add check-endpoints-kubeconfig

openshift · Aug 12, 2020 · 55092ca · 55092ca
1 parent 57a1aa9
commit 55092ca
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 0 deletions.
diff --git a/bindata/v4.1.0/kube-apiserver/check-endpoints-kubeconfig-cm.yaml b/bindata/v4.1.0/kube-apiserver/check-endpoints-kubeconfig-cm.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: check-endpoints-kubeconfig
+  namespace: openshift-kube-apiserver
+data:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+      - cluster:
+          certificate-authority: /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-server-ca/ca-bundle.crt
+          server: https://localhost:6443
+        name: loopback
+    contexts:
+      - context:
+          cluster: loopback
+          user: check-endpoints
+        name: check-endpoints
+    current-context: check-endpoints
+    kind: Config
+    preferences: {}
+    users:
+      - name: check-endpoints
+        user:
+          client-certificate: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt
+          client-key: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key
diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -529,6 +529,46 @@ func newCertRotationController(
 	)
 	ret.certRotators = append(ret.certRotators, certRotator)
 
+	certRotator = certrotation.NewCertRotationController(
+		"CheckEndpointsClient",
+		certrotation.SigningRotation{
+			Namespace:              operatorclient.OperatorNamespace,
+			Name:                   "check-endpoints-signer",
+			Validity:               60 * defaultRotationDay,
+			Refresh:                30 * defaultRotationDay,
+			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
+			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
+			Client:                 kubeClient.CoreV1(),
+			EventRecorder:          eventRecorder,
+		},
+		certrotation.CABundleRotation{
+			Namespace:     operatorclient.OperatorNamespace,
+			Name:          "check-endpoints-signer-ca",
+			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+			Client:        kubeClient.CoreV1(),
+			EventRecorder: eventRecorder,
+		},
+		certrotation.TargetRotation{
+			Namespace:              operatorclient.TargetNamespace,
+			Name:                   "check-endpoints-client-cert-key",
+			Validity:               30 * rotationDay,
+			Refresh:                15 * rotationDay,
+			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+			CertCreator: &certrotation.ClientRotation{
+				UserInfo: &user.DefaultInfo{Name: "system:check-endpoints"},
+			},
+			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets(),
+			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Lister(),
+			Client:        kubeClient.CoreV1(),
+			EventRecorder: eventRecorder,
+		},
+		operatorClient,
+		eventRecorder,
+	)
+	ret.certRotators = append(ret.certRotators, certRotator)
+
 	return ret, nil
 }
 

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -123,6 +123,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 			"v4.1.0/kube-apiserver/ns.yaml",
 			"v4.1.0/kube-apiserver/svc.yaml",
 			"v4.1.0/kube-apiserver/kubeconfig-cm.yaml",
+			"v4.1.0/kube-apiserver/check-endpoints-kubeconfig-cm.yaml",
 			"v4.1.0/kube-apiserver/control-plane-node-kubeconfig-cm.yaml",
 			"v4.1.0/kube-apiserver/localhost-recovery-client-crb.yaml",
 			"v4.1.0/kube-apiserver/localhost-recovery-sa.yaml",
@@ -357,6 +358,9 @@ var CertConfigMaps = []revision.RevisionResource{
 
 	// kubeconfig that is a system:master.  this ensures a stable location
 	{Name: "control-plane-node-kubeconfig"},
+
+	// kubeconfig for check-endpoints
+	{Name: "check-endpoints-kubeconfig"},
 }
 
 var CertSecrets = []revision.RevisionResource{
@@ -367,6 +371,7 @@ var CertSecrets = []revision.RevisionResource{
 	{Name: "internal-loadbalancer-serving-certkey"},
 	{Name: "bound-service-account-signing-key"},
 	{Name: "control-plane-node-admin-client-cert-key"},
+	{Name: "check-endpoints-client-cert-key"},
 
 	{Name: "user-serving-cert", Optional: true},
 	{Name: "user-serving-cert-000", Optional: true},

diff --git a/pkg/operator/v410_00_assets/bindata.go b/pkg/operator/v410_00_assets/bindata.go