apiserver: Add mandatory flags

surajssd · surajssd · commit 0757c8a1d27d · 2021-03-03T13:04:53.000+05:30
In 1.20 release `TokenRequest` has become GA. Hence the kube-apiserver flags `--service-account-signing-key-file` and `--service-account-issuer` are now required. This commit adds those flags. Read more: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#urgent-upgrade-notes
diff --git a/assets/charts/control-plane/kube-apiserver/templates/_helpers.tpl b/assets/charts/control-plane/kube-apiserver/templates/_helpers.tpl
@@ -40,6 +40,8 @@
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --secure-port=6443
         - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+        - --service-account-signing-key-file=/etc/kubernetes/secrets/service-account.private
+        - --service-account-issuer=kubernetes.default.svc
         - --service-cluster-ip-range={{ .Values.apiserver.serviceCIDR }}
         - --storage-backend=etcd3
         - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
diff --git a/assets/charts/control-plane/kube-apiserver/templates/kube-apiserver-secret.yaml b/assets/charts/control-plane/kube-apiserver/templates/kube-apiserver-secret.yaml
@@ -2,6 +2,7 @@
   apiserver.key: "{{ .Values.apiserver.apiserverKey }}"
   apiserver.crt: "{{ .Values.apiserver.apiserverCert }}"
   service-account.pub: "{{ .Values.apiserver.serviceAccountPub }}"
+  service-account.private: "{{ .Values.apiserver.serviceAccountPrivate }}"
   ca.crt: "{{ .Values.apiserver.caCert }}"
   etcd-client-ca.crt: "{{ .Values.apiserver.etcdClientCaCert }}"
   etcd-client.crt: "{{ .Values.apiserver.etcdClientCert }}"
diff --git a/assets/charts/control-plane/kube-apiserver/values.yaml b/assets/charts/control-plane/kube-apiserver/values.yaml
@@ -2,6 +2,7 @@ apiserver:
   apiserverKey:
   apiserverCert:
   serviceAccountPub:
+  serviceAccountPrivate:
   caCert:
   etcdClientCaCert:
   etcdClientCert:
diff --git a/assets/terraform-modules/bootkube/assets.tf b/assets/terraform-modules/bootkube/assets.tf
@@ -40,6 +40,7 @@ resource "local_file" "kube-apiserver" {
     apiserver_key           = base64encode(tls_private_key.apiserver.private_key_pem)
     apiserver_cert          = base64encode(tls_locally_signed_cert.apiserver.cert_pem)
     serviceaccount_pub      = base64encode(tls_private_key.service-account.public_key_pem)
+    serviceaccount_private  = base64encode(tls_private_key.service-account.private_key_pem)
     etcd_ca_cert            = base64encode(tls_self_signed_cert.etcd-ca.cert_pem)
     etcd_client_cert        = base64encode(tls_locally_signed_cert.client.cert_pem)
     etcd_client_key         = base64encode(tls_private_key.client.private_key_pem)
diff --git a/assets/terraform-modules/bootkube/resources/bootstrap-manifests/bootstrap-apiserver.yaml b/assets/terraform-modules/bootkube/resources/bootstrap-manifests/bootstrap-apiserver.yaml
@@ -39,6 +39,8 @@ spec:
     - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
     - --secure-port=6443
     - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+    - --service-account-signing-key-file=/etc/kubernetes/secrets/service-account.key
+    - --service-account-issuer=kubernetes.default.svc
     - --service-cluster-ip-range=${service_cidr}
     - --storage-backend=etcd3
     - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
diff --git a/assets/terraform-modules/bootkube/resources/charts/kube-apiserver.yaml b/assets/terraform-modules/bootkube/resources/charts/kube-apiserver.yaml
@@ -2,6 +2,7 @@ apiserver:
   apiserverKey: ${apiserver_key}
   apiserverCert: ${apiserver_cert}
   serviceAccountPub: ${serviceaccount_pub}
+  serviceAccountPrivate: ${serviceaccount_private}
   caCert: ${ca_cert}
   etcdClientCaCert: ${etcd_ca_cert}
   etcdClientCert: ${etcd_client_cert}
