Merge pull request #2554 from georgejdli/fix-sa-token-signing

Fix kubespray's ServiceAccount token signing keys

roles/kubernetes/secrets/files/make-ssl.sh

@@ -82,6 +82,17 @@ gen_key_and_cert() {
 
 # Admins
 if [ -n "$MASTERS" ]; then
+
+    # service-account
+    # If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions
+    if [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
+       cp $SSLDIR/apiserver-key.pem $SSLDIR/service-account-key.pem
+    fi
+    # Generate dedicated service account signing key if one doesn't exist
+    if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
+        openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
+    fi
+
     # kube-apiserver
     # Generate only if we don't have existing ca and apiserver certs
     if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -75,6 +75,7 @@
                        'kube-controller-manager-key.pem',
                        'front-proxy-client.pem',
                        'front-proxy-client-key.pem',
+                       'service-account-key.pem',
                        {% for node in groups['kube-master'] %}
                        'admin-{{ node }}.pem',
                        'admin-{{ node }}-key.pem',
@@ -86,6 +87,7 @@
                       'apiserver-key.pem',
                       'front-proxy-client.pem',
                       'front-proxy-client-key.pem',
+                      'service-account-key.pem',
                       'kube-scheduler.pem',
                       'kube-scheduler-key.pem',
                       'kube-controller-manager.pem',