Create controller CA ConfigMap in the controller deployement Namespace

No more use the fixed "kube-system" Namespace for the CA ConfigMap.
Also updated the deployment YAML and docs/securing-control-plane.md
about the descriptions about CA ConfigMap and TLS Secret Namespace.

Fixes: antrea-io#876

build/yamls/antrea-eks.yml

@@ -428,17 +428,19 @@ data:
     #enablePrometheusMetrics: false
 
     # Indicates whether to use auto-generated self-signed TLS certificate.
-    # If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+    # If false, A secret named "antrea-controller-tls" must be provided with the following keys:
     #   ca.crt: <CA certificate>
     #   tls.crt: <TLS certificate>
     #   tls.key: <TLS private key>
+    # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+    # antrea-controller container.
     #selfSignedCert: true
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2k49hdb86m
+  name: antrea-config-tt676t229h
   namespace: kube-system
 ---
 apiVersion: v1
@@ -543,7 +545,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2k49hdb86m
+          name: antrea-config-tt676t229h
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -757,7 +759,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-2k49hdb86m
+          name: antrea-config-tt676t229h
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -428,17 +428,19 @@ data:
     #enablePrometheusMetrics: false
 
     # Indicates whether to use auto-generated self-signed TLS certificate.
-    # If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+    # If false, A secret named "antrea-controller-tls" must be provided with the following keys:
     #   ca.crt: <CA certificate>
     #   tls.crt: <TLS certificate>
     #   tls.key: <TLS private key>
+    # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+    # antrea-controller container.
     #selfSignedCert: true
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-cfhgb2tt48
+  name: antrea-config-f256f62f68
   namespace: kube-system
 ---
 apiVersion: v1
@@ -543,7 +545,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-cfhgb2tt48
+          name: antrea-config-f256f62f68
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -755,7 +757,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-cfhgb2tt48
+          name: antrea-config-f256f62f68
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -428,17 +428,19 @@ data:
     #enablePrometheusMetrics: false
 
     # Indicates whether to use auto-generated self-signed TLS certificate.
-    # If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+    # If false, A secret named "antrea-controller-tls" must be provided with the following keys:
     #   ca.crt: <CA certificate>
     #   tls.crt: <TLS certificate>
     #   tls.key: <TLS private key>
+    # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+    # antrea-controller container.
     #selfSignedCert: true
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-57kg4gbmk6
+  name: antrea-config-tdfc4k5cb7
   namespace: kube-system
 ---
 apiVersion: v1
@@ -552,7 +554,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-57kg4gbmk6
+          name: antrea-config-tdfc4k5cb7
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -799,7 +801,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-57kg4gbmk6
+          name: antrea-config-tdfc4k5cb7
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -428,17 +428,19 @@ data:
     #enablePrometheusMetrics: false
 
     # Indicates whether to use auto-generated self-signed TLS certificate.
-    # If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+    # If false, A secret named "antrea-controller-tls" must be provided with the following keys:
     #   ca.crt: <CA certificate>
     #   tls.crt: <TLS certificate>
     #   tls.key: <TLS private key>
+    # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+    # antrea-controller container.
     #selfSignedCert: true
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-cd7tt4t2f8
+  name: antrea-config-f64gkf79gm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -543,7 +545,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-cd7tt4t2f8
+          name: antrea-config-f64gkf79gm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -755,7 +757,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-cd7tt4t2f8
+          name: antrea-config-f64gkf79gm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-controller.conf

@@ -10,8 +10,10 @@
 #enablePrometheusMetrics: false
 
 # Indicates whether to use auto-generated self-signed TLS certificate.
-# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+# If false, A secret named "antrea-controller-tls" must be provided with the following keys:
 #   ca.crt: <CA certificate>
 #   tls.crt: <TLS certificate>
 #   tls.key: <TLS private key>
+# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+# antrea-controller container.
 #selfSignedCert: true

cmd/antrea-controller/config.go

@@ -31,10 +31,12 @@ type ControllerConfig struct {
 	// Defaults to false.
 	EnablePrometheusMetrics bool `yaml:"enablePrometheusMetrics,omitempty"`
 	// Indicates whether to use auto-generated self-signed TLS certificate.
-	// If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+	// If false, A secret named "antrea-controller-tls" must be provided with the following keys:
 	//   ca.crt: <CA certificate>
 	//   tls.crt: <TLS certificate>
 	//   tls.key: <TLS private key>
 	// Defaults to true.
+	// And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+	// antrea-controller container.
 	SelfSignedCert bool `yaml:"selfSignedCert,omitempty"`
 }

docs/configuration.md

@@ -92,11 +92,13 @@ clientConnection:
 #apiPort: 10349
 
 # Indicates whether to use auto-generated self-signed TLS certificate.
-# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
+# If false, A secret named "antrea-controller-tls" must be provided with the following keys:
 #   ca.crt: <CA certificate>
 #   tls.crt: <TLS certificate>
 #   tls.key: <TLS private key>
 #selfSignedCert: true
+# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+# antrea-controller container.
 ```
 
 ## CNI configuration

docs/securing-control-plane.md

@@ -33,20 +33,23 @@ for client authentication.
 By default, antrea-controller generates a self-signed certificate. You can
 override the behavior by [providing your own certificates](#providing-your-own-certificates).
 Either way, the antrea-controller will distribute the CA certificate as a
-ConfigMap named `antrea-ca` in the `kube-system` Namespace and inject it into
-the APIServices resources created by Antrea in order to allow its clients (i.e.
-antrea-agent, kube-apiserver) to perform authentication.
+ConfigMap named `antrea-ca` in the antrea-controller's Namespace and inject it
+into the APIServices resources created by Antrea in order to allow its clients
+(i.e. antrea-agent, kube-apiserver) to perform authentication.
 
 Typically, clients that wish to access the antrea-controller API can
 authenticate the server by validating against the CA certificate published in
-the `kube-system/antrea-ca` ConfigMap.
+the `antrea-ca` ConfigMap.
 
 ## Providing your own certificates
 
 Since Antrea v0.7.0, you can provide your own certificates to Antrea. To do so,
 you must set the `selfSignedCert` field of `antrea-controller.conf` to `false`,
 so that the antrea-controller will read the certificate key pair from the
-`kube-system/antrea-controller-tls` Secret.
+`antrea-controller-tls` Secret. The example manifests and descriptions below
+assume Antrea is deployed in the `kube-system` Namespace. If you deploy Antrea
+in a different Namepace, please update the Namespace name in the manifests
+accordingly.
 
 ```yaml
 apiVersion: v1
@@ -77,8 +80,8 @@ DNS names:
 **Note: It assumes you are using `cluster.local` as the cluster domain, you
 should replace it with the actual one of your Kubernetes cluster.**
 
-You can then create the `kube-system/antrea-controller-tls` Secret with the
-certificate key pair and the CA certificate in the following form:
+You can then create the `antrea-controller-tls` Secret with the certificate key
+pair and the CA certificate in the following form:
 ```yaml
 apiVersion: v1
 kind: Secret
@@ -147,7 +150,7 @@ to the antrea-controller Pod if the Pod starts before the Secret is created.**
 ## Certificate rotation
 
 Antrea v0.7.0 and higher supports certificate rotation. It can be achieved by
-simply updating the `kube-system/antrea-controller-tls` Secret. The
+simply updating the `antrea-controller-tls` Secret. The
 antrea-controller will react to the change, updating its serving certificate and
 re-distributing the latest CA certificate (if applicable).
 

pkg/agent/client.go

@@ -54,7 +54,12 @@ func NewAntreaClientProvider(config config.ClientConnectionConfiguration, kubeCl
 	// The key "ca.crt" may not exist at the beginning, no need to fail as the CA provider will watch the ConfigMap
 	// and notify antreaClientProvider of any update. The consumers of antreaClientProvider are supposed to always
 	// call GetAntreaClient() to get a client and not cache it.
-	antreaCAProvider, _ := dynamiccertificates.NewDynamicCAFromConfigMapController("antrea-ca", cert.CAConfigMapNamespace, cert.CAConfigMapName, cert.CAConfigMapKey, kubeClient)
+	antreaCAProvider, _ := dynamiccertificates.NewDynamicCAFromConfigMapController(
+		"antrea-ca",
+		cert.GetCAConfigMapNamespace(),
+		cert.CAConfigMapName,
+		cert.CAConfigMapKey,
+		kubeClient)
 	antreaClientProvider := &antreaClientProvider{
 		config:            config,
 		caContentProvider: antreaCAProvider,

pkg/apiserver/certificate/cacert_controller.go

@@ -27,17 +27,21 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog"
 	"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
+
+	"github.com/vmware-tanzu/antrea/pkg/util/env"
 )
 
 const (
-	// The namespace and name of the ConfigMap that will hold the CA certificate
-	// that signs the TLS certificate of antrea-controller.
-	CAConfigMapNamespace = "kube-system"
-	CAConfigMapName      = "antrea-ca"
-	CAConfigMapKey       = "ca.crt"
+	// Name of the ConfigMap that will hold the CA certificate that signs the TLS
+	// certificate of antrea-controller.
+	CAConfigMapName = "antrea-ca"
+	CAConfigMapKey  = "ca.crt"
 )
 
 var (
+	// Use the Antrea Pod Namespace for the CA cert ConfigMap.
+	caConfigMapNamespace = GetCAConfigMapNamespace()
+
 	// apiServiceNames contains all the APIServices backed by antrea-controller.
 	apiServiceNames = []string{
 		"v1beta1.networking.antrea.tanzu.vmware.com",
@@ -59,6 +63,16 @@ type CACertController struct {
 
 var _ dynamiccertificates.Listener = &CACertController{}
 
+func GetCAConfigMapNamespace() string {
+	namespace := env.GetPodNamespace()
+	if namespace != "" {
+		return namespace
+	}
+
+	klog.Warning("Failed to get Pod Namespace from environment. Use \"kube-system\" as the CA ConfigMap Namespace")
+	return "kube-system"
+}
+
 func newCACertController(caContentProvider dynamiccertificates.CAContentProvider,
 	client kubernetes.Interface,
 	aggregatorClient clientset.Interface,
@@ -116,7 +130,7 @@ func (c *CACertController) syncAPIServices(caCert []byte) error {
 // syncConfigMap updates the ConfigMap that holds the CA bundle, which will be read by API clients, e.g. antrea-agent.
 func (c *CACertController) syncConfigMap(caCert []byte) error {
 	klog.Info("Syncing CA certificate with ConfigMap")
-	caConfigMap, err := c.client.CoreV1().ConfigMaps(CAConfigMapNamespace).Get(context.TODO(), CAConfigMapName, v1.GetOptions{})
+	caConfigMap, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Get(context.TODO(), CAConfigMapName, v1.GetOptions{})
 	if err != nil {
 		return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
 	}
@@ -126,7 +140,7 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
 	caConfigMap.Data = map[string]string{
 		CAConfigMapKey: string(caCert),
 	}
-	if _, err := c.client.CoreV1().ConfigMaps(CAConfigMapNamespace).Update(context.TODO(), caConfigMap, v1.UpdateOptions{}); err != nil {
+	if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, v1.UpdateOptions{}); err != nil {
 		return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
 	}
 	return nil

pkg/apiserver/certificate/certificate.go

@@ -35,18 +35,15 @@ var (
 	// certReadyTimeout is the timeout we will wait for the TLS Secret being ready. Declaring it as a variable for testing.
 	certReadyTimeout = 2 * time.Minute
 	// The DNS names that the TLS certificate will be signed with.
-	// TODO: Although antrea-agent and kube-aggregator only verify the server name "antrea.kube-system.svc",
-	// We should add the whole FQDN "antrea.kube-system.svc.<Cluster Domain>" as an alternate DNS name when
+	// TODO: Although antrea-agent and kube-aggregator only verify the server name "antrea.<Namespace>.svc",
+	// We should add the whole FQDN "antrea.<Namespace>.svc.<Cluster Domain>" as an alternate DNS name when
 	// other clients need to access it directly with that name.
 	AntreaServerNames = []string{
 		"antrea.kube-system.svc",
 	}
 )
 
 const (
-	// The namespace and name of the Secret that holds user-provided TLS certificate.
-	TLSSecretNamespace = "kube-system"
-	TLSSecretName      = "antrea-controller-tls"
 	// The names of the files that should contain the CA certificate and the TLS key pair.
 	CACertFile  = "ca.crt"
 	TLSCertFile = "tls.crt"
@@ -87,7 +84,7 @@ func ApplyServerCert(selfSignedCert bool, client kubernetes.Interface, aggregato
 			}
 			return true, nil
 		}); err != nil {
-			return nil, fmt.Errorf("error reading TLS certificate and/or key. Please make sure the Secret '%s' is present and has '%s', '%s', and '%s' when selfSignedCert is set to false", TLSSecretName, CACertFile, TLSCertFile, TLSKeyFile)
+			return nil, fmt.Errorf("error reading TLS certificate and/or key. Please make sure the TLS CA (%s), cert (%s), and key (%s) files are provided when selfSignedCert is set to false", CACertFile, TLSCertFile, TLSKeyFile)
 		}
 		// Since 1.17.0 (https://github.com/kubernetes/kubernetes/commit/3f5fbfbfac281f40c11de2f57d58cc332affc37b),
 		// apiserver reloads certificate cert and key file from disk every minute, allowing serving tls config to be updated.