diff --git a/pkg/kwokctl/components/kube_controller_manager.go b/pkg/kwokctl/components/kube_controller_manager.go
index 09535a972..570642936 100644
--- a/pkg/kwokctl/components/kube_controller_manager.go
+++ b/pkg/kwokctl/components/kube_controller_manager.go
@@ -41,6 +41,8 @@ type BuildKubeControllerManagerComponentConfig struct {
 CaCertPath string
 AdminCertPath string
 AdminKeyPath string
+ KubeControllerManagerCertPath string // Add field for kube-controller-manager specific cert
+ KubeControllerManagerKeyPath string
 KubeAuthorization bool
 KubeconfigPath string
 KubeFeatureGates string
@@ -89,13 +91,13 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 ReadOnly: true,
 },
 internalversion.Volume{
- HostPath: conf.AdminCertPath,
- MountPath: "/etc/kubernetes/pki/admin.crt",
+ HostPath: conf.KubeControllerManagerCertPath,
+ MountPath: "/etc/kubernetes/pki/kube-controller-manager.crt",
 ReadOnly: true,
 },
 internalversion.Volume{
- HostPath: conf.AdminKeyPath,
- MountPath: "/etc/kubernetes/pki/admin.key",
+ HostPath: conf.KubeControllerManagerKeyPath,
+ MountPath: "/etc/kubernetes/pki/kube-controller-manager.key",
 ReadOnly: true,
 },
 )
@@ -119,6 +121,8 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 "--bind-address="+conf.BindAddress,
 "--secure-port=10257",
+ "--tls-cert-file=/etc/kubernetes/pki/kube-controller-manager.crt", // Add argument for kube-controller-manager specific cert
+ "--tls-private-key-file=/etc/kubernetes/pki/kube-controller-manager.key", // Add argument for kube-controller-manager specific key
 )
 if conf.Port > 0 {
 ports = append(
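Review bot: The comment `// Add field for kube-controller-manager specific cert` on `KubeControllerManagerCertPath` narrates the commit instead of documenting the field, and `KubeControllerManagerKeyPath` has no comment at all; a Go field comment should say what the value is. Suggest `// KubeControllerManagerCertPath is the path of the certificate kube-controller-manager serves with (--tls-cert-file).` and a matching line for the key path. The same change-log style comments are attached to the new args in the next hunk of this file, to both metric blocks in the hunk at line 133, to the service-account lines in the hunk at line 197, and to the config literal in binary/cluster.go at line 488; they should be dropped or rewritten the same way.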
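Review bot: Removing the admin.crt/admin.key mounts assumes nothing else in the container reads them; if the kubeconfig at `conf.KubeconfigPath` references `/etc/kubernetes/pki/admin.crt` and `admin.key` by path instead of embedding them, the controller-manager can no longer authenticate to the apiserver, so that should be confirmed before merging. If the kubeconfig does embed the admin credentials, the controller-manager still talks to the apiserver as the admin identity and the new `system:kube-controller-manager` certificate is only used to serve the metrics port and to sign service-account tokens; a comment on these volumes stating which it is would save the next reader the same question. With the mounts gone, `AdminCertPath` and `AdminKeyPath` do not appear to be read anywhere in this function after the patch, so they may now be dead fields on `BuildKubeControllerManagerComponentConfig`. BuildKubeControllerManagerComponent starts and ends outside this hunk.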
@@ -133,21 +137,23 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 Scheme: "https",
 Host: conf.ProjectName + "-" + consts.ComponentKubeControllerManager + ":10257",
 Path: "/metrics",
- CertPath: "/etc/kubernetes/pki/admin.crt",
- KeyPath: "/etc/kubernetes/pki/admin.key",
+ CertPath: "/etc/kubernetes/pki/kube-controller-manager.crt", // Update metric to use kube-controller-manager specific cert
+ KeyPath: "/etc/kubernetes/pki/kube-controller-manager.key", // Update metric to use kube-controller-manager specific key
 InsecureSkipVerify: true,
 }
 } else {
 kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 "--bind-address="+conf.BindAddress,
 "--secure-port="+format.String(conf.Port),
+ "--tls-cert-file="+conf.KubeControllerManagerCertPath, // Add argument for kube-controller-manager specific cert
+ "--tls-private-key-file="+conf.KubeControllerManagerKeyPath, // Add argument for kube-controller-manager specific key
 )
 metric = &internalversion.ComponentMetric{
 Scheme: "https",
 Host: net.LocalAddress + ":" + format.String(conf.Port),
 Path: "/metrics",
- CertPath: conf.AdminCertPath,
- KeyPath: conf.AdminKeyPath,
+ CertPath: conf.KubeControllerManagerCertPath, // Update metric to use kube-controller-manager specific cert
+ KeyPath: conf.KubeControllerManagerKeyPath, // Update metric to use kube-controller-manager specific key
 InsecureSkipVerify: true,
 }
 }
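Review bot: Both metric blocks now hand the controller-manager's own serving certificate to the scraper as its client certificate (`CertPath`/`KeyPath`), so one private key both terminates TLS on the metrics port and authenticates the scrape against it. Whether `/metrics` is still authorized for that identity depends on the groups `GenerateSignCert` puts into the certificate and on the built-in RBAC for `system:kube-controller-manager`; admin.crt previously had broader rights, so this deserves an integration test. A dedicated scrape credential, or keeping the admin cert on the client side only, would keep the serving key and the client key separate. `InsecureSkipVerify: true` is left as-is even though the served certificate is now known and CA-signed; if `ComponentMetric` can carry a CA path and `DefaultAltNames` covers the `Host` values used here, verification could replace it. BuildKubeControllerManagerComponent continues outside this hunk.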
@@ -197,12 +203,12 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 if GetRuntimeMode(conf.Runtime) != RuntimeModeNative {
 kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 "--root-ca-file=/etc/kubernetes/pki/ca.crt",
- "--service-account-private-key-file=/etc/kubernetes/pki/admin.key",
+ "--service-account-private-key-file=/etc/kubernetes/pki/kube-controller-manager.key", // Update to use kube-controller-manager specific key
 )
 } else {
 kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 "--root-ca-file="+conf.CaCertPath,
- "--service-account-private-key-file="+conf.AdminKeyPath,
+ "--service-account-private-key-file="+conf.KubeControllerManagerKeyPath, // Update to use kube-controller-manager specific key
 )
 }
 }
diff --git a/pkg/kwokctl/pki/pki.go b/pkg/kwokctl/pki/pki.go
index c186e52aa..2d9f55990 100644
--- a/pkg/kwokctl/pki/pki.go
+++ b/pkg/kwokctl/pki/pki.go
@@ -23,6 +23,7 @@ import (
 "net"
 "time"
+ "sigs.k8s.io/kwok/pkg/apis/internalversion"
 "sigs.k8s.io/kwok/pkg/utils/slices"
 )
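Review bot: Switching `--service-account-private-key-file` to kube-controller-manager.key changes the key that signs service-account tokens, but nothing in this diff updates the kube-apiserver's `--service-account-key-file` (or `--service-account-signing-key-file`) to the matching key; if the apiserver still verifies against admin.key, tokens issued after this change fail validation and pods using service accounts cannot reach the API. Either keep `conf.AdminKeyPath` on these two lines until the apiserver component is changed in the same commit, or add the kube-controller-manager key to the apiserver's verification keys. This also makes a single key serve TLS and sign tokens; a separate service-account key, as kubeadm's sa.key does, limits what an exposure of either one affects. The enclosing function continues outside this hunk.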
@@ -74,6 +75,44 @@ func GeneratePki(pkiPath string, sans ...string) error {
 if err != nil {
 return fmt.Errorf("failed to write admin cert and key: %w", err)
 }
+
+ // Generate certificates for components
+ components := []internalversion.Component{
+ {
+ Name: "kube-controller-manager",
+ User: "system:kube-controller-manager",
+ Links: []string{},
+ Binary: "",
+ Image: "",
+ Command: []string{},
+ Args: []string{},
+ WorkDir: "",
+ Ports: []internalversion.Port{},
+ Envs: []internalversion.Env{},
+ Volumes: []internalversion.Volume{},
+ Metric: nil,
+ MetricsDiscovery: nil,
+ Version: "",
+ },
+ // Add other components here
+ }
+
+ for _, component := range components {
+ if component.Name == "kube-controller-manager" {
+ componentSANs := DefaultAltNames
+ if len(sans) != 0 {
+ componentSANs = append(componentSANs, sans...)
+ }
+ componentCert, componentKey, err := GenerateSignCert(component.User, caCert, caKey, notBefore, notAfter, DefaultGroups, componentSANs)
+ if err != nil {
+ return fmt.Errorf("failed to generate cert and key for %s: %w", component.Name, err)
+ }
+ err = WriteCertAndKey(pkiPath, component.Name, componentCert, componentKey)
+ if err != nil {
+ return fmt.Errorf("failed to write cert and key for %s: %w", component.Name, err)
+ }
+ }
+ }
 return nil
 }
diff --git a/pkg/kwokctl/runtime/binary/cluster.go b/pkg/kwokctl/runtime/binary/cluster.go
index 8ec255636..8e860372e 100644
--- a/pkg/kwokctl/runtime/binary/cluster.go
+++ b/pkg/kwokctl/runtime/binary/cluster.go
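Review bot: `GenerateSignCert` is called with `DefaultGroups` for the `system:kube-controller-manager` identity; if that is the same group list the admin certificate just above is signed with (and in particular contains `system:masters`), the new certificate is authorized as cluster admin through group membership and the separate identity gains nothing in least-privilege terms. Pass a component-specific group list (nil or empty, if `GenerateSignCert` accepts it) so authorization falls back to the built-in RBAC binding for that user. `componentSANs := DefaultAltNames` followed by `append` can write into the backing array of the package-level `DefaultAltNames` when it has spare capacity, so copy it before appending. The `[]internalversion.Component` literal with thirteen zeroed fields plus the `if component.Name == "kube-controller-manager"` guard inside the loop only carry a name and a user, and pull the internalversion API package into pki for that; a local two-field struct keeps the loop generic and makes the new import unnecessary.
```go
	// … unchanged: admin cert generation and its WriteCertAndKey error check …

	// Per-component identities signed by the cluster CA. Groups are left
	// empty on purpose so the user's own RBAC binding decides what it may do.
	componentCerts := []struct{ name, user string }{
		{name: "kube-controller-manager", user: "system:kube-controller-manager"},
	}
	for _, cc := range componentCerts {
		componentSANs := append([]string(nil), DefaultAltNames...)
		componentSANs = append(componentSANs, sans...)
		certPEM, keyPEM, err := GenerateSignCert(cc.user, caCert, caKey, notBefore, notAfter, nil, componentSANs)
		if err != nil {
			return fmt.Errorf("failed to generate cert and key for %s: %w", cc.name, err)
		}
		if err := WriteCertAndKey(pkiPath, cc.name, certPEM, keyPEM); err != nil {
			return fmt.Errorf("failed to write cert and key for %s: %w", cc.name, err)
		}
	}
	return nil
```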
@@ -129,21 +129,23 @@ func (c *Cluster) setupPorts(ctx context.Context, used sets.Sets[uint32], ports
 }
 type env struct {
- kwokctlConfig *internalversion.KwokctlConfiguration
- verbosity log.Level
- inClusterKubeconfigPath string
- kubeconfigPath string
- etcdDataPath string
- kwokConfigPath string
- pkiPath string
- auditLogPath string
- auditPolicyPath string
- workdir string
- caCertPath string
- adminKeyPath string
- adminCertPath string
- scheme string
- usedPorts sets.Sets[uint32]
+ kwokctlConfig *internalversion.KwokctlConfiguration
+ verbosity log.Level
+ inClusterKubeconfigPath string
+ kubeconfigPath string
+ etcdDataPath string
+ kwokConfigPath string
+ pkiPath string
+ auditLogPath string
+ auditPolicyPath string
+ workdir string
+ caCertPath string
+ adminKeyPath string
+ adminCertPath string
+ kubeControllerManagerCertPath string
+ kubeControllerManagerKeyPath string
+ scheme string
+ usedPorts sets.Sets[uint32]
 }
 func (c *Cluster) env(ctx context.Context) (*env, error) {
@@ -171,6 +173,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 caCertPath := path.Join(pkiPath, "ca.crt")
 adminKeyPath := path.Join(pkiPath, "admin.key")
 adminCertPath := path.Join(pkiPath, "admin.crt")
+ kubeControllerManagerKeyPath := path.Join(pkiPath, "kube-controller-manager.key")
+ kubeControllerManagerCertPath := path.Join(pkiPath, "kube-controller-manager.crt")
 auditLogPath := ""
 auditPolicyPath := ""
@@ -185,21 +189,23 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 usedPorts := runtime.GetUsedPorts(ctx)
 return &env{
- kwokctlConfig: config,
- verbosity: verbosity,
- inClusterKubeconfigPath: inClusterKubeconfigPath,
- kubeconfigPath: kubeconfigPath,
- etcdDataPath: etcdDataPath,
- kwokConfigPath: kwokConfigPath,
- pkiPath: pkiPath,
- auditLogPath: auditLogPath,
- auditPolicyPath: auditPolicyPath,
- workdir: workdir,
- caCertPath: caCertPath,
- adminKeyPath: adminKeyPath,
- adminCertPath: adminCertPath,
- scheme: scheme,
- usedPorts: usedPorts,
+ kwokctlConfig: config,
+ verbosity: verbosity,
+ inClusterKubeconfigPath: inClusterKubeconfigPath,
+ kubeconfigPath: kubeconfigPath,
+ etcdDataPath: etcdDataPath,
+ kwokConfigPath: kwokConfigPath,
+ pkiPath: pkiPath,
+ auditLogPath: auditLogPath,
+ auditPolicyPath: auditPolicyPath,
+ workdir: workdir,
+ caCertPath: caCertPath,
+ adminKeyPath: adminKeyPath,
+ adminCertPath: adminCertPath,
+ kubeControllerManagerKeyPath: kubeControllerManagerKeyPath,
+ kubeControllerManagerCertPath: kubeControllerManagerCertPath,
+ scheme: scheme,
+ usedPorts: usedPorts,
 }, nil
 }
@@ -482,6 +488,8 @@ func (c *Cluster) addKubeControllerManager(ctx context.Context, env *env) (err e
 CaCertPath: env.caCertPath,
 AdminCertPath: env.adminCertPath,
 AdminKeyPath: env.adminKeyPath,
+ KubeControllerManagerCertPath: env.kubeControllerManagerCertPath, // Add path for kube-controller-manager cert
+ KubeControllerManagerKeyPath: env.kubeControllerManagerKeyPath,
 KubeAuthorization: conf.KubeAuthorization,
 KubeconfigPath: env.inClusterKubeconfigPath,
 KubeFeatureGates: conf.KubeFeatureGates,
diff --git a/pkg/kwokctl/runtime/compose/cluster.go b/pkg/kwokctl/runtime/compose/cluster.go
index 249983554..23b12cee0 100644
--- a/pkg/kwokctl/runtime/compose/cluster.go
+++ b/pkg/kwokctl/runtime/compose/cluster.go
@@ -184,10 +184,14 @@ type env struct {
 caCertPath string
 adminKeyPath string
 adminCertPath string
+ kubeControllerManagerCertPath string
+ kubeControllerManagerKeyPath string
 inClusterPkiPath string
 inClusterCaCertPath string
 inClusterAdminKeyPath string
 inClusterAdminCertPath string
+ inClusterkubeControllerManagerCertPath string
+ inClusterkubeControllerManagerKeyPath string
 inClusterPort uint32
 scheme string
 usedPorts sets.Sets[uint32]
@@ -220,6 +224,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 inClusterCaCertPath := path.Join(inClusterPkiPath, "ca.crt")
 inClusterAdminKeyPath := path.Join(inClusterPkiPath, "admin.key")
 inClusterAdminCertPath := path.Join(inClusterPkiPath, "admin.crt")
+ inClusterkubeControllerManagerCertPath := path.Join(inClusterPkiPath, "kube-controller-manager.crt")
+ inClusterkubeControllerManagerKeyPath := path.Join(inClusterPkiPath, "kube-controller-manager.key")
 inClusterPort := uint32(8080)
 scheme := "http"
@@ -252,6 +258,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 inClusterCaCertPath: inClusterCaCertPath,
 inClusterAdminKeyPath: inClusterAdminKeyPath,
 inClusterAdminCertPath: inClusterAdminCertPath,
+ inClusterkubeControllerManagerCertPath: inClusterkubeControllerManagerCertPath,
+ inClusterkubeControllerManagerKeyPath: inClusterkubeControllerManagerKeyPath,
 inClusterPort: inClusterPort,
 scheme: scheme,
 usedPorts: usedPorts,
@@ -501,6 +509,8 @@ func (c *Cluster) addKubeControllerManager(ctx context.Context, env *env) (err e
 CaCertPath: env.caCertPath,
 AdminCertPath: env.adminCertPath,
 AdminKeyPath: env.adminKeyPath,
+ KubeControllerManagerCertPath: env.kubeControllerManagerCertPath,
+ KubeControllerManagerKeyPath: env.kubeControllerManagerKeyPath,
 KubeAuthorization: conf.KubeAuthorization,
 KubeconfigPath: env.inClusterOnHostKubeconfigPath,
 KubeFeatureGates: conf.KubeFeatureGates,
diff --git a/pkg/kwokctl/runtime/kind/cluster.go b/pkg/kwokctl/runtime/kind/cluster.go
index 484ba117f..1e8a191f3 100644
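Review bot: `inClusterkubeControllerManagerCertPath` and `inClusterkubeControllerManagerKeyPath` break the MixedCaps pattern of the neighbouring `inClusterAdminCertPath`; the `k` after `inCluster` should be capitalised, `inClusterKubeControllerManagerCertPath`. The same spelling is used at their assignments in the hunks at lines 224 and 258 of this file, so all three places need the rename together.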
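Review bot: The host-side fields `kubeControllerManagerCertPath` and `kubeControllerManagerKeyPath` added to `env` are read in `addKubeControllerManager` (hunk at line 509), but no hunk in this file assigns them: this hunk and the one at line 258 derive and store only the `inCluster…` pair. Unless they are set in an unchanged part of `env`, the component is built with `HostPath: ""` for both volume mounts and the container cannot start with the new certificate. Add `kubeControllerManagerCertPath := path.Join(pkiPath, "kube-controller-manager.crt")` and the key equivalent next to the existing `adminCertPath` line and store both in the returned struct. The `inCluster…` pair, by contrast, is stored but not consumed anywhere in this diff. The enclosing `env` method continues outside this hunk.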
--- a/pkg/kwokctl/runtime/kind/cluster.go
+++ b/pkg/kwokctl/runtime/kind/cluster.go
@@ -586,8 +586,8 @@ func (c *Cluster) addKubeControllerManager(_ context.Context, env *env) (err err
 Scheme: "https",
 Host: "127.0.0.1:10257",
 Path: "/metrics",
- CertPath: "/etc/kubernetes/pki/admin.crt",
- KeyPath: "/etc/kubernetes/pki/admin.key",
+ CertPath: "/etc/kubernetes/pki/kube-controller-manager.crt",
+ KeyPath: "/etc/kubernetes/pki/kube-controller-manager.key",
 InsecureSkipVerify: true,
 },
 })
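Review bot: The metric scrape inside the kind node now expects `/etc/kubernetes/pki/kube-controller-manager.crt` and `.key`, but no hunk in this diff copies the newly generated pair into the node or changes the kind controller-manager manifest to serve with it. If the kind runtime only stages the CA and admin files from the kwokctl pki directory, this scrape fails to load its client certificate at runtime rather than at build time; confirm the staging list includes the new files, and keep the old admin paths here until it does. addKubeControllerManager starts and ends outside this hunk.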