Issue kube-scheduler cert in nodeup

nodeup/pkg/model/context.go

@@ -17,6 +17,7 @@ limitations under the License.
 package model
 
 import (
+	"crypto/x509/pkix"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -27,7 +28,6 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/util"
 	"k8s.io/kops/pkg/apis/nodeup"
-	"k8s.io/kops/pkg/kubeconfig"
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
@@ -193,6 +193,33 @@ func (c *NodeupModelContext) KubeletKubeConfig() string {
 	return "/var/lib/kubelet/kubeconfig"
 }
 
+// BuildIssuedKubeconfig generates a kubeconfig with a locally issued client certificate
+func (c *NodeupModelContext) BuildIssuedKubeconfig(name string, subject pkix.Name, ctx *fi.ModelBuilderContext) *fi.TaskDependentResource {
+	issueCert := &nodetasks.IssueCert{
+		Name:    name,
+		Signer:  fi.CertificateIDCA,
+		Type:    "client",
+		Subject: subject,
+	}
+	ctx.AddTask(issueCert)
+	certResource, keyResource, caResource := issueCert.GetResources()
+
+	kubeConfig := &nodetasks.KubeConfig{
+		Name: name,
+		Cert: certResource,
+		Key:  keyResource,
+		CA:   caResource,
+	}
+	if c.IsMaster {
+		// @note: use https even for local connections, so we can turn off the insecure port
+		kubeConfig.ServerURL = "https://127.0.0.1"
+	} else {
+		kubeConfig.ServerURL = "https://" + c.Cluster.Spec.MasterInternalName
+	}
+	ctx.AddTask(kubeConfig)
+	return kubeConfig.GetConfig()
+}
+
 // BuildPKIKubeconfig generates a kubeconfig
 func (c *NodeupModelContext) BuildPKIKubeconfig(name string) (string, error) {
 	ca, err := c.GetCert(fi.CertificateIDCA)
@@ -215,54 +242,29 @@ func (c *NodeupModelContext) BuildPKIKubeconfig(name string) (string, error) {
 
 // BuildKubeConfig is responsible for building a kubeconfig
 func (c *NodeupModelContext) BuildKubeConfig(username string, ca, certificate, privateKey []byte) (string, error) {
-	user := kubeconfig.KubectlUser{
-		ClientCertificateData: certificate,
-		ClientKeyData:         privateKey,
-	}
-	cluster := kubeconfig.KubectlCluster{
-		CertificateAuthorityData: ca,
+	kubeConfig := &nodetasks.KubeConfig{
+		Name: username,
+		Cert: fi.NewBytesResource(certificate),
+		Key:  fi.NewBytesResource(privateKey),
+		CA:   fi.NewBytesResource(ca),
 	}
-
 	if c.IsMaster {
 		// @note: use https even for local connections, so we can turn off the insecure port
-		cluster.Server = "https://127.0.0.1"
+		kubeConfig.ServerURL = "https://127.0.0.1"
 	} else {
-		cluster.Server = "https://" + c.Cluster.Spec.MasterInternalName
-	}
-
-	config := &kubeconfig.KubectlConfig{
-		ApiVersion: "v1",
-		Kind:       "Config",
-		Users: []*kubeconfig.KubectlUserWithName{
-			{
-				Name: username,
-				User: user,
-			},
-		},
-		Clusters: []*kubeconfig.KubectlClusterWithName{
-			{
-				Name:    "local",
-				Cluster: cluster,
-			},
-		},
-		Contexts: []*kubeconfig.KubectlContextWithName{
-			{
-				Name: "service-account-context",
-				Context: kubeconfig.KubectlContext{
-					Cluster: "local",
-					User:    username,
-				},
-			},
-		},
-		CurrentContext: "service-account-context",
-	}
-
-	yaml, err := kops.ToRawYaml(config)
+		kubeConfig.ServerURL = "https://" + c.Cluster.Spec.MasterInternalName
+	}
+
+	err := kubeConfig.Run(nil)
 	if err != nil {
 		return "", fmt.Errorf("error marshaling kubeconfig to yaml: %v", err)
 	}
 
-	return string(yaml), nil
+	config, err := fi.ResourceAsString(kubeConfig.GetConfig())
+	if err != nil {
+		return "", err
+	}
+	return config, nil
 }
 
 // IsKubernetesGTE checks if the version is greater-than-or-equal

nodeup/pkg/model/kube_scheduler.go

@@ -17,13 +17,15 @@ limitations under the License.
 package model
 
 import (
+	"crypto/x509/pkix"
 	"fmt"
 	"strconv"
 
 	"k8s.io/kops/pkg/configbuilder"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/pkg/k8scodecs"
 	"k8s.io/kops/pkg/kubemanifest"
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 	"k8s.io/kops/util/pkg/exec"
@@ -83,14 +85,11 @@ func (b *KubeSchedulerBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	{
-		kubeconfig, err := b.BuildPKIKubeconfig("kube-scheduler")
-		if err != nil {
-			return err
-		}
+		kubeconfig := b.BuildIssuedKubeconfig("kube-scheduler", pkix.Name{CommonName: rbac.KubeScheduler}, c)
 
 		c.AddTask(&nodetasks.File{
 			Path:     "/var/lib/kube-scheduler/kubeconfig",
-			Contents: fi.NewStringResource(kubeconfig),
+			Contents: kubeconfig,
 			Type:     nodetasks.FileType_File,
 			Mode:     s("0400"),
 		})

nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml

@@ -63,25 +63,65 @@ mode: "0400"
 path: /var/lib/kube-scheduler/config.yaml
 type: file
 ---
-contents: |
-  apiVersion: v1
-  clusters:
-  - cluster:
-      certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNDZ0F3SUJBZ0lSQUxKWEFrVmo5NjR0cTY3d01TSThvSlF3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4TnpFeU1qY3lNelV5TkRCYUZ3MHlOekV5TWpjeQpNelV5TkRCYU1CVXhFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURnbkNrU210bm1meEVnUzNxTlBhVUNINVFPQkdESC9pbkhiV0NPRExCQ0s5Z2QKWEVjQmw3RlZ2OFQya0ZyMURZYjBIVkR0TUk3dGl4UlZGRExna3dObFczNHh3V2RaWEI3R2VvRmdVMXhXT1FTWQpPQUNDOEpnWVRRLzEzOUhCRXZncTRzZWo2N3ArL3MvU05jdzM0S2s3SEl1RmhsazFyUms1a01leEtJbEpCS1AxCllZVVlldHNKL1FwVU9rcUo1SFc0R29ldEU3Nll0SG5PUmZZdm55YnZpU01yaDJ3R0dhTjZyL3M0Q2hPYUliWkMKQW44L1lpUEtHSURhWkdwajZHWG5tWEFSUlgvVElkZ1NRa0x3dDBhVERCblBaNFh2dHBJOGFhTDhEWUpJcUF6QQpOUEgyYjQvdU55bGF0NWpEbzBiMEc1NGFnTWk5NysyQVVyQzlVVVhwQWdNQkFBR2pJekFoTUE0R0ExVWREd0VCCi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCVkdSMnIKaHpYelJNVTV3cmlQUUFKU2Nzek5PUnZvQnBYZlpvWjA5Rkl1cHVkRnhCVlUzZDRoVjlTdEtuUWdQU0dBNVhRTwpIRTk3K0J4SkR1QS9yQjVvQlVzTUJqYzd5MWNkZS9UNmhtaTNyTG9FWUJTblN1ZENPWEpFNEc5LzBmOGJ5QUplCnJOOCtObzFyMlZnWnZaaDZwNzRURWtYdi9sM0hCUFdNN0lkVVYwSE85SkRoU2dPVkYxZnlRS0p4UnVMSlI4anQKTzZtUEgyVVgwdk13VmE0anZ3dGtkZHFrMk9BZFlRdkg5cmJEampiemFpVzBLbm1kdWVSbzkyS0hBTjdCc0RaeQpWcFhIcHFvMUt6ZzdEM2ZwYVhDZjVzaTdscXFyZEpWWEg0SkM3Mnp4c1BlaHFnaThlSXVxT0JraURXbVJ4QXhoCjh5R2VSeDlBYmtuSGg0SWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-      server: https://127.0.0.1
-    name: local
-  contexts:
-  - context:
-      cluster: local
-      user: kube-scheduler
-    name: service-account-context
-  current-context: service-account-context
-  kind: Config
-  users:
-  - name: kube-scheduler
-    user:
-      client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNDZ0F3SUJBZ0lSQUxKWEFrVmo5NjR0cTY3d01TSThvSlF3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4TnpFeU1qY3lNelV5TkRCYUZ3MHlOekV5TWpjeQpNelV5TkRCYU1CVXhFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURnbkNrU210bm1meEVnUzNxTlBhVUNINVFPQkdESC9pbkhiV0NPRExCQ0s5Z2QKWEVjQmw3RlZ2OFQya0ZyMURZYjBIVkR0TUk3dGl4UlZGRExna3dObFczNHh3V2RaWEI3R2VvRmdVMXhXT1FTWQpPQUNDOEpnWVRRLzEzOUhCRXZncTRzZWo2N3ArL3MvU05jdzM0S2s3SEl1RmhsazFyUms1a01leEtJbEpCS1AxCllZVVlldHNKL1FwVU9rcUo1SFc0R29ldEU3Nll0SG5PUmZZdm55YnZpU01yaDJ3R0dhTjZyL3M0Q2hPYUliWkMKQW44L1lpUEtHSURhWkdwajZHWG5tWEFSUlgvVElkZ1NRa0x3dDBhVERCblBaNFh2dHBJOGFhTDhEWUpJcUF6QQpOUEgyYjQvdU55bGF0NWpEbzBiMEc1NGFnTWk5NysyQVVyQzlVVVhwQWdNQkFBR2pJekFoTUE0R0ExVWREd0VCCi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCVkdSMnIKaHpYelJNVTV3cmlQUUFKU2Nzek5PUnZvQnBYZlpvWjA5Rkl1cHVkRnhCVlUzZDRoVjlTdEtuUWdQU0dBNVhRTwpIRTk3K0J4SkR1QS9yQjVvQlVzTUJqYzd5MWNkZS9UNmhtaTNyTG9FWUJTblN1ZENPWEpFNEc5LzBmOGJ5QUplCnJOOCtObzFyMlZnWnZaaDZwNzRURWtYdi9sM0hCUFdNN0lkVVYwSE85SkRoU2dPVkYxZnlRS0p4UnVMSlI4anQKTzZtUEgyVVgwdk13VmE0anZ3dGtkZHFrMk9BZFlRdkg5cmJEampiemFpVzBLbm1kdWVSbzkyS0hBTjdCc0RaeQpWcFhIcHFvMUt6ZzdEM2ZwYVhDZjVzaTdscXFyZEpWWEg0SkM3Mnp4c1BlaHFnaThlSXVxT0JraURXbVJ4QXhoCjh5R2VSeDlBYmtuSGg0SWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-      client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNEp3cEVwclo1bjhSSUV0NmpUMmxBaCtVRGdSZ3gvNHB4MjFnamd5d1FpdllIVnhICkFaZXhWYi9FOXBCYTlRMkc5QjFRN1RDTzdZc1VWUlF5NEpNRFpWdCtNY0ZuV1Z3ZXhucUJZRk5jVmprRW1EZ0EKZ3ZDWUdFMFA5ZC9Sd1JMNEt1TEhvK3U2ZnY3UDBqWE1OK0NwT3h5TGhZWlpOYTBaT1pESHNTaUpTUVNqOVdHRgpHSHJiQ2YwS1ZEcEtpZVIxdUJxSHJSTyttTFI1emtYMkw1OG03NGtqSzRkc0JobWplcS83T0FvVG1pRzJRZ0ovClAySWp5aGlBMm1ScVkraGw1NWx3RVVWLzB5SFlFa0pDOExkR2t3d1p6MmVGNzdhU1BHbWkvQTJDU0tnTXdEVHgKOW0rUDdqY3BXcmVZdzZORzlCdWVHb0RJdmUvdGdGS3d2VkZGNlFJREFRQUJBb0lCQUEwa3RqYVRmeXJBeHNUSQpCZXpiN1pyNU5CVzU1ZHZ1SUkyOTljZDZNSm8rckkvVFJZaHZVdjQ4a1k4SUZYcC9oeVVqemdlREx1bnhtSWY5Ci9aZ3NvaWM5T2w0NC9nNDVtTWR1aGNHWVB6QUFlQ2RjSjVPQjlyUjlWZkRDWHlqWUxsTjhIOGlVMDczNHRUcU0KMFYxM3RROXpkU3FrR1BaT0ljcS9rUi9weWxiT1phUU1lOTdCVGxzQW5PTVNNS0RnbmZ0WTQxMjJMcTNHWXkrdAp2cHIrYktWYVFad3ZrTG9TVTNyRUNDYUthZ2hnd0N5WDdqZnQ5YUVraGRKditLbHdic0dZNldFcnZ4T2FMV0hkCmN1TVFqR2FwWTFGYS80VUQwMG12ckEyNjBOeUtmenJwNitQNDZSclZNd0VZUkpNSVE4WUJBazZONkhoN2RjMEcKOFo2aTFtMENnWUVBOUhlQ0pSMFRTd2JJUTFiRFhVcnpwZnRIdWlkRzVCblNCdGF4L05EOXFJUGhSL0ZCVzVuagoyMm53TGM0OEtreWlybGZJVUxkMGFlNHFWWEpuN3dmWWN1WC9jSk1MRG1TVnRsTTVEem1pLzkxeFJpRmdJengxCkFzYkJ6YUZqSVNQMkhwU2dMK2U5RnRTWGFhcWVaVnJmbGl0VmhZS1VwSS9BS1YzMXFHSGYwNHNDZ1lFQTZ6VFYKOTlTYjQ5V2RsbnM1SWdzZm5YbDZUb1J0dEIxOGxmRUtjVmZqQU00ZnJua2swNkpwRkFaZVIrOUdHS1VYWkhxcwp6MnFjcGx3NGQvbW9DQzZwM3JZUEJNTFhzckdORVVGWnFCbGd6NzJRQTZCQnEzWDBDZzFCYzJaYks1Vkl6d2tnClNUMlNTdXg2Y2NST2ZnVUxtTjVaaUxPdGRVS05FWnBGRjNpM3F0c0NnWUFEVC9zN2RZRmxhdG9iejNrbU1uWEsKc2ZUdTJNbGxIZFJ5czBZR0h1N1E4YmlEdVFraHJKd2h4UFcwS1M4M2c0SlF5bSswYUVmemgzNmJXY2wrdTZSNwpLaEtqKzlvU2Y5cG5kZ2szNDVnSnozNVJiUEpZaCtFdUFITnZ6ZGdDQXZLNngxakVUV2VLZjZidGo1cEYxVTFpClE0UU5Jdy9RaXdJWGpXWmV1YlRHc1FLQmdRQ2JkdUx1MnJMbmx5eUFhSlpNOERsSFp5SDJnQVhiQlpweHFVOFQKdDltdGtKRFVTL0tSaUVvWUdGVjlDcVMwYVhyYXlWTXNEZlhZNkIvUy9VdVpqTzV1N0x0a2xEenFPZjFhS0czUQpkR1hQS2lia25xcUpZSCtiblVOanVZWU5lckVUVjU3bGlqTUdIdVNZQ2Y4dndMbjNveEJmRVJSWDYxTS9EVThaCndvcnovUUtCZ1FEQ1RKSTIramRYZzI2WHVZVW1NNFhYZm5vY2Z6QVhoWEJVTHQxbkVOY29nTmYxZmNwdEFWdHUKQkFpejQvSGlwUUtxb1dWVVlteGZnYmJMUktLTEswczBsT1dLYllkVmpoRW0vbTJaVTh3dFhUYWdOd2tJR295cQpZL0MxTG94NGYxUk9KbkNqYy9oZmNPamN4WDVNOEE4cGVlY0hXbFZ0VVBLVEpneFE3b01LY3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+contents:
+  Resource: null
+  Task:
+    CA:
+      Resource: null
+      Task:
+        Name: kube-scheduler
+        signer: ca
+        subject:
+          CommonName: system:kube-scheduler
+          Country: null
+          ExtraNames: null
+          Locality: null
+          Names: null
+          Organization: null
+          OrganizationalUnit: null
+          PostalCode: null
+          Province: null
+          SerialNumber: ""
+          StreetAddress: null
+        type: client
+    Cert:
+      Resource: null
+      Task:
+        Name: kube-scheduler
+        signer: ca
+        subject:
+          CommonName: system:kube-scheduler
+          Country: null
+          ExtraNames: null
+          Locality: null
+          Names: null
+          Organization: null
+          OrganizationalUnit: null
+          PostalCode: null
+          Province: null
+          SerialNumber: ""
+          StreetAddress: null
+        type: client
+    Key:
+      Resource: null
+      Task:
+        Name: kube-scheduler
+        signer: ca
+        subject:
+          CommonName: system:kube-scheduler
+          Country: null
+          ExtraNames: null
+          Locality: null
+          Names: null
+          Organization: null
+          OrganizationalUnit: null
+          PostalCode: null
+          Province: null
+          SerialNumber: ""
+          StreetAddress: null
+        type: client
+    Name: kube-scheduler
+    ServerURL: https://127.0.0.1
 mode: "0400"
 path: /var/lib/kube-scheduler/kubeconfig
 type: file
@@ -91,3 +131,76 @@ ifNotExists: true
 mode: "0400"
 path: /var/log/kube-scheduler.log
 type: file
+---
+Name: kube-scheduler
+signer: ca
+subject:
+  CommonName: system:kube-scheduler
+  Country: null
+  ExtraNames: null
+  Locality: null
+  Names: null
+  Organization: null
+  OrganizationalUnit: null
+  PostalCode: null
+  Province: null
+  SerialNumber: ""
+  StreetAddress: null
+type: client
+---
+CA:
+  Resource: null
+  Task:
+    Name: kube-scheduler
+    signer: ca
+    subject:
+      CommonName: system:kube-scheduler
+      Country: null
+      ExtraNames: null
+      Locality: null
+      Names: null
+      Organization: null
+      OrganizationalUnit: null
+      PostalCode: null
+      Province: null
+      SerialNumber: ""
+      StreetAddress: null
+    type: client
+Cert:
+  Resource: null
+  Task:
+    Name: kube-scheduler
+    signer: ca
+    subject:
+      CommonName: system:kube-scheduler
+      Country: null
+      ExtraNames: null
+      Locality: null
+      Names: null
+      Organization: null
+      OrganizationalUnit: null
+      PostalCode: null
+      Province: null
+      SerialNumber: ""
+      StreetAddress: null
+    type: client
+Key:
+  Resource: null
+  Task:
+    Name: kube-scheduler
+    signer: ca
+    subject:
+      CommonName: system:kube-scheduler
+      Country: null
+      ExtraNames: null
+      Locality: null
+      Names: null
+      Organization: null
+      OrganizationalUnit: null
+      PostalCode: null
+      Province: null
+      SerialNumber: ""
+      StreetAddress: null
+    type: client
+Name: kube-scheduler
+ServerURL: https://127.0.0.1

pkg/model/pki.go

@@ -72,16 +72,6 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			Signer:    defaultCA,
 		})
 	}
-	{
-		t := &fitasks.Keypair{
-			Name:      fi.String("kube-scheduler"),
-			Lifecycle: b.Lifecycle,
-			Subject:   "cn=" + rbac.KubeScheduler,
-			Type:      "client",
-			Signer:    defaultCA,
-		}
-		c.AddTask(t)
-	}
 
 	{
 		t := &fitasks.Keypair{

upup/pkg/fi/nodeup/nodetasks/BUILD.bazel

@@ -11,6 +11,7 @@ go_library(
         "file.go",
         "group.go",
         "issue_cert.go",
+        "kubeconfig.go",
         "load_image.go",
         "package.go",
         "service.go",
@@ -20,7 +21,9 @@ go_library(
     importpath = "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/apis/kops:go_default_library",
         "//pkg/backoff:go_default_library",
+        "//pkg/kubeconfig:go_default_library",
         "//pkg/pki:go_default_library",
         "//upup/pkg/fi:go_default_library",
         "//upup/pkg/fi/nodeup/cloudinit:go_default_library",