Unverified Commit d8f32b29 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #58968 from deads2k/server-07-deadarg

Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. remove --tls-ca-file which had no effect The flag has had no effect since we started configuring loopback based on the direct cert. I've marked it deprecated this release so we don't break launch scripts right away, but its coming. I think we should remove it in 1.11. ```release-note-action-required kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before ugprading to 1.11. ```
parents da601bc7 114711f7
...@@ -554,7 +554,6 @@ function start_apiserver { ...@@ -554,7 +554,6 @@ function start_apiserver {
--secure-port="${API_SECURE_PORT}" \ --secure-port="${API_SECURE_PORT}" \
--tls-cert-file="${CERT_DIR}/serving-kube-apiserver.crt" \ --tls-cert-file="${CERT_DIR}/serving-kube-apiserver.crt" \
--tls-private-key-file="${CERT_DIR}/serving-kube-apiserver.key" \ --tls-private-key-file="${CERT_DIR}/serving-kube-apiserver.key" \
--tls-ca-file="${CERT_DIR}/server-ca.crt" \
--insecure-bind-address="${API_HOST_IP}" \ --insecure-bind-address="${API_HOST_IP}" \
--insecure-port="${API_PORT}" \ --insecure-port="${API_PORT}" \
--storage-backend=${STORAGE_BACKEND} \ --storage-backend=${STORAGE_BACKEND} \
......
...@@ -216,10 +216,6 @@ type SecureServingInfo struct { ...@@ -216,10 +216,6 @@ type SecureServingInfo struct {
// allowed to be in SNICerts. // allowed to be in SNICerts.
Cert *tls.Certificate Cert *tls.Certificate
// CACert is an optional certificate authority used for the loopback connection of the Admission controllers.
// If this is nil, the certificate authority is extracted from Cert or a matching SNI certificate.
CACert *tls.Certificate
// SNICerts are the TLS certificates by name used for SNI. // SNICerts are the TLS certificates by name used for SNI.
SNICerts map[string]*tls.Certificate SNICerts map[string]*tls.Certificate
......
...@@ -18,9 +18,7 @@ package options ...@@ -18,9 +18,7 @@ package options
import ( import (
"crypto/tls" "crypto/tls"
"encoding/pem"
"fmt" "fmt"
"io/ioutil"
"net" "net"
"path" "path"
"strconv" "strconv"
...@@ -69,8 +67,6 @@ type CertKey struct { ...@@ -69,8 +67,6 @@ type CertKey struct {
type GeneratableKeyCert struct { type GeneratableKeyCert struct {
CertKey CertKey CertKey CertKey
// CACertFile is an optional file containing the certificate chain for CertKey.CertFile
CACertFile string
// CertDirectory is a directory that will contain the certificates. If the cert and key aren't specifically set // CertDirectory is a directory that will contain the certificates. If the cert and key aren't specifically set
// this will be used to derive a match with the "pair-name" // this will be used to derive a match with the "pair-name"
CertDirectory string CertDirectory string
...@@ -135,11 +131,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -135,11 +131,6 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile, fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile,
"File containing the default x509 private key matching --tls-cert-file.") "File containing the default x509 private key matching --tls-cert-file.")
fs.StringVar(&s.ServerCert.CACertFile, "tls-ca-file", s.ServerCert.CACertFile, "If set, this "+
"certificate authority will used for secure access from Admission "+
"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+
"can be appended to the certificate provided by --tls-cert-file.")
fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites, fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
"Comma-separated list of cipher suites for the server. "+ "Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+ "Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
...@@ -157,6 +148,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -157,6 +148,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"trump over extracted names. For multiple key/certificate pairs, use the "+ "trump over extracted names. For multiple key/certificate pairs, use the "+
"--tls-sni-cert-key multiple times. "+ "--tls-sni-cert-key multiple times. "+
"Examples: \"example.crt,example.key\" or \"foo.crt,foo.key:*.foo.com,foo.com\".") "Examples: \"example.crt,example.key\" or \"foo.crt,foo.key:*.foo.com,foo.com\".")
// TODO remove this flag in 1.11. The flag had no effect before this will prevent scripts from immediately failing on upgrade.
fs.String("tls-ca-file", "", "This flag has no effect.")
fs.MarkDeprecated("tls-ca-file", "This flag has no effect.")
} }
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
...@@ -230,24 +226,6 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { ...@@ -230,24 +226,6 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
secureServingInfo.Cert = &tlsCert secureServingInfo.Cert = &tlsCert
} }
// optionally load CA cert
if len(s.ServerCert.CACertFile) != 0 {
pemData, err := ioutil.ReadFile(s.ServerCert.CACertFile)
if err != nil {
return fmt.Errorf("failed to read certificate authority from %q: %v", s.ServerCert.CACertFile, err)
}
block, pemData := pem.Decode(pemData)
if block == nil {
return fmt.Errorf("no certificate found in certificate authority file %q", s.ServerCert.CACertFile)
}
if block.Type != "CERTIFICATE" {
return fmt.Errorf("expected CERTIFICATE block in certiticate authority file %q, found: %s", s.ServerCert.CACertFile, block.Type)
}
secureServingInfo.CACert = &tls.Certificate{
Certificate: [][]byte{block.Bytes},
}
}
if len(s.CipherSuites) != 0 { if len(s.CipherSuites) != 0 {
cipherSuites, err := utilflag.TLSCipherSuites(s.CipherSuites) cipherSuites, err := utilflag.TLSCipherSuites(s.CipherSuites)
if err != nil { if err != nil {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment