiguration.KeyFile, "cluster-signing-legacy-unknown-key-file", o.LegacyUnknownSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.") 48 fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.") 49 } 50 51 // ApplyTo fills up CSRSigningController config with options. 52 func (o *CSRSigningControllerOptions) ApplyTo(cfg *csrsigningconfig.CSRSigningControllerConfiguration) error { 53 if o == nil { 54 return nil 55 } 56 57 cfg.ClusterSigningCertFile = o.ClusterSigningCertFile 58 cfg.ClusterSigningKeyFile = o.ClusterSigningKeyFile 59 cfg.KubeletServingSignerConfiguration = o.KubeletServingSignerConfiguration 60 cfg.KubeletClientSignerConfiguration = o.KubeletClientSignerConfiguration 61 cfg.KubeAPIServerClientSignerConfiguration = o.KubeAPIServerClientSignerConfiguration 62 cfg.LegacyUnknownSignerConfiguration = o.LegacyUnknownSignerConfiguration 63 cfg.ClusterSigningDuration = o.ClusterSigningDuration 64 65 return nil 66 } 67 68 // Validate checks validation of CSRSigningControllerOptions. 69 func (o *CSRSigningControllerOptions) Validate() []error { 70 if o == nil { 71 return nil 72 } 73 74 errs := []error{} 75 if err := csrSigningFilesValid(o.KubeletServingSignerConfiguration); err != nil { 76 errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kubelet-serving", err)) 77 } 78 if err := csrSigningFilesValid(o.KubeletClientSignerConfiguration); err != nil { 79 errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kube-apiserver-client", err)) 80 } 81 if err := csrSigningFilesValid(o.KubeAPIServerClientSignerConfiguration); err != nil { 82 errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-kube-apiserver", err)) 83 } 84 if err := csrSigningFilesValid(o.LegacyUnknownSignerConfiguration); err != nil { 85 errs = append(errs, fmt.Errorf("%q: %v", "cluster-signing-legacy-unknown", err)) 86 } 87 88 singleSigningFile := len(o.ClusterSigningCertFile) > 0 || len(o.ClusterSigningKeyFile) > 0 89 anySpecificFilesSet := len(o.KubeletServingSignerConfiguration.CertFile) > 0 || len(o.KubeletServingSignerConfiguration.KeyFile) > 0 || 90 len(o.KubeletClientSignerConfiguration.CertFile) > 0 || len(o.KubeletClientSignerConfiguration.KeyFile) > 0 || 91 len(o.KubeAPIServerClientSignerConfiguration.CertFile) > 0 || len(o.KubeAPIServerClientSignerConfiguration.KeyFile) > 0 || 92 len(o.LegacyUnknownSignerConfiguration.CertFile) > 0 || len(o.LegacyUnknownSignerConfiguration.KeyFile) > 0 93 if singleSigningFile && anySpecificFilesSet { 94 errs = append(errs, fmt.Errorf("cannot specify --cluster-signing-{cert,key}-file and other --cluster-signing-*-file flags at the same time")) 95 } 96 97 return errs 98 } 99 100 // both must be specified or both must be empty 101 func csrSigningFilesValid(config csrsigningconfig.CSRSigningConfiguration) error { 102 switch { 103 case (len(config.CertFile) == 0) && (len(config.KeyFile) == 0): 104 return nil 105 case (len(config.CertFile) != 0) && (len(config.KeyFile) != 0): 106 return nil 107 case (len(config.CertFile) == 0) && (len(config.KeyFile) != 0): 108 return fmt.Errorf("cannot specify key without cert") 109 case (len(config.CertFile) != 0) && (len(config.KeyFile) == 0): 110 return fmt.Errorf("cannot specify cert without key") 111 } 112 113 return fmt.Errorf("math broke") 114 }