Merge pull request #9378 from johngmyers/refactor-certs-3

Issue aws-iam-authenticator cert in nodeup
kubernetes · Jun 18, 2020 · e7d5d32 · e7d5d32
2 parents f6e7180 + 23e2d14
commit e7d5d32
Show file tree

Hide file tree

Showing 10 changed files with 402 additions and 122 deletions.
diff --git a/nodeup/pkg/model/BUILD.bazel b/nodeup/pkg/model/BUILD.bazel
@@ -52,7 +52,6 @@ go_library(
         "//pkg/kubemanifest:go_default_library",
         "//pkg/model/components:go_default_library",
         "//pkg/nodelabels:go_default_library",
-        "//pkg/pki:go_default_library",
         "//pkg/rbac:go_default_library",
         "//pkg/systemd:go_default_library",
         "//pkg/tokens:go_default_library",

diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
@@ -245,46 +245,31 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte
 		}
 
 		{
-			certificate, err := b.NodeupModelContext.KeyStore.FindCert(id)
-			if err != nil {
-				return fmt.Errorf("error fetching %q certificate from keystore: %v", id, err)
-			}
-			if certificate == nil {
-				return fmt.Errorf("certificate %q not found", id)
-			}
-
-			certificateData, err := certificate.AsBytes()
-			if err != nil {
-				return fmt.Errorf("error encoding %q certificate: %v", id, err)
+			issueCert := &nodetasks.IssueCert{
+				Name:    id,
+				Signer:  fi.CertificateIDCA,
+				Type:    "server",
+				Subject: nodetasks.PKIXName{CommonName: id},
+				AlternateNames: []string{
+					"localhost",
+					"127.0.0.1",
+				},
 			}
+			c.AddTask(issueCert)
+			certificate, privateKey, _ := issueCert.GetResources()
 
 			c.AddTask(&nodetasks.File{
 				Path:     "/srv/kubernetes/aws-iam-authenticator/cert.pem",
-				Contents: fi.NewBytesResource(certificateData),
+				Contents: certificate,
 				Type:     nodetasks.FileType_File,
 				Mode:     fi.String("600"),
 				Owner:    fi.String("aws-iam-authenticator"),
 				Group:    fi.String("aws-iam-authenticator"),
 			})
-		}
-
-		{
-			privateKey, err := b.NodeupModelContext.KeyStore.FindPrivateKey(id)
-			if err != nil {
-				return fmt.Errorf("error fetching %q private key from keystore: %v", id, err)
-			}
-			if privateKey == nil {
-				return fmt.Errorf("private key %q not found", id)
-			}
-
-			keyData, err := privateKey.AsBytes()
-			if err != nil {
-				return fmt.Errorf("error encoding %q private key: %v", id, err)
-			}
 
 			c.AddTask(&nodetasks.File{
 				Path:     "/srv/kubernetes/aws-iam-authenticator/key.pem",
-				Contents: fi.NewBytesResource(keyData),
+				Contents: privateKey,
 				Type:     nodetasks.FileType_File,
 				Mode:     fi.String("600"),
 				Owner:    fi.String("aws-iam-authenticator"),

diff --git a/nodeup/pkg/model/kube_apiserver_test.go b/nodeup/pkg/model/kube_apiserver_test.go
@@ -190,3 +190,10 @@ func TestKubeAPIServerBuilder(t *testing.T) {
 		return builder.Build(target)
 	})
 }
+
+func TestAwsIamAuthenticator(t *testing.T) {
+	RunGoldenTest(t, "tests/golden/awsiam", "kube-apiserver", func(nodeupModelContext *NodeupModelContext, target *fi.ModelBuilderContext) error {
+		builder := KubeAPIServerBuilder{NodeupModelContext: nodeupModelContext}
+		return builder.Build(target)
+	})
+}
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
@@ -17,7 +17,6 @@ limitations under the License.
 package model
 
 import (
-	"crypto/x509/pkix"
 	"fmt"
 	"path"
 	"path/filepath"
@@ -34,7 +33,6 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/pkg/nodelabels"
-	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
@@ -113,11 +111,10 @@ func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
 			if b.IsMaster {
 				klog.V(3).Info("kubelet bootstrap tokens are enabled and running on a master")
 
-				task, err := b.buildMasterKubeletKubeconfig()
+				err := b.buildMasterKubeletKubeconfig(c)
 				if err != nil {
 					return err
 				}
-				c.AddTask(task)
 			}
 		} else {
 			kubeconfig, err := b.BuildPKIKubeconfig("kubelet")
@@ -553,49 +550,23 @@ func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, erro
 }
 
 // buildMasterKubeletKubeconfig builds a kubeconfig for the master kubelet, self-signing the kubelet cert
-func (b *KubeletBuilder) buildMasterKubeletKubeconfig() (*nodetasks.File, error) {
+func (b *KubeletBuilder) buildMasterKubeletKubeconfig(c *fi.ModelBuilderContext) error {
 	nodeName, err := b.NodeName()
 	if err != nil {
-		return nil, fmt.Errorf("error getting NodeName: %v", err)
+		return fmt.Errorf("error getting NodeName: %v", err)
 	}
-
-	req := &pki.IssueCertRequest{
-		Signer: fi.CertificateIDCA,
-		Type:   "client",
-		Subject: pkix.Name{
-			CommonName:   fmt.Sprintf("system:node:%s", nodeName),
-			Organization: []string{rbac.NodesGroup},
-		},
-		MinValidDays: 455,
-	}
-
-	certificate, privateKey, caCert, err := pki.IssueCert(req, b.KeyStore)
-	if err != nil {
-		return nil, fmt.Errorf("error signing certificate for master kubelet: %v", err)
-	}
-
-	caBytes, err := caCert.AsBytes()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get certificate authority data: %s", err)
-	}
-	certBytes, err := certificate.AsBytes()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get certificate data: %s", err)
-	}
-	keyBytes, err := privateKey.AsBytes()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get private key data: %s", err)
-	}
-
-	content, err := b.BuildKubeConfig("kubelet", caBytes, certBytes, keyBytes)
-	if err != nil {
-		return nil, err
+	certName := nodetasks.PKIXName{
+		CommonName:   fmt.Sprintf("system:node:%s", nodeName),
+		Organization: []string{rbac.NodesGroup},
 	}
 
-	return &nodetasks.File{
+	kubeconfig := b.BuildIssuedKubeconfig("kubelet", certName, c)
+	c.AddTask(&nodetasks.File{
 		Path:     b.KubeletKubeConfig(),
-		Contents: fi.NewStringResource(content),
+		Contents: kubeconfig,
 		Type:     nodetasks.FileType_File,
 		Mode:     s("600"),
-	}, nil
+	})
+
+	return nil
 }
diff --git a/nodeup/pkg/model/tests/golden/awsiam/cluster.yaml b/nodeup/pkg/model/tests/golden/awsiam/cluster.yaml
@@ -0,0 +1,68 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  name: minimal.example.com
+spec:
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  authentication:
+    aws: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/minimal.example.com
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: main
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/minimal.example.com/backups/etcd-main
+  - cpuRequest: 100m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: events
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/minimal.example.com/backups/etcd-events
+  kubelet:
+    anonymousAuth: false
+  kubernetesVersion: v1.18.0
+  masterInternalName: api.internal.minimal.example.com
+  masterPublicName: api.minimal.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kubenet: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+    - 0.0.0.0/0
+  topology:
+    masters: public
+    nodes: public
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: master-us-test-1a
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+spec:
+  associatePublicIp: true
+  image: ami-1234
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a