Create a single CA for both client and server certs

The following test: "Certificates API [It] should support building a client with a CSR" fails with local-up-cluster, but works in the existing CI jobs. This is because the other CI jobs use a single CA cert while local-up-cluster can use 2 different sets of CA(s). We need a way to mimic the other CI jobs (or alternatively change everything to have separate CA's). Just updating local-up-cluster with a flag seems to be the easy route.
kubernetes · May 7, 2017 · 86881e7 · 86881e7
1 parent f44d3c0
commit 86881e7
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
@@ -443,8 +443,16 @@ function start_apiserver {
     fi
 
     # Create CA signers
-    kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
-    kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
+    if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
+        kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
+        sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
+        sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
+        sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
+    else
+        kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
+        kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
+    fi
+
     # Create auth proxy client ca
     kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'