metropolis/node/core/rpc: decouple from pki

Change-Id: I15d3e7d1142f0f95081e73c985d96f8d103df55e
Reviewed-on: https://review.monogon.dev/c/monogon/+/1961
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/core/rpc/BUILD.bazel b/metropolis/node/core/rpc/BUILD.bazel
index e1017d7..bdddb1e 100644
--- a/metropolis/node/core/rpc/BUILD.bazel
+++ b/metropolis/node/core/rpc/BUILD.bazel
@@ -15,7 +15,6 @@
     deps = [
         "//metropolis/node/core/identity",
         "//metropolis/pkg/logtree",
-        "//metropolis/pkg/pki",
         "//metropolis/proto/api",
         "//metropolis/proto/ext",
         "@org_golang_google_grpc//:go_default_library",
diff --git a/metropolis/node/core/rpc/client.go b/metropolis/node/core/rpc/client.go
index 656fee5..aeaed7e 100644
--- a/metropolis/node/core/rpc/client.go
+++ b/metropolis/node/core/rpc/client.go
@@ -14,10 +14,20 @@
 	"google.golang.org/grpc/status"
 
 	"source.monogon.dev/metropolis/node/core/identity"
-	"source.monogon.dev/metropolis/pkg/pki"
 	apb "source.monogon.dev/metropolis/proto/api"
 )
 
+// UnknownNotAfter is a copy of //metroplis/pkg/pki.UnknownNotAfter.
+//
+// We copy it so that we can decouple the rpc package from the pki package, the
+// former being used by metroctl (and thus needing to be portable), the latter
+// having a dependency on fileargs (which isn't portable). The correct solution
+// here is to clarify portability policy of each workspace path, and apply it.
+// But this will do for now.
+//
+// TODO(issues/252): clean up and merge this back.
+var UnknownNotAfter = time.Unix(253402300799, 0)
+
 type verifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
 
 func verifyClusterCertificateAndNodeID(ca *x509.Certificate, nodeID string) verifyPeerCertificate {
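Review bot: The added `UnknownNotAfter` is an exported, mutable package-level `var`, so any importer of rpc can reassign it and silently change the `NotAfter` of certificates built from the template in the next hunk. Because it is a copy, it can also drift from the pki value until the TODO is resolved. If nothing outside the package reads it (not visible in this diff), unexport it, e.g. `var unknownNotAfter = time.Unix(253402300799, 0)`, and update the use in the template to match. The doc comment should also say what the number means: `// 9999-12-31T23:59:59Z, the RFC 5280 value for a certificate with no well-defined expiration date.` Separately, `//metroplis/pkg/pki` in the comment is misspelled and should read `//metropolis/pkg/pki`.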
@@ -70,7 +80,7 @@
 	template := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		NotBefore:    time.Now(),
-		NotAfter:     pki.UnknownNotAfter,
+		NotAfter:     UnknownNotAfter,
 
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},