minio · dvaldivia · Sep 12, 2021 · Sep 10, 2021 · Sep 10, 2021 · Sep 11, 2021
diff --git a/pkg/controller/cluster/csr.go b/pkg/controller/cluster/csr.go
@@ -37,7 +37,7 @@ import (
 
 	miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
 
-	certificates "k8s.io/api/certificates/v1"
+	certificates "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -69,14 +69,15 @@ func isEqual(a, b []string) bool {
 
 // createCertificateSigningRequest is equivalent to kubectl create <csr-name> and kubectl approve csr <csr-name>
 func (c *Controller) createCertificateSigningRequest(ctx context.Context, labels map[string]string, name, namespace string, csrBytes []byte, owner metav1.Object, usage string) error {
-	csrSignerName := "kubernetes.io/kubelet-serving"
+	//csrSignerName := "kubernetes.io/kubelet-serving"
 	csrKeyUsage := []certificates.KeyUsage{
 		certificates.UsageDigitalSignature,
-		certificates.UsageKeyEncipherment,
+		//certificates.UsageKeyEncipherment,
 		certificates.UsageServerAuth,
+		certificates.UsageClientAuth,
 	}
 	if usage == "client" {
-		csrSignerName = "kubernetes.io/kube-apiserver-client"
+		//csrSignerName = "kubernetes.io/kube-apiserver-client"
 		csrKeyUsage = []certificates.KeyUsage{
 			certificates.UsageDigitalSignature,
 			certificates.UsageKeyEncipherment,
@@ -102,14 +103,14 @@ func (c *Controller) createCertificateSigningRequest(ctx context.Context, labels
 			},
 		},
 		Spec: certificates.CertificateSigningRequestSpec{
-			SignerName: csrSignerName,
-			Request:    encodedBytes,
-			Groups:     []string{"system:authenticated", "system:nodes"},
-			Usages:     csrKeyUsage,
+			//SignerName: csrSignerName,
+			Request: encodedBytes,
+			Groups:  []string{"system:authenticated", "system:nodes"},
+			Usages:  csrKeyUsage,
 		},
 	}
 
-	ks, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Create(ctx, kubeCSR, metav1.CreateOptions{})
+	ks, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Create(ctx, kubeCSR, metav1.CreateOptions{})
 	if err != nil && !k8serrors.IsAlreadyExists(err) {
 		return err
 	}
@@ -132,7 +133,7 @@ func (c *Controller) createCertificateSigningRequest(ctx context.Context, labels
 		},
 	}
 
-	_, err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().UpdateApproval(ctx, name, ks, metav1.UpdateOptions{})
+	_, err = c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(ctx, ks, metav1.UpdateOptions{})
 	if err != nil {
 		return err
 	}
@@ -161,7 +162,7 @@ func (c *Controller) fetchCertificate(ctx context.Context, csrName string) ([]by
 			return nil, fmt.Errorf("%s", s.String())
 
 		case <-tick.C:
-			r, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, csrName, v1.GetOptions{})
+			r, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, csrName, v1.GetOptions{})
 			if err != nil {
 				klog.Errorf("Unexpected error during certificate fetching of csr/%s: %s", csrName, err)
 				return nil, err

diff --git a/pkg/controller/cluster/kes.go b/pkg/controller/cluster/kes.go
@@ -154,7 +154,7 @@ func (c *Controller) checkKESCertificatesStatus(ctx context.Context, tenant *min
 					return err
 				}
 				// TLS secret not found, delete CSR if exists and start certificate generation process again
-				if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, tenant.MinIOClientCSRName(), metav1.DeleteOptions{}); err != nil {
+				if err = c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, tenant.MinIOClientCSRName(), metav1.DeleteOptions{}); err != nil {
 					return err
 				}
 			}
@@ -169,7 +169,7 @@ func (c *Controller) checkKESCertificatesStatus(ctx context.Context, tenant *min
 					return err
 				}
 				// TLS secret not found, delete CSR if exists and start certificate generation process again
-				if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, tenant.KESCSRName(), metav1.DeleteOptions{}); err != nil {
+				if err = c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, tenant.KESCSRName(), metav1.DeleteOptions{}); err != nil {
 					return err
 				}
 			}
@@ -265,7 +265,7 @@ func (c *Controller) checkKESStatus(ctx context.Context, tenant *miniov2.Tenant,
 }
 
 func (c *Controller) checkAndCreateMinIOClientCSR(ctx context.Context, nsName types.NamespacedName, tenant *miniov2.Tenant) error {
-	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, tenant.MinIOClientCSRName(), metav1.GetOptions{}); err != nil {
+	if _, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, tenant.MinIOClientCSRName(), metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
 			if tenant, err = c.updateTenantStatus(ctx, tenant, StatusWaitingMinIOClientCert, 0); err != nil {
 				return err
@@ -284,7 +284,7 @@ func (c *Controller) checkAndCreateMinIOClientCSR(ctx context.Context, nsName ty
 }
 
 func (c *Controller) checkAndCreateKESCSR(ctx context.Context, nsName types.NamespacedName, tenant *miniov2.Tenant) error {
-	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, tenant.KESCSRName(), metav1.GetOptions{}); err != nil {
+	if _, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, tenant.KESCSRName(), metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
 			if tenant, err = c.updateTenantStatus(ctx, tenant, StatusWaitingKESCert, 0); err != nil {
 				return err

diff --git a/pkg/controller/cluster/main-controller.go b/pkg/controller/cluster/main-controller.go
@@ -539,7 +539,7 @@ func (c *Controller) syncHandler(key string) error {
 		if tenant.Spec.RequestAutoCert == nil && tenant.APIVersion != "" {
 			// If we get certificate signing requests for MinIO is safe to assume the Tenant v1 was deployed using AutoCert
 			// otherwise AutoCert will be false
-			tenantCSR, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, tenant.MinIOCSRName(), metav1.GetOptions{})
+			tenantCSR, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, tenant.MinIOCSRName(), metav1.GetOptions{})
 			if err != nil || tenantCSR == nil {
 				autoCertEnabled = false
 			}

diff --git a/pkg/controller/cluster/minio.go b/pkg/controller/cluster/minio.go
@@ -40,7 +40,7 @@ import (
 )
 
 func (c *Controller) checkAndCreateMinIOCSR(ctx context.Context, nsName types.NamespacedName, tenant *miniov2.Tenant) error {
-	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, tenant.MinIOCSRName(), metav1.GetOptions{}); err != nil {
+	if _, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, tenant.MinIOCSRName(), metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
 			if tenant, err = c.updateTenantStatus(ctx, tenant, StatusWaitingMinIOCert, 0); err != nil {
 				return err
@@ -68,7 +68,7 @@ func (c *Controller) checkMinIOCertificatesStatus(ctx context.Context, tenant *m
 					return err
 				}
 				// TLS secret not found, delete CSR if exists and start certificate generation process again
-				if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, tenant.MinIOCSRName(), metav1.DeleteOptions{}); err != nil {
+				if err = c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, tenant.MinIOCSRName(), metav1.DeleteOptions{}); err != nil {
 					return err
 				}
 			} else {

diff --git a/pkg/controller/cluster/operator.go b/pkg/controller/cluster/operator.go
@@ -88,7 +88,7 @@ func (c *Controller) generateTLSCert() (string, string) {
 					klog.Infof("Waiting for the operator certificates to be issued %v", err.Error())
 					time.Sleep(time.Second * 10)
 				} else {
-					if err = c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Delete(ctx, c.operatorCSRName(), metav1.DeleteOptions{}); err != nil {
+					if err = c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, c.operatorCSRName(), metav1.DeleteOptions{}); err != nil {
 						klog.Infof(err.Error())
 					}
 				}
@@ -233,7 +233,7 @@ func (c *Controller) createOperatorCSR(ctx context.Context, operator metav1.Obje
 }
 
 func (c *Controller) checkAndCreateOperatorCSR(ctx context.Context, operator metav1.Object) error {
-	if _, err := c.kubeClientSet.CertificatesV1().CertificateSigningRequests().Get(ctx, c.operatorCSRName(), metav1.GetOptions{}); err != nil {
+	if _, err := c.kubeClientSet.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, c.operatorCSRName(), metav1.GetOptions{}); err != nil {
 		if k8serrors.IsNotFound(err) {
 			klog.V(2).Infof("Creating a new Certificate Signing Request for Operator Server Certs, cluster %q")
 			if err = c.createOperatorCSR(ctx, operator); err != nil {