From bfe0c7479311bb9a5df9900118c612f08e7af7b7 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sun, 6 Jan 2019 17:23:58 -0800
Subject: [PATCH] Enable the certificates.k8s.io API to issue cluster certificates

* System components that require certificates signed by the cluster CA can submit a CSR to the apiserver, have an administrator inspect and approve it, and be issued a certificate
* Configure kube-controller-manager to sign Approved CSR's using the cluster CA private key
* Admins are responsible for approving or denying CSRs, otherwise, no certificate is issued. Read the Kubernetes docs carefully and verify the entity making the request and the authorization level
* https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
---
 CHANGES.md | 2 ++
 aws/container-linux/kubernetes/bootkube.tf | 2 +-
 aws/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 azure/container-linux/kubernetes/bootkube.tf | 2 +-
 bare-metal/container-linux/kubernetes/bootkube.tf | 2 +-
 bare-metal/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 digital-ocean/container-linux/kubernetes/bootkube.tf | 2 +-
 digital-ocean/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 google-cloud/container-linux/kubernetes/bootkube.tf | 2 +-
 google-cloud/fedora-atomic/kubernetes/bootkube.tf | 2 +-
 10 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 0828a2a3..2abfac2e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,6 +7,8 @@ Notable changes between versions.
 * Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370))
 * Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372))
 * Bind the `system:nodes` group to the `system:node` ClusterRole
+* Allow the `certificates.k8s.io` API to issue certificates signed by the cluster CA ([#376](https://github.com/poseidon/typhoon/pull/376))
+ * Configure controller manager to sign CSRs that are manually [approved](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster) by an administrator
 * Update CoreDNS from v1.2.6 to [v1.3.0](https://coredns.io/2018/12/15/coredns-1.3.0-release/)
 #### AWS
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index 96982825..8dc22c4c 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index 5185e4ab..e056882b 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf
index c6477a3d..019cf6a0 100644
--- a/azure/container-linux/kubernetes/bootkube.tf
+++ b/azure/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index 68135280..34f1e0ed 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index f50aa763..829c8bb1 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index 8cf4c8d4..842a3ee4 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 0f8afb02..b08a7a2f 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index ae8a9952..8b51fb2c 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 378f2cd4..5954bb2e 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]