kubernetes-sigs · Manoramsharma · Jun 2, 2024 · Jun 2, 2024 · Jun 3, 2024
diff --git a/pkg/kwokctl/components/kube_controller_manager.go b/pkg/kwokctl/components/kube_controller_manager.go
@@ -41,6 +41,8 @@ type BuildKubeControllerManagerComponentConfig struct {
 	CaCertPath                         string
 	AdminCertPath                      string
 	AdminKeyPath                       string
+	KubeControllerManagerCertPath      string // Add field for kube-controller-manager specific cert
+	KubeControllerManagerKeyPath       string
 	KubeAuthorization                  bool
 	KubeconfigPath                     string
 	KubeFeatureGates                   string
@@ -89,13 +91,13 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 				ReadOnly:  true,
 			},
 			internalversion.Volume{
-				HostPath:  conf.AdminCertPath,
-				MountPath: "/etc/kubernetes/pki/admin.crt",
+				HostPath:  conf.KubeControllerManagerCertPath,
+				MountPath: "/etc/kubernetes/pki/kube-controller-manager.crt",
 				ReadOnly:  true,
 			},
 			internalversion.Volume{
-				HostPath:  conf.AdminKeyPath,
-				MountPath: "/etc/kubernetes/pki/admin.key",
+				HostPath:  conf.KubeControllerManagerKeyPath,
+				MountPath: "/etc/kubernetes/pki/kube-controller-manager.key",
 				ReadOnly:  true,
 			},
 		)
@@ -119,6 +121,8 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 			kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 				"--bind-address="+conf.BindAddress,
 				"--secure-port=10257",
+				"--tls-cert-file=/etc/kubernetes/pki/kube-controller-manager.crt",        // Add argument for kube-controller-manager specific cert
+				"--tls-private-key-file=/etc/kubernetes/pki/kube-controller-manager.key", // Add argument for kube-controller-manager specific key
 			)
 			if conf.Port > 0 {
 				ports = append(
@@ -133,21 +137,23 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 				Scheme:             "https",
 				Host:               conf.ProjectName + "-" + consts.ComponentKubeControllerManager + ":10257",
 				Path:               "/metrics",
-				CertPath:           "/etc/kubernetes/pki/admin.crt",
-				KeyPath:            "/etc/kubernetes/pki/admin.key",
+				CertPath:           "/etc/kubernetes/pki/kube-controller-manager.crt", // Update metric to use kube-controller-manager specific cert
+				KeyPath:            "/etc/kubernetes/pki/kube-controller-manager.key", // Update metric to use kube-controller-manager specific key
 				InsecureSkipVerify: true,
 			}
 		} else {
 			kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 				"--bind-address="+conf.BindAddress,
 				"--secure-port="+format.String(conf.Port),
+				"--tls-cert-file="+conf.KubeControllerManagerCertPath,       // Add argument for kube-controller-manager specific cert
+				"--tls-private-key-file="+conf.KubeControllerManagerKeyPath, // Add argument for kube-controller-manager specific key
 			)
 			metric = &internalversion.ComponentMetric{
 				Scheme:             "https",
 				Host:               net.LocalAddress + ":" + format.String(conf.Port),
 				Path:               "/metrics",
-				CertPath:           conf.AdminCertPath,
-				KeyPath:            conf.AdminKeyPath,
+				CertPath:           conf.KubeControllerManagerCertPath, // Update metric to use kube-controller-manager specific cert
+				KeyPath:            conf.KubeControllerManagerKeyPath,  // Update metric to use kube-controller-manager specific key
 				InsecureSkipVerify: true,
 			}
 		}
@@ -197,12 +203,12 @@ func BuildKubeControllerManagerComponent(conf BuildKubeControllerManagerComponen
 		if GetRuntimeMode(conf.Runtime) != RuntimeModeNative {
 			kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 				"--root-ca-file=/etc/kubernetes/pki/ca.crt",
-				"--service-account-private-key-file=/etc/kubernetes/pki/admin.key",
+				"--service-account-private-key-file=/etc/kubernetes/pki/kube-controller-manager.key", // Update to use kube-controller-manager specific key
 			)
 		} else {
 			kubeControllerManagerArgs = append(kubeControllerManagerArgs,
 				"--root-ca-file="+conf.CaCertPath,
-				"--service-account-private-key-file="+conf.AdminKeyPath,
+				"--service-account-private-key-file="+conf.KubeControllerManagerKeyPath, // Update to use kube-controller-manager specific key
 			)
 		}
 	}

diff --git a/pkg/kwokctl/pki/pki.go b/pkg/kwokctl/pki/pki.go
@@ -23,6 +23,7 @@ import (
 	"net"
 	"time"
 
+	"sigs.k8s.io/kwok/pkg/apis/internalversion"
 	"sigs.k8s.io/kwok/pkg/utils/slices"
 )
 
@@ -74,6 +75,44 @@ func GeneratePki(pkiPath string, sans ...string) error {
 	if err != nil {
 		return fmt.Errorf("failed to write admin cert and key: %w", err)
 	}
+
+	// Generate certificates for components
+	components := []internalversion.Component{
+		{
+			Name:  "kube-controller-manager",
+			User:  "system:kube-controller-manager",
+			Links: []string{},
+			Binary: "",
+			Image: "",
+			Command: []string{},
+			Args: []string{},
+			WorkDir: "",
+			Ports: []internalversion.Port{},
+			Envs: []internalversion.Env{},
+			Volumes: []internalversion.Volume{},
+			Metric: nil,
+			MetricsDiscovery: nil,
+			Version: "",
+		},
+		// Add other components here
+	}
+
+	for _, component := range components {
+		if component.Name == "kube-controller-manager" {
+		componentSANs := DefaultAltNames
+		if len(sans) != 0 {
+			componentSANs = append(componentSANs, sans...)
+		}
+		componentCert, componentKey, err := GenerateSignCert(component.User, caCert, caKey, notBefore, notAfter, DefaultGroups, componentSANs)
+		if err != nil {
+			return fmt.Errorf("failed to generate cert and key for %s: %w", component.Name, err)
+		}
+		err = WriteCertAndKey(pkiPath, component.Name, componentCert, componentKey)
+		if err != nil {
+			return fmt.Errorf("failed to write cert and key for %s: %w", component.Name, err)
+		}
+	}
+	}
 	return nil
 }
 

diff --git a/pkg/kwokctl/runtime/binary/cluster.go b/pkg/kwokctl/runtime/binary/cluster.go
@@ -129,21 +129,23 @@ func (c *Cluster) setupPorts(ctx context.Context, used sets.Sets[uint32], ports
 }
 
 type env struct {
-	kwokctlConfig           *internalversion.KwokctlConfiguration
-	verbosity               log.Level
-	inClusterKubeconfigPath string
-	kubeconfigPath          string
-	etcdDataPath            string
-	kwokConfigPath          string
-	pkiPath                 string
-	auditLogPath            string
-	auditPolicyPath         string
-	workdir                 string
-	caCertPath              string
-	adminKeyPath            string
-	adminCertPath           string
-	scheme                  string
-	usedPorts               sets.Sets[uint32]
+	kwokctlConfig                 *internalversion.KwokctlConfiguration
+	verbosity                     log.Level
+	inClusterKubeconfigPath       string
+	kubeconfigPath                string
+	etcdDataPath                  string
+	kwokConfigPath                string
+	pkiPath                       string
+	auditLogPath                  string
+	auditPolicyPath               string
+	workdir                       string
+	caCertPath                    string
+	adminKeyPath                  string
+	adminCertPath                 string
+	kubeControllerManagerCertPath string
+	kubeControllerManagerKeyPath  string
+	scheme                        string
+	usedPorts                     sets.Sets[uint32]
 }
 
 func (c *Cluster) env(ctx context.Context) (*env, error) {
@@ -171,6 +173,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 	caCertPath := path.Join(pkiPath, "ca.crt")
 	adminKeyPath := path.Join(pkiPath, "admin.key")
 	adminCertPath := path.Join(pkiPath, "admin.crt")
+	kubeControllerManagerKeyPath := path.Join(pkiPath, "kube-controller-manager.key")
+	kubeControllerManagerCertPath := path.Join(pkiPath, "kube-controller-manager.crt")
 	auditLogPath := ""
 	auditPolicyPath := ""
 
@@ -185,21 +189,23 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 	usedPorts := runtime.GetUsedPorts(ctx)
 
 	return &env{
-		kwokctlConfig:           config,
-		verbosity:               verbosity,
-		inClusterKubeconfigPath: inClusterKubeconfigPath,
-		kubeconfigPath:          kubeconfigPath,
-		etcdDataPath:            etcdDataPath,
-		kwokConfigPath:          kwokConfigPath,
-		pkiPath:                 pkiPath,
-		auditLogPath:            auditLogPath,
-		auditPolicyPath:         auditPolicyPath,
-		workdir:                 workdir,
-		caCertPath:              caCertPath,
-		adminKeyPath:            adminKeyPath,
-		adminCertPath:           adminCertPath,
-		scheme:                  scheme,
-		usedPorts:               usedPorts,
+		kwokctlConfig:                 config,
+		verbosity:                     verbosity,
+		inClusterKubeconfigPath:       inClusterKubeconfigPath,
+		kubeconfigPath:                kubeconfigPath,
+		etcdDataPath:                  etcdDataPath,
+		kwokConfigPath:                kwokConfigPath,
+		pkiPath:                       pkiPath,
+		auditLogPath:                  auditLogPath,
+		auditPolicyPath:               auditPolicyPath,
+		workdir:                       workdir,
+		caCertPath:                    caCertPath,
+		adminKeyPath:                  adminKeyPath,
+		adminCertPath:                 adminCertPath,
+		kubeControllerManagerKeyPath:  kubeControllerManagerKeyPath,
+		kubeControllerManagerCertPath: kubeControllerManagerCertPath,
+		scheme:                        scheme,
+		usedPorts:                     usedPorts,
 	}, nil
 }
 
@@ -482,6 +488,8 @@ func (c *Cluster) addKubeControllerManager(ctx context.Context, env *env) (err e
 			CaCertPath:                         env.caCertPath,
 			AdminCertPath:                      env.adminCertPath,
 			AdminKeyPath:                       env.adminKeyPath,
+			KubeControllerManagerCertPath:      env.kubeControllerManagerCertPath, // Add path for kube-controller-manager cert
+			KubeControllerManagerKeyPath:       env.kubeControllerManagerKeyPath,
 			KubeAuthorization:                  conf.KubeAuthorization,
 			KubeconfigPath:                     env.inClusterKubeconfigPath,
 			KubeFeatureGates:                   conf.KubeFeatureGates,

diff --git a/pkg/kwokctl/runtime/compose/cluster.go b/pkg/kwokctl/runtime/compose/cluster.go
@@ -184,10 +184,14 @@ type env struct {
 	caCertPath                    string
 	adminKeyPath                  string
 	adminCertPath                 string
+	kubeControllerManagerCertPath string
+	kubeControllerManagerKeyPath  string
 	inClusterPkiPath              string
 	inClusterCaCertPath           string
 	inClusterAdminKeyPath         string
 	inClusterAdminCertPath        string
+	inClusterkubeControllerManagerCertPath       string
+	inClusterkubeControllerManagerKeyPath       string
 	inClusterPort                 uint32
 	scheme                        string
 	usedPorts                     sets.Sets[uint32]
@@ -220,6 +224,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 	inClusterCaCertPath := path.Join(inClusterPkiPath, "ca.crt")
 	inClusterAdminKeyPath := path.Join(inClusterPkiPath, "admin.key")
 	inClusterAdminCertPath := path.Join(inClusterPkiPath, "admin.crt")
+	inClusterkubeControllerManagerCertPath := path.Join(inClusterPkiPath, "kube-controller-manager.crt")
+	inClusterkubeControllerManagerKeyPath  := path.Join(inClusterPkiPath, "kube-controller-manager.key")
 
 	inClusterPort := uint32(8080)
 	scheme := "http"
@@ -252,6 +258,8 @@ func (c *Cluster) env(ctx context.Context) (*env, error) {
 		inClusterCaCertPath:           inClusterCaCertPath,
 		inClusterAdminKeyPath:         inClusterAdminKeyPath,
 		inClusterAdminCertPath:        inClusterAdminCertPath,
+		inClusterkubeControllerManagerCertPath: inClusterkubeControllerManagerCertPath,
+		inClusterkubeControllerManagerKeyPath: inClusterkubeControllerManagerKeyPath,
 		inClusterPort:                 inClusterPort,
 		scheme:                        scheme,
 		usedPorts:                     usedPorts,
@@ -501,6 +509,8 @@ func (c *Cluster) addKubeControllerManager(ctx context.Context, env *env) (err e
 			CaCertPath:                         env.caCertPath,
 			AdminCertPath:                      env.adminCertPath,
 			AdminKeyPath:                       env.adminKeyPath,
+			KubeControllerManagerCertPath: env.kubeControllerManagerCertPath,
+			KubeControllerManagerKeyPath: env.kubeControllerManagerKeyPath,
 			KubeAuthorization:                  conf.KubeAuthorization,
 			KubeconfigPath:                     env.inClusterOnHostKubeconfigPath,
 			KubeFeatureGates:                   conf.KubeFeatureGates,

diff --git a/pkg/kwokctl/runtime/kind/cluster.go b/pkg/kwokctl/runtime/kind/cluster.go
@@ -586,8 +586,8 @@ func (c *Cluster) addKubeControllerManager(_ context.Context, env *env) (err err
 				Scheme:             "https",
 				Host:               "127.0.0.1:10257",
 				Path:               "/metrics",
-				CertPath:           "/etc/kubernetes/pki/admin.crt",
-				KeyPath:            "/etc/kubernetes/pki/admin.key",
+				CertPath:           "/etc/kubernetes/pki/kube-controller-manager.crt",
+				KeyPath:            "/etc/kubernetes/pki/kube-controller-manager.key",
 				InsecureSkipVerify: true,
 			},
 		})