Rotate kubeconfig

bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
-  kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+  kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig
 algorithmSource:
   policy:
     configMap:

bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml

@@ -1,4 +1,4 @@
 apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
-  kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+  kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig

bindata/v3.11.0/kube-scheduler/kubeconfig-cm.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: scheduler-kubeconfig
+  namespace: openshift-kube-scheduler
+data:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+      - cluster:
+          certificate-authority: /etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt
+          server: https://localhost:6443
+        name: loopback
+    contexts:
+      - context:
+          cluster: loopback
+          user: kube-scheduler
+        name: kube-scheduler
+    current-context: kube-scheduler
+    kind: Config
+    preferences: {}
+    users:
+      - name: kube-scheduler
+        user:
+          client-certificate: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.crt
+          client-key: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.key

bindata/v3.11.0/kube-scheduler/leader-election-rolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: kube-system
+  name: system:openshift:leader-locking-kube-scheduler
+roleRef:
+  kind: Role
+  name: system::leader-locking-kube-scheduler
+subjects:
+  - kind: User
+    name: system:kube-scheduler

pkg/operator/resourcesynccontroller/resourcesynccontroller.go

@@ -27,5 +27,11 @@ func NewResourceSyncController(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "policy-configmap"}); err != nil {
 		return nil, err
 	}
+	if err := resourceSyncController.SyncSecret(
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-scheduler-client-cert-key"},
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-scheduler-client-cert-key"},
+	); err != nil {
+		return nil, err
+	}
 	return resourceSyncController, nil
 }

pkg/operator/starter.go

@@ -153,11 +153,14 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 // the first element should be the configmap that contains the static pod manifest
 var deploymentConfigMaps = []revision.RevisionResource{
 	{Name: "kube-scheduler-pod"},
+
 	{Name: "config"},
+	{Name: "scheduler-kubeconfig"},
+	{Name: "serviceaccount-ca"},
 	{Name: "policy-configmap", Optional: true},
 }
 
 // deploymentSecrets is a list of secrets that are directly copied for the current values.  A different actor/controller modifies these.
 var deploymentSecrets = []revision.RevisionResource{
-	{Name: "scheduler-kubeconfig"},
+	{Name: "kube-scheduler-client-cert-key"},
 }

pkg/operator/target_config_reconciler_v311_00.go

@@ -17,6 +17,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 )
 
@@ -28,6 +29,8 @@ func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, re
 
 	directResourceResults := resourceapply.ApplyDirectly(c.kubeClient, c.eventRecorder, v311_00_assets.Asset,
 		"v3.11.0/kube-scheduler/ns.yaml",
+		"v3.11.0/kube-scheduler/kubeconfig-cm.yaml",
+		"v3.11.0/kube-scheduler/leader-election-rolebinding.yaml",
 		"v3.11.0/kube-scheduler/scheduler-clusterrolebinding.yaml",
 		"v3.11.0/kube-scheduler/svc.yaml",
 		"v3.11.0/kube-scheduler/sa.yaml",
@@ -41,6 +44,10 @@ func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, re
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap", err))
 	}
+	_, _, err = manageServiceAccountCABundle(c.configMapLister, c.kubeClient.CoreV1(), recorder)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/serviceaccount-ca", err))
+	}
 	_, _, err = managePod_v311_00_to_latest(c.kubeClient.CoreV1(), recorder, operatorConfig, c.targetImagePullSpec)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-scheduler-pod", err))
@@ -130,3 +137,19 @@ func managePod_v311_00_to_latest(client coreclientv1.ConfigMapsGetter, recorder
 	configMap.Data["version"] = version.Get().String()
 	return resourceapply.ApplyConfigMap(client, recorder, configMap)
 }
+
+func manageServiceAccountCABundle(lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+	requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "serviceaccount-ca"},
+		lister, client, recorder,
+		// include the ca bundle needed to recognize the server
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-server-ca"},
+		// include the ca bundle needed to recognize default
+		// certificates generated by cluster-ingress-operator
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "router-ca"},
+	)
+	if err != nil {
+		return nil, false, err
+	}
+	return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
+}