From 688278451987db7f00a84670272990e6338af7c1 Mon Sep 17 00:00:00 2001
From: Rafael Vencioneck
Date: Sun, 8 Sep 2024 16:44:19 -0300
Subject: [PATCH] Enable custom CSR signer name (#211)

---
 charts/multicluster-scheduler/README.md | 1 +
 charts/multicluster-scheduler/templates/cr.yaml | 2 +-
 charts/multicluster-scheduler/templates/deploy.yaml | 2 ++
 charts/multicluster-scheduler/values.yaml | 2 ++
 docs/operator_guide/installation.md | 8 ++++++++
 pkg/vk/csr/csr.go | 2 +-
 6 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/charts/multicluster-scheduler/README.md b/charts/multicluster-scheduler/README.md
index 03a85384..8a99028e 100644
--- a/charts/multicluster-scheduler/README.md
+++ b/charts/multicluster-scheduler/README.md
@@ -27,6 +27,7 @@ Admiralty uses [finalizers](https://kubernetes.io/docs/tasks/access-kubernetes-a
 | controllerManager.securityContext | object | `{}` | |
 | controllerManager.affinity | object | `{}` | |
 | controllerManager.tolerations | array | `[]` | |
+| controllerManager.certificateSignerName | string | `"kubernetes.io/kubelet-serving"` | SignerName for the virtual-kubelet certificate signing request
 | scheduler.replicas | integer | `2` | |
 | scheduler.image.repository | string | `"public.ecr.aws/admiralty/admiralty-scheduler"` | |
 | scheduler.image.tag | string | `"0.16.0"` | |
diff --git a/charts/multicluster-scheduler/templates/cr.yaml b/charts/multicluster-scheduler/templates/cr.yaml
index d14d6d6e..b3e4ad7b 100644
--- a/charts/multicluster-scheduler/templates/cr.yaml
+++ b/charts/multicluster-scheduler/templates/cr.yaml
@@ -190,7 +190,7 @@ rules:
 resources:
 - signers
 resourceNames:
- kubernetes.io/kubelet-serving
+ - {{ .Values.controllerManager.certificateSignerName }}
 verbs:
 - approve
 ---
diff --git a/charts/multicluster-scheduler/templates/deploy.yaml b/charts/multicluster-scheduler/templates/deploy.yaml
index ba8cd65b..6d05e7cf 100644
--- a/charts/multicluster-scheduler/templates/deploy.yaml
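Review bot: The ClusterRole's `resourceNames` entry injects the Helm value as an unquoted YAML scalar, so a value with a leading special character or surrounding whitespace renders invalid YAML or quietly changes meaning; `- {{ .Values.controllerManager.certificateSignerName | quote }}` keeps it a plain string. The `value:` line added in templates/deploy.yaml has the same problem and should be quoted the same way. It would also help to say in the values.yaml comment that this value scopes the `approve` verb on `signers`: as far as the hunk shows, whichever signer the operator configures, the controller manager is granted approval rights for every CSR addressed to that signer cluster-wide, not only its own. The enclosing ClusterRole rule starts before the hunk.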
+++ b/charts/multicluster-scheduler/templates/deploy.yaml
@@ -35,6 +35,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
+ - name: VKUBELET_CSR_SIGNER_NAME
+ value: {{ .Values.controllerManager.certificateSignerName }}
 image: {{ .Values.controllerManager.image.repository }}:{{ default .Chart.AppVersion .Values.controllerManager.image.tag }}
 ports:
 - containerPort: 9443
diff --git a/charts/multicluster-scheduler/values.yaml b/charts/multicluster-scheduler/values.yaml
index 1978f7f6..9ac436c1 100644
--- a/charts/multicluster-scheduler/values.yaml
+++ b/charts/multicluster-scheduler/values.yaml
@@ -34,6 +34,8 @@ controllerManager:
 # runAsNonRoot: true
 affinity: {}
 tolerations: []
+ # SignerName for the virtual-kubelet certificate signing request
+ certificateSignerName: "kubernetes.io/kubelet-serving"
 scheduler:
 replicas: 2
diff --git a/docs/operator_guide/installation.md b/docs/operator_guide/installation.md
index ef7c5ecf..4d7c2740 100644
--- a/docs/operator_guide/installation.md
+++ b/docs/operator_guide/installation.md
@@ -26,3 +26,11 @@ custom_edit_url: https://github.com/admiraltyio/admiralty/edit/master/docs/opera
 --version 0.16.0 \
 --wait
 ```
+
+ ## Virtual Kubelet certificate
+
+ Some cloud control planes, such as [EKS](https://docs.aws.amazon.com/eks/latest/userguide/cert-signing.html) won't sign certificates for the virtual kubelet if they don't have the right CSR SignerName value, meaning that `kubernetes.io/kubelet-serving` would be rejected as a invalid SignerName.
+
+ If that's the case, you can set `VKUBELET_CSR_SIGNER_NAME` env var in the `controller-manager` deployment, or set `controllerManager.certificateSignerName` value in the helm chart, which would use the correct SignerName to be signed by the control plane.
+
+ In particular, on EKS, use `beta.eks.amazonaws.com/app-serving`.
\ No newline at end of file
diff --git a/pkg/vk/csr/csr.go b/pkg/vk/csr/csr.go
index 21f9aa97..5e73b21d 100644
--- a/pkg/vk/csr/csr.go
+++ b/pkg/vk/csr/csr.go
@@ -85,7 +85,7 @@ func GetCertificateFromKubernetesAPIServer(ctx context.Context, k kubernetes.Int
 csrK8s := &v1.CertificateSigningRequest{}
 csrK8s.GenerateName = "admiralty-"
 csrK8s.Spec.Usages = []v1.KeyUsage{v1.UsageKeyEncipherment, v1.UsageDigitalSignature, v1.UsageServerAuth}
- csrK8s.Spec.SignerName = v1.KubeletServingSignerName
+ csrK8s.Spec.SignerName = os.Getenv("VKUBELET_CSR_SIGNER_NAME")
 csrK8s.Spec.Request = csrPEM
 csrK8s, err = k.CertificatesV1().CertificateSigningRequests().Create(ctx, csrK8s, metav1.CreateOptions{})
 if err != nil {
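Review bot: `os.Getenv("VKUBELET_CSR_SIGNER_NAME")` replaces the `v1.KubeletServingSignerName` default with no fallback, so any deployment that does not set the variable (an older chart release, a hand-written manifest, a pod spec without that env entry) now submits a CSR with an empty `spec.signerName`, which the certificates.k8s.io/v1 API treats as a required field and rejects — while the installation guide in this same patch describes the variable as optional. Keep the old behaviour when unset: `signerName := os.Getenv("VKUBELET_CSR_SIGNER_NAME")`, `if signerName == "" { signerName = v1.KubeletServingSignerName }`, `csrK8s.Spec.SignerName = signerName`. The hunk does not show the import block, so confirm `os` is imported in csr.go. Logging the signer in use when the CSR is created would also help operators, since a wrong signer otherwise surfaces only as a CSR that never gets signed. GetCertificateFromKubernetesAPIServer starts and ends outside the hunk.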