
Commit 14b5d8a

committed
Add serving certs to healthz for KCM and KS
1 parent fb553b2 commit 14b5d8a


2 files changed

+11
-2
lines changed


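--- a/pkg/controllers/kube-controller-manager.go
+++ b/pkg/controllers/kube-controller-manager.go
@@ -98,6 +98,10 @@ func configure(ctx context.Context, cfg *config.Config) (args []string, applyFn
 "v": {strconv.Itoa(cfg.GetVerbosity())},
 "tls-cipher-suites": {strings.Join(cfg.ApiServer.TLS.CipherSuites, ",")},
 "tls-min-version": {cfg.ApiServer.TLS.MinVersion},
+// Use the same certificates as the apiserver for localhost communication
+// to avoid creating new certificates just for this component having the same CN/SAN.
+"tls-cert-file": {cryptomaterial.ServingCertPath(cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir)))},
+"tls-private-key-file": {cryptomaterial.ServingKeyPath(cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir)))},
 },
 }
 
@@ -122,7 +126,7 @@ func (s *KubeControllerManager) Run(ctx context.Context, ready chan<- struct{},
 // run readiness check
 go func() {
 // This endpoint uses a self-signed certificate on purpose, we need to skip verification.
-healthcheckStatus := util.RetryInsecureGet(ctx, "https://localhost:10257/healthz")
+healthcheckStatus := util.RetryGet(ctx, "https://localhost:10257/healthz", cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerLocalhostSigner(cryptomaterial.CertsDirectory(config.DataDir))))
 if healthcheckStatus != 200 {
 klog.Errorf("kube-controller-manager failed to start")
 errorChannel <- errors.New("kube-controller-manager failed to start")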
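Review bot: The context comment kept above the readiness check, `// This endpoint uses a self-signed certificate on purpose, we need to skip verification.`, is now contradicted by the line the commit replaces it with: util.RetryGet receives the localhost signer's CA path, so it presumably verifies the server certificate rather than skipping verification. Leaving the old comment will mislead the next reader into believing the probe is still insecure, or into re-adding RetryInsecureGet. Replace it with something like `// Verify the healthz endpoint against the apiserver localhost signer CA; this component serves the apiserver's localhost serving cert (see configure).` This only works if the certificate served on 10257 carries a SAN for localhost, which the KubeAPIServerLocalhostServingCertDir name suggests but the hunk does not show. The body of Run continues outside the hunk.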

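--- a/pkg/controllers/kube-scheduler.go
+++ b/pkg/controllers/kube-scheduler.go
@@ -24,6 +24,7 @@ import (
 
 "github.com/openshift/microshift/pkg/config"
 "github.com/openshift/microshift/pkg/util"
+"github.com/openshift/microshift/pkg/util/cryptomaterial"
 
 klog "k8s.io/klog/v2"
 kubescheduler "k8s.io/kubernetes/cmd/kube-scheduler/app"
@@ -55,6 +56,10 @@ func (s *KubeScheduler) configure(cfg *config.Config) {
 s.options.Authorization.RemoteKubeConfigFile = cfg.KubeConfigPath(config.KubeScheduler)
 s.options.SecureServing.MinTLSVersion = cfg.ApiServer.TLS.MinVersion
 s.options.SecureServing.CipherSuites = cfg.ApiServer.TLS.CipherSuites
+// Use the same certificates as the apiserver for localhost communication
+// to avoid creating new certificates just for this component having the same CN/SAN.
+s.options.SecureServing.ServerCert.CertKey.CertFile = cryptomaterial.ServingCertPath(cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir)))
+s.options.SecureServing.ServerCert.CertKey.KeyFile = cryptomaterial.ServingKeyPath(cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir)))
 s.kubeconfig = cfg.KubeConfigPath(config.KubeScheduler)
 }
 
@@ -80,7 +85,7 @@ func (s *KubeScheduler) Run(ctx context.Context, ready chan<- struct{}, stopped
 // run readiness check
 go func() {
 // This endpoint uses a self-signed certificate on purpose, we need to skip verification.
-healthcheckStatus := util.RetryInsecureGet(ctx, "https://localhost:10259/healthz")
+healthcheckStatus := util.RetryGet(ctx, "https://localhost:10259/healthz", cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerLocalhostSigner(cryptomaterial.CertsDirectory(config.DataDir))))
 if healthcheckStatus != 200 {
 klog.Errorf("%s healthcheck failed due to kube-scheduler failure to start", s.Name())
 errorChannel <- errors.New("kube-scheduler healthcheck failed")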
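Review bot: In configure, the scheduler now loads the kube-apiserver's serving private key, and the added comment only explains the convenience, not the consequence: the scheduler's TLS identity on localhost becomes indistinguishable from the apiserver's, and the process must be able to read that key file, which is only safe if it runs under the same identity as the apiserver — worth stating, e.g. `// NOTE: this reuses the apiserver's private key, so on localhost the scheduler presents the apiserver's identity; both run in-process with the same file access.` As a point of style, `cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir))` is spelled out twice on consecutive lines; computing it once as `servingDir := cryptomaterial.KubeAPIServerLocalhostServingCertDir(cryptomaterial.CertsDirectory(config.DataDir))` and then using `cryptomaterial.ServingCertPath(servingDir)` / `cryptomaterial.ServingKeyPath(servingDir)` keeps the cert and key visibly tied to the same directory. The readiness check in Run keeps the context comment about skipping verification, which no longer matches the RetryGet call that takes a CA path; the body of Run continues outside the hunk.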
