Merge pull request kubernetes#127326 from stlaz/ctb_new_signer

trustbundles: add a new kube-apiserver-serving signer

Author: k8s-ci-robot

cmd/kube-controller-manager/app/certificates.go

@@ -23,14 +23,21 @@ import (
 	"context"
 	"fmt"
 
+	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/component-base/featuregate"
 	"k8s.io/controller-manager/controller"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/certificates/approver"
 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
+	ctbpublisher "k8s.io/kubernetes/pkg/controller/certificates/clustertrustbundlepublisher"
 	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
 	"k8s.io/kubernetes/pkg/controller/certificates/signer"
 	csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 func newCertificateSigningRequestSigningControllerDescriptor() *ControllerDescriptor {
@@ -200,16 +207,9 @@ func newRootCACertificatePublisherControllerDescriptor() *ControllerDescriptor {
 }
 
 func startRootCACertificatePublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	var (
-		rootCA []byte
-		err    error
-	)
-	if controllerContext.ComponentConfig.SAController.RootCAFile != "" {
-		if rootCA, err = readCA(controllerContext.ComponentConfig.SAController.RootCAFile); err != nil {
-			return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", controllerContext.ComponentConfig.SAController.RootCAFile, err)
-		}
-	} else {
-		rootCA = controllerContext.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData
+	rootCA, err := getKubeAPIServerCAFileContents(controllerContext)
+	if err != nil {
+		return nil, true, err
 	}
 
 	sac, err := rootcacertpublisher.NewPublisher(
@@ -224,3 +224,77 @@ func startRootCACertificatePublisherController(ctx context.Context, controllerCo
 	go sac.Run(ctx, 1)
 	return nil, true, nil
 }
+
+func newKubeAPIServerSignerClusterTrustBundledPublisherDescriptor() *ControllerDescriptor {
+	return &ControllerDescriptor{
+		name:                 names.KubeAPIServerClusterTrustBundlePublisherController,
+		initFunc:             newKubeAPIServerSignerClusterTrustBundledPublisherController,
+		requiredFeatureGates: []featuregate.Feature{features.ClusterTrustBundle},
+	}
+}
+
+func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+	rootCA, err := getKubeAPIServerCAFileContents(controllerContext)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if len(rootCA) == 0 || !utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
+		return nil, false, nil
+	}
+
+	apiserverSignerClient := controllerContext.ClientBuilder.ClientOrDie("kube-apiserver-serving-clustertrustbundle-publisher")
+	ctbAvailable, err := clusterTrustBundlesAvailable(apiserverSignerClient)
+	if err != nil {
+		return nil, false, fmt.Errorf("discovery failed for ClusterTrustBundle: %w", err)
+	}
+
+	if !ctbAvailable {
+		return nil, false, nil
+	}
+
+	servingSigners, err := dynamiccertificates.NewStaticCAContent("kube-apiserver-serving", rootCA)
+	if err != nil {
+		return nil, false, fmt.Errorf("failed to create a static CA content provider for the kube-apiserver-serving signer: %w", err)
+	}
+
+	ctbPublisher, err := ctbpublisher.NewClusterTrustBundlePublisher(
+		"kubernetes.io/kube-apiserver-serving",
+		servingSigners,
+		apiserverSignerClient,
+	)
+	if err != nil {
+		return nil, false, fmt.Errorf("error creating kube-apiserver-serving signer certificates publisher: %w", err)
+	}
+
+	go ctbPublisher.Run(ctx)
+	return nil, true, nil
+}
+
+func clusterTrustBundlesAvailable(client kubernetes.Interface) (bool, error) {
+	resList, err := client.Discovery().ServerResourcesForGroupVersion(certificatesv1alpha1.SchemeGroupVersion.String())
+
+	if resList != nil {
+		// even in case of an error above there might be a partial list for APIs that
+		// were already successfully discovered
+		for _, r := range resList.APIResources {
+			if r.Name == "clustertrustbundles" {
+				return true, nil
+			}
+		}
+	}
+	return false, err
+}
+
+func getKubeAPIServerCAFileContents(controllerContext ControllerContext) ([]byte, error) {
+	if controllerContext.ComponentConfig.SAController.RootCAFile == "" {
+		return controllerContext.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData, nil
+	}
+
+	rootCA, err := readCA(controllerContext.ComponentConfig.SAController.RootCAFile)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing root-ca-file at %s: %w", controllerContext.ComponentConfig.SAController.RootCAFile, err)
+	}
+	return rootCA, nil
+
+}

cmd/kube-controller-manager/app/controllermanager.go

@@ -570,6 +570,7 @@ func NewControllerDescriptors() map[string]*ControllerDescriptor {
 	register(newVolumeAttributesClassProtectionControllerDescriptor())
 	register(newTTLAfterFinishedControllerDescriptor())
 	register(newRootCACertificatePublisherControllerDescriptor())
+	register(newKubeAPIServerSignerClusterTrustBundledPublisherDescriptor())
 	register(newEphemeralVolumeControllerDescriptor())
 
 	// feature gated

cmd/kube-controller-manager/app/controllermanager_test.go

@@ -89,6 +89,7 @@ func TestControllerNamesDeclaration(t *testing.T) {
 		names.VolumeAttributesClassProtectionController,
 		names.TTLAfterFinishedController,
 		names.RootCACertificatePublisherController,
+		names.KubeAPIServerClusterTrustBundlePublisherController,
 		names.EphemeralVolumeController,
 		names.StorageVersionGarbageCollectorController,
 		names.ResourceClaimController,

cmd/kube-controller-manager/names/controller_names.go

@@ -42,48 +42,49 @@ package names
 //     3.2. when defined flag's help mentions a controller name
 //  4. defining a new service account for a new controller (old controllers may have inconsistent service accounts to stay backwards compatible)
 const (
-	ServiceAccountTokenController                = "serviceaccount-token-controller"
-	EndpointsController                          = "endpoints-controller"
-	EndpointSliceController                      = "endpointslice-controller"
-	EndpointSliceMirroringController             = "endpointslice-mirroring-controller"
-	ReplicationControllerController              = "replicationcontroller-controller"
-	PodGarbageCollectorController                = "pod-garbage-collector-controller"
-	ResourceQuotaController                      = "resourcequota-controller"
-	NamespaceController                          = "namespace-controller"
-	ServiceAccountController                     = "serviceaccount-controller"
-	GarbageCollectorController                   = "garbage-collector-controller"
-	DaemonSetController                          = "daemonset-controller"
-	JobController                                = "job-controller"
-	DeploymentController                         = "deployment-controller"
-	ReplicaSetController                         = "replicaset-controller"
-	HorizontalPodAutoscalerController            = "horizontal-pod-autoscaler-controller"
-	DisruptionController                         = "disruption-controller"
-	StatefulSetController                        = "statefulset-controller"
-	CronJobController                            = "cronjob-controller"
-	CertificateSigningRequestSigningController   = "certificatesigningrequest-signing-controller"
-	CertificateSigningRequestApprovingController = "certificatesigningrequest-approving-controller"
-	CertificateSigningRequestCleanerController   = "certificatesigningrequest-cleaner-controller"
-	TTLController                                = "ttl-controller"
-	BootstrapSignerController                    = "bootstrap-signer-controller"
-	TokenCleanerController                       = "token-cleaner-controller"
-	NodeIpamController                           = "node-ipam-controller"
-	NodeLifecycleController                      = "node-lifecycle-controller"
-	TaintEvictionController                      = "taint-eviction-controller"
-	PersistentVolumeBinderController             = "persistentvolume-binder-controller"
-	PersistentVolumeAttachDetachController       = "persistentvolume-attach-detach-controller"
-	PersistentVolumeExpanderController           = "persistentvolume-expander-controller"
-	ClusterRoleAggregationController             = "clusterrole-aggregation-controller"
-	PersistentVolumeClaimProtectionController    = "persistentvolumeclaim-protection-controller"
-	PersistentVolumeProtectionController         = "persistentvolume-protection-controller"
-	TTLAfterFinishedController                   = "ttl-after-finished-controller"
-	RootCACertificatePublisherController         = "root-ca-certificate-publisher-controller"
-	EphemeralVolumeController                    = "ephemeral-volume-controller"
-	StorageVersionGarbageCollectorController     = "storageversion-garbage-collector-controller"
-	ResourceClaimController                      = "resourceclaim-controller"
-	LegacyServiceAccountTokenCleanerController   = "legacy-serviceaccount-token-cleaner-controller"
-	ValidatingAdmissionPolicyStatusController    = "validatingadmissionpolicy-status-controller"
-	VolumeAttributesClassProtectionController    = "volumeattributesclass-protection-controller"
-	ServiceCIDRController                        = "service-cidr-controller"
-	StorageVersionMigratorController             = "storage-version-migrator-controller"
-	SELinuxWarningController                     = "selinux-warning-controller"
+	ServiceAccountTokenController                      = "serviceaccount-token-controller"
+	EndpointsController                                = "endpoints-controller"
+	EndpointSliceController                            = "endpointslice-controller"
+	EndpointSliceMirroringController                   = "endpointslice-mirroring-controller"
+	ReplicationControllerController                    = "replicationcontroller-controller"
+	PodGarbageCollectorController                      = "pod-garbage-collector-controller"
+	ResourceQuotaController                            = "resourcequota-controller"
+	NamespaceController                                = "namespace-controller"
+	ServiceAccountController                           = "serviceaccount-controller"
+	GarbageCollectorController                         = "garbage-collector-controller"
+	DaemonSetController                                = "daemonset-controller"
+	JobController                                      = "job-controller"
+	DeploymentController                               = "deployment-controller"
+	ReplicaSetController                               = "replicaset-controller"
+	HorizontalPodAutoscalerController                  = "horizontal-pod-autoscaler-controller"
+	DisruptionController                               = "disruption-controller"
+	StatefulSetController                              = "statefulset-controller"
+	CronJobController                                  = "cronjob-controller"
+	CertificateSigningRequestSigningController         = "certificatesigningrequest-signing-controller"
+	CertificateSigningRequestApprovingController       = "certificatesigningrequest-approving-controller"
+	CertificateSigningRequestCleanerController         = "certificatesigningrequest-cleaner-controller"
+	TTLController                                      = "ttl-controller"
+	BootstrapSignerController                          = "bootstrap-signer-controller"
+	TokenCleanerController                             = "token-cleaner-controller"
+	NodeIpamController                                 = "node-ipam-controller"
+	NodeLifecycleController                            = "node-lifecycle-controller"
+	TaintEvictionController                            = "taint-eviction-controller"
+	PersistentVolumeBinderController                   = "persistentvolume-binder-controller"
+	PersistentVolumeAttachDetachController             = "persistentvolume-attach-detach-controller"
+	PersistentVolumeExpanderController                 = "persistentvolume-expander-controller"
+	ClusterRoleAggregationController                   = "clusterrole-aggregation-controller"
+	PersistentVolumeClaimProtectionController          = "persistentvolumeclaim-protection-controller"
+	PersistentVolumeProtectionController               = "persistentvolume-protection-controller"
+	TTLAfterFinishedController                         = "ttl-after-finished-controller"
+	RootCACertificatePublisherController               = "root-ca-certificate-publisher-controller"
+	KubeAPIServerClusterTrustBundlePublisherController = "kube-apiserver-serving-clustertrustbundle-publisher-controller"
+	EphemeralVolumeController                          = "ephemeral-volume-controller"
+	StorageVersionGarbageCollectorController           = "storageversion-garbage-collector-controller"
+	ResourceClaimController                            = "resourceclaim-controller"
+	LegacyServiceAccountTokenCleanerController         = "legacy-serviceaccount-token-cleaner-controller"
+	ValidatingAdmissionPolicyStatusController          = "validatingadmissionpolicy-status-controller"
+	VolumeAttributesClassProtectionController          = "volumeattributesclass-protection-controller"
+	ServiceCIDRController                              = "service-cidr-controller"
+	StorageVersionMigratorController                   = "storage-version-migrator-controller"
+	SELinuxWarningController                           = "selinux-warning-controller"
 )

pkg/controller/certificates/clustertrustbundlepublisher/metrics.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clustertrustbundlepublisher
+
+import (
+	"errors"
+	"strconv"
+	"sync"
+	"time"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+// clustertrustbundlePublisher - subsystem name used by clustertrustbundle_publisher
+const (
+	clustertrustbundlePublisher = "clustertrustbundle_publisher"
+)
+
+var (
+	syncCounter = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      clustertrustbundlePublisher,
+			Name:           "sync_total",
+			Help:           "Number of syncs that occurred in cluster trust bundle publisher.",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"code"},
+	)
+	syncLatency = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Subsystem:      clustertrustbundlePublisher,
+			Name:           "sync_duration_seconds",
+			Help:           "The time it took to sync a cluster trust bundle.",
+			Buckets:        metrics.ExponentialBuckets(0.001, 2, 15),
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"code"},
+	)
+)
+
+func recordMetrics(start time.Time, err error) {
+	code := "500"
+	if err == nil {
+		code = "200"
+	} else {
+		var statusErr apierrors.APIStatus
+		if errors.As(err, &statusErr) && statusErr.Status().Code != 0 {
+			code = strconv.Itoa(int(statusErr.Status().Code))
+		}
+	}
+	syncLatency.WithLabelValues(code).Observe(time.Since(start).Seconds())
+	syncCounter.WithLabelValues(code).Inc()
+}
+
+var once sync.Once
+
+func registerMetrics() {
+	once.Do(func() {
+		legacyregistry.MustRegister(syncCounter)
+		legacyregistry.MustRegister(syncLatency)
+	})
+}