Enable custom CSR signer name (#211)

charts/multicluster-scheduler/README.md

@@ -27,6 +27,7 @@ Admiralty uses [finalizers](https://kubernetes.io/docs/tasks/access-kubernetes-a
 | controllerManager.securityContext | object | `{}` |  |
 | controllerManager.affinity | object | `{}` |  |
 | controllerManager.tolerations | array | `[]` |  |
+| controllerManager.certificateSignerName | string | `"kubernetes.io/kubelet-serving"` | SignerName for the virtual-kubelet certificate signing request
 | scheduler.replicas | integer | `2` |  |
 | scheduler.image.repository | string | `"public.ecr.aws/admiralty/admiralty-scheduler"` |  |
 | scheduler.image.tag | string | `"0.16.0"` |  |

charts/multicluster-scheduler/templates/cr.yaml

@@ -190,7 +190,7 @@ rules:
     resources:
     - signers
     resourceNames:
-    - kubernetes.io/kubelet-serving
+    - {{ .Values.controllerManager.certificateSignerName }}
     verbs:
     - approve
 ---

charts/multicluster-scheduler/templates/deploy.yaml

@@ -35,6 +35,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            - name: VKUBELET_CSR_SIGNER_NAME
+              value: {{ .Values.controllerManager.certificateSignerName }}
           image: {{ .Values.controllerManager.image.repository }}:{{ default .Chart.AppVersion .Values.controllerManager.image.tag }}
           ports:
               - containerPort: 9443

charts/multicluster-scheduler/values.yaml

@@ -34,6 +34,8 @@ controllerManager:
   # runAsNonRoot: true
   affinity: {}
   tolerations: []
+  # SignerName for the virtual-kubelet certificate signing request
+  certificateSignerName: "kubernetes.io/kubelet-serving"
 
 scheduler:
   replicas: 2

docs/operator_guide/installation.md

@@ -26,3 +26,11 @@ custom_edit_url: https://github.com/admiraltyio/admiralty/edit/master/docs/opera
         --version 0.16.0 \
         --wait
     ```
+
+## Virtual Kubelet certificate
+
+Some cloud control planes, such as [EKS](https://docs.aws.amazon.com/eks/latest/userguide/cert-signing.html) won't sign certificates for the virtual kubelet if they don't have the right CSR SignerName value, meaning that `kubernetes.io/kubelet-serving` would be rejected as a invalid SignerName.
+
+If that's the case, you can set `VKUBELET_CSR_SIGNER_NAME` env var in the `controller-manager` deployment, or set `controllerManager.certificateSignerName` value in the helm chart, which would use the correct SignerName to be signed by the control plane.
+
+In particular, on EKS, use `beta.eks.amazonaws.com/app-serving`.

pkg/vk/csr/csr.go

@@ -85,7 +85,7 @@ func GetCertificateFromKubernetesAPIServer(ctx context.Context, k kubernetes.Int
 	csrK8s := &v1.CertificateSigningRequest{}
 	csrK8s.GenerateName = "admiralty-"
 	csrK8s.Spec.Usages = []v1.KeyUsage{v1.UsageKeyEncipherment, v1.UsageDigitalSignature, v1.UsageServerAuth}
-	csrK8s.Spec.SignerName = v1.KubeletServingSignerName
+	csrK8s.Spec.SignerName = os.Getenv("VKUBELET_CSR_SIGNER_NAME")
 	csrK8s.Spec.Request = csrPEM
 	csrK8s, err = k.CertificatesV1().CertificateSigningRequests().Create(ctx, csrK8s, metav1.CreateOptions{})
 	if err != nil {