From 17b4c196fe9bc845788bdf707f797b833cd7da2d Mon Sep 17 00:00:00 2001
From: Koichiro Den
Date: Sat, 8 Sep 2018 02:33:44 +0900
Subject: [PATCH] kubeadm: ensure leaf certs properly signed in CreateTree

---
 cmd/kubeadm/app/phases/certs/certlist.go | 32 +++++++++++-------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/cmd/kubeadm/app/phases/certs/certlist.go b/cmd/kubeadm/app/phases/certs/certlist.go
index 4874c2e10dc33..56d288ac2c945 100644
--- a/cmd/kubeadm/app/phases/certs/certlist.go
+++ b/cmd/kubeadm/app/phases/certs/certlist.go
@@ -103,14 +103,22 @@ type CertificateTree map[*KubeadmCert]Certificates
 // CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.
 func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
 for ca, leaves := range t {
- cfg, err := ca.GetConfig(ic)
+ caCert, caKey, err := LoadCertificateAuthority(ic.CertificatesDir, ca.BaseName)
 if err != nil {
- return err
- }
-
- caCert, caKey, err := NewCACertAndKey(cfg)
- if err != nil {
- return err
+ cfg, err := ca.GetConfig(ic)
+ caCert, caKey, err = NewCACertAndKey(cfg)
+ if err != nil {
+ return err
+ }
+ err = writeCertificateAuthorithyFilesIfNotExist(
+ ic.CertificatesDir,
+ ca.BaseName,
+ caCert,
+ caKey,
+ )
+ if err != nil {
+ return err
+ }
 }
 
 for _, leaf := range leaves {
@@ -118,16 +126,6 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
 return err
 }
 }
-
- err = writeCertificateAuthorithyFilesIfNotExist(
- ic.CertificatesDir,
- ca.BaseName,
- caCert,
- caKey,
- )
- if err != nil {
- return err
- }
 }
 return nil
 }
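Review bot: In the new fallback branch of the first hunk, the error from `cfg, err := ca.GetConfig(ic)` is overwritten by the next assignment without being checked, so a failed config lookup now reaches `NewCACertAndKey(cfg)` where the old code returned early; restore the guard with `if err != nil { return err }` directly after the `GetConfig` call. The same branch is entered on any `LoadCertificateAuthority` error, not only when the CA files are absent, so an unreadable or partially present CA also takes the generate-a-new-CA path. Whether `writeCertificateAuthorithyFilesIfNotExist` then rejects that case is not visible here, so a check that separates "missing" from "failed to load", or at least a comment stating the intended behaviour, would make the trust decision explicit. The leaf-signing loop body sits between the two hunks and is not shown.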