Rename the "ca" keyset to "kubernetes-ca"

cmd/kops/create_keypair.go

@@ -80,8 +80,8 @@ type CreateKeypairOptions struct {
 
 var rotatableKeysets = sets.NewString(
 	"apiserver-aggregator-ca",
-	"ca",
 	"etcd-clients-ca-cilium",
+	"kubernetes-ca",
 	"service-account",
 )
 
@@ -177,7 +177,7 @@ func RunCreateKeypair(ctx context.Context, f *util.Factory, out io.Writer, optio
 		}
 
 		commonName := options.Keyset
-		if commonName == "ca" {
+		if commonName == "kubernetes-ca" {
 			commonName = "kubernetes"
 		}
 		req := pki.IssueCertRequest{

nodeup/pkg/model/kubelet_test.go

@@ -288,8 +288,8 @@ func BuildNodeupModelContext(model *testutils.Model) (*NodeupModelContext, error
 	}
 
 	// Are we mocking out too much of the apply_cluster logic?
-	nodeupModelContext.NodeupConfig.CAs["ca"] = dummyCertificate + nextCertificate
-	nodeupModelContext.NodeupConfig.KeypairIDs["ca"] = "3"
+	nodeupModelContext.NodeupConfig.CAs["kubernetes-ca"] = dummyCertificate + nextCertificate
+	nodeupModelContext.NodeupConfig.KeypairIDs["kubernetes-ca"] = "3"
 
 	if nodeupModelContext.NodeupConfig.APIServerConfig != nil {
 		saPublicKeys, _ := rotatingPrivateKeyset().ToPublicKeys()
@@ -379,15 +379,15 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
 	keystore.T = t
 	saKeyset, _ := rotatingPrivateKeyset().ToAPIObject("service-account", true)
 	keystore.privateKeysets = map[string]*kops.Keyset{
-		"ca":                      simplePrivateKeyset(dummyCertificate, dummyKey),
+		"kubernetes-ca":           simplePrivateKeyset(dummyCertificate, dummyKey),
 		"apiserver-aggregator-ca": simplePrivateKeyset(dummyCertificate, dummyKey),
 		"kube-controller-manager": simplePrivateKeyset(dummyCertificate, dummyKey),
 		"kube-proxy":              simplePrivateKeyset(dummyCertificate, dummyKey),
 		"kube-scheduler":          simplePrivateKeyset(dummyCertificate, dummyKey),
 		"service-account":         saKeyset,
 	}
 	keystore.certs = map[string]*pki.Certificate{
-		"ca":                      mustParseCertificate(dummyCertificate),
+		"kubernetes-ca":           mustParseCertificate(dummyCertificate),
 		"apiserver-aggregator-ca": mustParseCertificate(dummyCertificate),
 		"kube-controller-manager": mustParseCertificate(dummyCertificate),
 		"kube-proxy":              mustParseCertificate(dummyCertificate),

pkg/model/bootstrapscript.go

@@ -212,7 +212,7 @@ func (b *BootstrapScript) buildEnvironmentVariables(cluster *kops.Cluster) (map[
 // ResourceNodeUp generates and returns a nodeup (bootstrap) script from a
 // template file, substituting in specific env vars & cluster spec configuration
 func (b *BootstrapScriptBuilder) ResourceNodeUp(c *fi.ModelBuilderContext, ig *kops.InstanceGroup) (fi.Resource, error) {
-	keypairs := []string{"ca"}
+	keypairs := []string{"kubernetes-ca"}
 	if model.UseCiliumEtcd(b.Cluster) {
 		keypairs = append(keypairs, "etcd-clients-ca-cilium")
 		if !model.UseKopsControllerForNodeBootstrap(b.Cluster) {

upup/pkg/fi/ca.go

@@ -31,7 +31,7 @@ import (
 	"k8s.io/kops/util/pkg/vfs"
 )
 
-const CertificateIDCA = "ca"
+const CertificateIDCA = "kubernetes-ca"
 
 const (
 	// SecretNameSSHPrimary is the Name for the primary SSH key

upup/pkg/fi/vfs_castore.go

@@ -216,15 +216,23 @@ func (c *VFSCAStore) FindPrimaryKeypair(name string) (*pki.Certificate, *pki.Pri
 	return FindPrimaryKeypair(c, name)
 }
 
+var legacyKeysetMappings = map[string]string{
+	// The strange name is because kOps prior to 1.19 used the api-server TLS key for this.
+	"service-account": "master",
+	// Renamed in kOps 1.22
+	"kubernetes-ca": "ca",
+}
+
 func (c *VFSCAStore) FindKeyset(id string) (*Keyset, error) {
 	certs, err := c.loadKeyset(c.buildCertificatePoolPath(id))
 
-	if (certs == nil || os.IsNotExist(err)) && id == "service-account" {
-		// The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
-		id = "master"
-		certs, err = c.loadKeyset(c.buildCertificatePoolPath(id))
-		if certs != nil {
-			certs.LegacyFormat = true
+	if certs == nil || os.IsNotExist(err) {
+		if legacyId := legacyKeysetMappings[id]; legacyId != "" {
+			certs, err = c.loadKeyset(c.buildCertificatePoolPath(legacyId))
+			if certs != nil {
+				id = legacyId
+				certs.LegacyFormat = true
+			}
 		}
 	}
 

upup/pkg/fi/vfs_castore_test.go

@@ -82,7 +82,7 @@ func TestVFSCAStoreRoundTrip(t *testing.T) {
 			},
 			Primary: item,
 		}
-		if err := s.StoreKeyset("ca", keyset); err != nil {
+		if err := s.StoreKeyset("kubernetes-ca", keyset); err != nil {
 			t.Fatalf("error from StoreKeyset: %v", err)
 		}
 	}
@@ -98,8 +98,8 @@ func TestVFSCAStoreRoundTrip(t *testing.T) {
 	}
 
 	for _, p := range []string{
-		"memfs://tests/issued/ca/keyset.yaml",
-		"memfs://tests/private/ca/keyset.yaml",
+		"memfs://tests/issued/kubernetes-ca/keyset.yaml",
+		"memfs://tests/private/kubernetes-ca/keyset.yaml",
 	} {
 		if _, found := pathMap[p]; !found {
 			t.Fatalf("file not found: %v", p)
@@ -110,19 +110,19 @@ func TestVFSCAStoreRoundTrip(t *testing.T) {
 		t.Fatalf("unexpected pathMap: %v", pathMap)
 	}
 
-	// Check issued/ca/keyset.yaml round-tripped
+	// Check issued/kubernetes-ca/keyset.yaml round-tripped
 	{
-		issuedKeysetYaml, err := pathMap["memfs://tests/issued/ca/keyset.yaml"].ReadFile()
+		issuedKeysetYaml, err := pathMap["memfs://tests/issued/kubernetes-ca/keyset.yaml"].ReadFile()
 		if err != nil {
-			t.Fatalf("error reading file memfs://tests/issued/ca/keyset.yaml: %v", err)
+			t.Fatalf("error reading file memfs://tests/issued/kubernetes-ca/keyset.yaml: %v", err)
 		}
 
 		expected := `
 apiVersion: kops.k8s.io/v1alpha2
 kind: Keyset
 metadata:
   creationTimestamp: null
-  name: ca
+  name: kubernetes-ca
 spec:
   keys:
   - id: "237054359138908419352140518924933177492"
@@ -135,7 +135,7 @@ spec:
 			t.Fatalf("unexpected issued/ca/keyset.yaml: %q", string(issuedKeysetYaml))
 		}
 
-		keyset, err := s.FindKeyset("ca")
+		keyset, err := s.FindKeyset("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate keyset: %v", err)
 		}
@@ -154,19 +154,19 @@ spec:
 		}
 	}
 
-	// Check private/ca/keyset.yaml round-tripped
+	// Check private/kubernetes-ca/keyset.yaml round-tripped
 	{
-		privateKeysetYaml, err := pathMap["memfs://tests/private/ca/keyset.yaml"].ReadFile()
+		privateKeysetYaml, err := pathMap["memfs://tests/private/kubernetes-ca/keyset.yaml"].ReadFile()
 		if err != nil {
-			t.Fatalf("error reading file memfs://tests/private/ca/keyset.yaml: %v", err)
+			t.Fatalf("error reading file memfs://tests/private/kubernetes-ca/keyset.yaml: %v", err)
 		}
 
 		expected := `
 apiVersion: kops.k8s.io/v1alpha2
 kind: Keyset
 metadata:
   creationTimestamp: null
-  name: ca
+  name: kubernetes-ca
 spec:
   keys:
   - id: "237054359138908419352140518924933177492"
@@ -180,7 +180,7 @@ spec:
 			t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 		}
 
-		key, err := s.FindPrivateKey("ca")
+		key, err := s.FindPrivateKey("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate pool: %v", err)
 		}
@@ -242,7 +242,7 @@ func TestVFSCAStoreRoundTripWithVault(t *testing.T) {
 		},
 		Primary: item,
 	}
-	if err := s.StoreKeyset("ca", keyset); err != nil {
+	if err := s.StoreKeyset("kubernetes-ca", keyset); err != nil {
 		t.Fatalf("error from StoreKeyset: %v", err)
 	}
 
@@ -295,7 +295,7 @@ spec:
 			t.Fatalf("unexpected issued/ca/keyset.yaml: %q", string(issuedKeysetYaml))
 		}
 
-		keyset, err := s.FindKeyset("ca")
+		keyset, err := s.FindKeyset("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate keyset: %v", err)
 		}
@@ -339,7 +339,7 @@ spec:
 			t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 		}
 
-		key, err := s.FindPrivateKey("ca")
+		key, err := s.FindPrivateKey("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate pool: %v", err)
 		}