unify service account key and signing keys (#180)

* unify service account key and signing keys * use x509 certificate for kube-apiserver service-account-key-file
openshift · Jul 26, 2021 · 22be2c1 · 22be2c1
1 parent 13acd7a
commit 22be2c1
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 6 deletions.
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
@@ -77,10 +77,6 @@ func initCerts(cfg *config.MicroshiftConfig) error {
 		"service-account.crt", "service-account.key"); err != nil {
 		return err
 	}
-	if err := util.GenKeys(cfg.DataDir+"/resources/kube-apiserver/secrets/service-account-signing-key",
-		"service-account.crt", "service-account.key"); err != nil {
-		return err
-	}
 	if err := util.GenCerts("system:masters", cfg.DataDir+"/certs/kube-apiserver/secrets/aggregator-client",
 		"tls.crt", "tls.key",
 		[]string{"system:admin", "system:masters"}); err != nil {

diff --git a/pkg/controllers/kube-api.go b/pkg/controllers/kube-api.go
@@ -99,8 +99,8 @@ func (s *KubeAPIServer) configure(cfg *config.MicroshiftConfig) {
 		"--requestheader-group-headers=X-Remote-Group",
 		"--requestheader-username-headers=X-Remote-User",
 		"--service-account-issuer=https://kubernetes.svc",
-		"--service-account-key-file=" + cfg.DataDir + "/resources/kube-apiserver/secrets/service-account-key/service-account.key",
-		"--service-account-signing-key-file=" + cfg.DataDir + "/resources/kube-apiserver/secrets/service-account-signing-key/service-account.key",
+		"--service-account-key-file=" + cfg.DataDir + "/resources/kube-apiserver/secrets/service-account-key/service-account.crt",
+		"--service-account-signing-key-file=" + cfg.DataDir + "/resources/kube-apiserver/secrets/service-account-key/service-account.key",
 		"--service-cluster-ip-range=" + cfg.Cluster.ServiceCIDR,
 		"--storage-backend=etcd3",
 		"--tls-cert-file=" + cfg.DataDir + "/certs/kube-apiserver/secrets/service-network-serving-certkey/tls.crt",