Revert "scripts/create_container: fix cockroachdb startup"
This reverts commit 25aee769a555d34ae3c9f12560a8a29986601034.
This was uh messed up in phabricator and contains changes that shouldn't
have landed.
Test Plan: it's a revert.
X-Origin-Diff: phab/D567
GitOrigin-RevId: 0dee3a91f708a9c2aba6cc7dbc929c3c887647c3
diff --git a/core/internal/kubernetes/BUILD.bazel b/core/internal/kubernetes/BUILD.bazel
index 97387df..f3304cc 100644
--- a/core/internal/kubernetes/BUILD.bazel
+++ b/core/internal/kubernetes/BUILD.bazel
@@ -4,6 +4,7 @@
name = "go_default_library",
srcs = [
"apiserver.go",
+ "auth.go",
"controller-manager.go",
"csi.go",
"kubelet.go",
@@ -18,7 +19,6 @@
"//core/internal/common:go_default_library",
"//core/internal/common/supervisor:go_default_library",
"//core/internal/consensus:go_default_library",
- "//core/internal/kubernetes/pki:go_default_library",
"//core/internal/kubernetes/reconciler:go_default_library",
"//core/internal/storage:go_default_library",
"//core/pkg/fileargs:go_default_library",
@@ -39,6 +39,7 @@
"@io_k8s_client_go//kubernetes/typed/core/v1:go_default_library",
"@io_k8s_client_go//tools/cache:go_default_library",
"@io_k8s_client_go//tools/clientcmd:go_default_library",
+ "@io_k8s_client_go//tools/clientcmd/api:go_default_library",
"@io_k8s_client_go//tools/record:go_default_library",
"@io_k8s_client_go//tools/reference:go_default_library",
"@io_k8s_client_go//util/workqueue:go_default_library",
diff --git a/core/internal/kubernetes/apiserver.go b/core/internal/kubernetes/apiserver.go
index b5bab3d..9bc32f3 100644
--- a/core/internal/kubernetes/apiserver.go
+++ b/core/internal/kubernetes/apiserver.go
@@ -27,11 +27,11 @@
"path"
"git.monogon.dev/source/nexantic.git/core/internal/common"
- "git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
- "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
- "git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
"go.etcd.io/etcd/clientv3"
+
+ "git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
+ "git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
)
type apiserverConfig struct {
@@ -52,12 +52,12 @@
func getPKIApiserverConfig(consensusKV clientv3.KV) (*apiserverConfig, error) {
var config apiserverConfig
var err error
- config.idCA, _, err = pki.GetCert(consensusKV, "id-ca")
- config.kubeletClientCert, config.kubeletClientKey, err = pki.GetCert(consensusKV, "kubelet-client")
- config.aggregationCA, _, err = pki.GetCert(consensusKV, "aggregation-ca")
- config.aggregationClientCert, config.aggregationClientKey, err = pki.GetCert(consensusKV, "front-proxy-client")
- config.serverCert, config.serverKey, err = pki.GetCert(consensusKV, "apiserver")
- saPrivkey, err := consensusKV.Get(context.Background(), path.Join(pki.EtcdPath, "service-account-privkey.der"))
+ config.idCA, _, err = getCert(consensusKV, "id-ca")
+ config.kubeletClientCert, config.kubeletClientKey, err = getCert(consensusKV, "kubelet-client")
+ config.aggregationCA, _, err = getCert(consensusKV, "aggregation-ca")
+ config.aggregationClientCert, config.aggregationClientKey, err = getCert(consensusKV, "front-proxy-client")
+ config.serverCert, config.serverKey, err = getCert(consensusKV, "apiserver")
+ saPrivkey, err := consensusKV.Get(context.Background(), path.Join(etcdPath, "service-account-privkey.der"))
if err != nil {
return nil, fmt.Errorf("failed to get serviceaccount privkey: %w", err)
}
diff --git a/core/internal/kubernetes/pki/auth.go b/core/internal/kubernetes/auth.go
similarity index 76%
rename from core/internal/kubernetes/pki/auth.go
rename to core/internal/kubernetes/auth.go
index 21d998c..fe2fe59 100644
--- a/core/internal/kubernetes/pki/auth.go
+++ b/core/internal/kubernetes/auth.go
@@ -14,7 +14,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package pki
+package kubernetes
import (
"context"
@@ -28,7 +28,6 @@
"encoding/asn1"
"encoding/pem"
"fmt"
- "io/ioutil"
"math/big"
"net"
"os"
@@ -43,7 +42,7 @@
)
const (
- EtcdPath = "/kube-pki/"
+ etcdPath = "/kube-pki/"
)
var (
@@ -53,7 +52,7 @@
// Directly derived from Kubernetes PKI requirements documented at
// https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually
-func ClientCertTemplate(identity string, groups []string) x509.Certificate {
+func clientCertTemplate(identity string, groups []string) x509.Certificate {
return x509.Certificate{
Subject: pkix.Name{
CommonName: identity,
@@ -63,7 +62,7 @@
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
}
-func ServerCertTemplate(dnsNames []string, ips []net.IP) x509.Certificate {
+func serverCertTemplate(dnsNames []string, ips []net.IP) x509.Certificate {
return x509.Certificate{
Subject: pkix.Name{},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
@@ -134,8 +133,8 @@
}
func storeCert(consensusKV clientv3.KV, name string, cert []byte, key []byte) error {
- certPath := path.Join(EtcdPath, fmt.Sprintf("%v-cert.der", name))
- keyPath := path.Join(EtcdPath, fmt.Sprintf("%v-key.der", name))
+ certPath := path.Join(etcdPath, fmt.Sprintf("%v-cert.der", name))
+ keyPath := path.Join(etcdPath, fmt.Sprintf("%v-key.der", name))
if _, err := consensusKV.Put(context.Background(), certPath, string(cert)); err != nil {
return fmt.Errorf("failed to store certificate: %w", err)
}
@@ -145,9 +144,9 @@
return nil
}
-func GetCert(consensusKV clientv3.KV, name string) (cert []byte, key []byte, err error) {
- certPath := path.Join(EtcdPath, fmt.Sprintf("%v-cert.der", name))
- keyPath := path.Join(EtcdPath, fmt.Sprintf("%v-key.der", name))
+func getCert(consensusKV clientv3.KV, name string) (cert []byte, key []byte, err error) {
+ certPath := path.Join(etcdPath, fmt.Sprintf("%v-cert.der", name))
+ keyPath := path.Join(etcdPath, fmt.Sprintf("%v-key.der", name))
certRes, err := consensusKV.Get(context.Background(), certPath)
if err != nil {
err = fmt.Errorf("failed to get certificate: %w", err)
@@ -167,8 +166,8 @@
return
}
-func GetSingle(consensusKV clientv3.KV, name string) ([]byte, error) {
- res, err := consensusKV.Get(context.Background(), path.Join(EtcdPath, name))
+func getSingle(consensusKV clientv3.KV, name string) ([]byte, error) {
+ res, err := consensusKV.Get(context.Background(), path.Join(etcdPath, name))
if err != nil {
return []byte{}, fmt.Errorf("failed to get PKI item: %w", err)
}
@@ -183,7 +182,7 @@
// the need for revocation and makes the logic much simpler. Thus PKI data can NEVER be stored
// outside of etcd or other secure storage locations. All PKI data is stored in DER form and not
// PEM encoded since that would require more logic to deal with it.
-func NewCluster(consensusKV clientv3.KV) error {
+func newCluster(consensusKV clientv3.KV) error {
// This whole issuance procedure is pretty repetitive, but abstracts badly because a lot of it
// is subtly different.
idCA, idKey, err := newCA("Smalltown Kubernetes ID CA")
@@ -210,14 +209,14 @@
if err != nil {
panic(err) // Always a programmer error
}
- _, err = consensusKV.Put(context.Background(), path.Join(EtcdPath, "service-account-privkey.der"),
+ _, err = consensusKV.Put(context.Background(), path.Join(etcdPath, "service-account-privkey.der"),
string(serviceAccountPrivKey))
if err != nil {
return fmt.Errorf("failed to store service-account-privkey.der: %w", err)
}
- apiserverCert, apiserverKey, err := IssueCertificate(
- ServerCertTemplate([]string{
+ apiserverCert, apiserverKey, err := issueCertificate(
+ serverCertTemplate([]string{
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
@@ -235,8 +234,8 @@
return err
}
- kubeletClientCert, kubeletClientKey, err := IssueCertificate(
- ClientCertTemplate("smalltown:apiserver-kubelet-client", []string{}),
+ kubeletClientCert, kubeletClientKey, err := issueCertificate(
+ clientCertTemplate("smalltown:apiserver-kubelet-client", []string{}),
idCA, idKey,
)
if err != nil {
@@ -246,8 +245,8 @@
return err
}
- frontProxyClientCert, frontProxyClientKey, err := IssueCertificate(
- ClientCertTemplate("front-proxy-client", []string{}),
+ frontProxyClientCert, frontProxyClientKey, err := issueCertificate(
+ clientCertTemplate("front-proxy-client", []string{}),
aggregationCA, aggregationKey,
)
if err != nil {
@@ -257,28 +256,28 @@
return err
}
- controllerManagerClientCert, controllerManagerClientKey, err := IssueCertificate(
- ClientCertTemplate("system:kube-controller-manager", []string{}),
+ controllerManagerClientCert, controllerManagerClientKey, err := issueCertificate(
+ clientCertTemplate("system:kube-controller-manager", []string{}),
idCA, idKey,
)
if err != nil {
return fmt.Errorf("failed to issue certificate for controller-manager client: %w", err)
}
- controllerManagerKubeconfig, err := MakeLocalKubeconfig(idCA, controllerManagerClientCert,
+ controllerManagerKubeconfig, err := makeLocalKubeconfig(idCA, controllerManagerClientCert,
controllerManagerClientKey)
if err != nil {
return fmt.Errorf("failed to create kubeconfig for controller-manager: %w", err)
}
- _, err = consensusKV.Put(context.Background(), path.Join(EtcdPath, "controller-manager.kubeconfig"),
+ _, err = consensusKV.Put(context.Background(), path.Join(etcdPath, "controller-manager.kubeconfig"),
string(controllerManagerKubeconfig))
if err != nil {
return fmt.Errorf("failed to store controller-manager kubeconfig: %w", err)
}
- controllerManagerCert, controllerManagerKey, err := IssueCertificate(
- ServerCertTemplate([]string{"kube-controller-manager.local"}, []net.IP{}),
+ controllerManagerCert, controllerManagerKey, err := issueCertificate(
+ serverCertTemplate([]string{"kube-controller-manager.local"}, []net.IP{}),
idCA, idKey,
)
if err != nil {
@@ -288,27 +287,27 @@
return err
}
- schedulerClientCert, schedulerClientKey, err := IssueCertificate(
- ClientCertTemplate("system:kube-scheduler", []string{}),
+ schedulerClientCert, schedulerClientKey, err := issueCertificate(
+ clientCertTemplate("system:kube-scheduler", []string{}),
idCA, idKey,
)
if err != nil {
return fmt.Errorf("failed to issue certificate for scheduler client: %w", err)
}
- schedulerKubeconfig, err := MakeLocalKubeconfig(idCA, schedulerClientCert, schedulerClientKey)
+ schedulerKubeconfig, err := makeLocalKubeconfig(idCA, schedulerClientCert, schedulerClientKey)
if err != nil {
return fmt.Errorf("failed to create kubeconfig for scheduler: %w", err)
}
- _, err = consensusKV.Put(context.Background(), path.Join(EtcdPath, "scheduler.kubeconfig"),
+ _, err = consensusKV.Put(context.Background(), path.Join(etcdPath, "scheduler.kubeconfig"),
string(schedulerKubeconfig))
if err != nil {
return fmt.Errorf("failed to store controller-manager kubeconfig: %w", err)
}
- schedulerCert, schedulerKey, err := IssueCertificate(
- ServerCertTemplate([]string{"kube-scheduler.local"}, []net.IP{}),
+ schedulerCert, schedulerKey, err := issueCertificate(
+ serverCertTemplate([]string{"kube-scheduler.local"}, []net.IP{}),
idCA, idKey,
)
if err != nil {
@@ -318,21 +317,21 @@
return err
}
- masterClientCert, masterClientKey, err := IssueCertificate(
- ClientCertTemplate("smalltown:master", []string{"system:masters"}),
+ masterClientCert, masterClientKey, err := issueCertificate(
+ clientCertTemplate("smalltown:master", []string{"system:masters"}),
idCA, idKey,
)
if err != nil {
return fmt.Errorf("failed to issue certificate for master client: %w", err)
}
- masterClientKubeconfig, err := MakeLocalKubeconfig(idCA, masterClientCert,
+ masterClientKubeconfig, err := makeLocalKubeconfig(idCA, masterClientCert,
masterClientKey)
if err != nil {
return fmt.Errorf("failed to create kubeconfig for master client: %w", err)
}
- _, err = consensusKV.Put(context.Background(), path.Join(EtcdPath, "master.kubeconfig"),
+ _, err = consensusKV.Put(context.Background(), path.Join(etcdPath, "master.kubeconfig"),
string(masterClientKubeconfig))
if err != nil {
return fmt.Errorf("failed to store master kubeconfig: %w", err)
@@ -349,7 +348,7 @@
return nil
}
-func IssueCertificate(template x509.Certificate, caCert []byte, privateKey interface{}) (cert []byte, privkey []byte, err error) {
+func issueCertificate(template x509.Certificate, caCert []byte, privateKey interface{}) (cert []byte, privkey []byte, err error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
@@ -381,7 +380,7 @@
return
}
-func MakeLocalKubeconfig(ca, cert, key []byte) ([]byte, error) {
+func makeLocalKubeconfig(ca, cert, key []byte) ([]byte, error) {
kubeconfig := configapi.NewConfig()
cluster := configapi.NewCluster()
cluster.Server = fmt.Sprintf("https://127.0.0.1:%v", common.KubernetesAPIPort)
@@ -398,41 +397,3 @@
kubeconfig.CurrentContext = "default"
return clientcmd.Write(*kubeconfig)
}
-
-func bootstrapLocalKubelet(consensusKV clientv3.KV, nodeName string) error {
- idCA, idKeyRaw, err := GetCert(consensusKV, "id-ca")
- if err != nil {
- return err
- }
- idKey := ed25519.PrivateKey(idKeyRaw)
- cert, key, err := IssueCertificate(ClientCertTemplate("system:node:"+nodeName, []string{"system:nodes"}), idCA, idKey)
- if err != nil {
- return err
- }
- kubeconfig, err := MakeLocalKubeconfig(idCA, cert, key)
- if err != nil {
- return err
- }
-
- serverCert, serverKey, err := IssueCertificate(ServerCertTemplate([]string{nodeName}, []net.IP{}), idCA, idKey)
- if err != nil {
- return err
- }
- if err := os.MkdirAll("/data/kubernetes", 0755); err != nil {
- return err
- }
- if err := ioutil.WriteFile("/data/kubernetes/kubelet.kubeconfig", kubeconfig, 0400); err != nil {
- return err
- }
- if err := ioutil.WriteFile("/data/kubernetes/ca.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: idCA}), 0400); err != nil {
- return err
- }
- if err := ioutil.WriteFile("/data/kubernetes/kubelet.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert}), 0400); err != nil {
- return err
- }
- if err := ioutil.WriteFile("/data/kubernetes/kubelet.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKey}), 0400); err != nil {
- return err
- }
-
- return nil
-}
diff --git a/core/internal/kubernetes/controller-manager.go b/core/internal/kubernetes/controller-manager.go
index a6b4b5d..20d4605 100644
--- a/core/internal/kubernetes/controller-manager.go
+++ b/core/internal/kubernetes/controller-manager.go
@@ -27,7 +27,6 @@
"go.etcd.io/etcd/clientv3"
"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
- "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
"git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
)
@@ -44,19 +43,19 @@
func getPKIControllerManagerConfig(consensusKV clientv3.KV) (*controllerManagerConfig, error) {
var config controllerManagerConfig
var err error
- config.rootCA, _, err = pki.GetCert(consensusKV, "id-ca")
+ config.rootCA, _, err = getCert(consensusKV, "id-ca")
if err != nil {
return nil, fmt.Errorf("failed to get ID root CA: %w", err)
}
- config.serverCert, config.serverKey, err = pki.GetCert(consensusKV, "controller-manager")
+ config.serverCert, config.serverKey, err = getCert(consensusKV, "controller-manager")
if err != nil {
return nil, fmt.Errorf("failed to get controller-manager serving certificate: %w", err)
}
- config.serviceAccountPrivKey, err = pki.GetSingle(consensusKV, "service-account-privkey.der")
+ config.serviceAccountPrivKey, err = getSingle(consensusKV, "service-account-privkey.der")
if err != nil {
return nil, fmt.Errorf("failed to get serviceaccount privkey: %w", err)
}
- config.kubeConfig, err = pki.GetSingle(consensusKV, "controller-manager.kubeconfig")
+ config.kubeConfig, err = getSingle(consensusKV, "controller-manager.kubeconfig")
if err != nil {
return nil, fmt.Errorf("failed to get controller-manager kubeconfig: %w", err)
}
diff --git a/core/internal/kubernetes/kubelet.go b/core/internal/kubernetes/kubelet.go
index e9d0332..3b0d966 100644
--- a/core/internal/kubernetes/kubelet.go
+++ b/core/internal/kubernetes/kubelet.go
@@ -18,16 +18,21 @@
import (
"context"
+ "crypto/ed25519"
"encoding/json"
+ "encoding/pem"
"fmt"
"io"
+ "io/ioutil"
"net"
+ "os"
"os/exec"
"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
"git.monogon.dev/source/nexantic.git/core/internal/kubernetes/reconciler"
"git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
+ "go.etcd.io/etcd/clientv3"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeletconfig "k8s.io/kubelet/config/v1beta1"
)
@@ -36,6 +41,44 @@
clusterDNS []net.IP
}
+func bootstrapLocalKubelet(consensusKV clientv3.KV, nodeName string) error {
+ idCA, idKeyRaw, err := getCert(consensusKV, "id-ca")
+ if err != nil {
+ return err
+ }
+ idKey := ed25519.PrivateKey(idKeyRaw)
+ cert, key, err := issueCertificate(clientCertTemplate("system:node:"+nodeName, []string{"system:nodes"}), idCA, idKey)
+ if err != nil {
+ return err
+ }
+ kubeconfig, err := makeLocalKubeconfig(idCA, cert, key)
+ if err != nil {
+ return err
+ }
+
+ serverCert, serverKey, err := issueCertificate(serverCertTemplate([]string{nodeName}, []net.IP{}), idCA, idKey)
+ if err != nil {
+ return err
+ }
+ if err := os.MkdirAll("/data/kubernetes", 0755); err != nil {
+ return err
+ }
+ if err := ioutil.WriteFile("/data/kubernetes/kubelet.kubeconfig", kubeconfig, 0400); err != nil {
+ return err
+ }
+ if err := ioutil.WriteFile("/data/kubernetes/ca.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: idCA}), 0400); err != nil {
+ return err
+ }
+ if err := ioutil.WriteFile("/data/kubernetes/kubelet.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert}), 0400); err != nil {
+ return err
+ }
+ if err := ioutil.WriteFile("/data/kubernetes/kubelet.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKey}), 0400); err != nil {
+ return err
+ }
+
+ return nil
+}
+
func runKubelet(spec *KubeletSpec, output io.Writer) supervisor.Runnable {
return func(ctx context.Context) error {
fargs, err := fileargs.New()
diff --git a/core/internal/kubernetes/pki/BUILD.bazel b/core/internal/kubernetes/pki/BUILD.bazel
deleted file mode 100644
index 605ca64..0000000
--- a/core/internal/kubernetes/pki/BUILD.bazel
+++ /dev/null
@@ -1,14 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
- name = "go_default_library",
- srcs = ["auth.go"],
- importpath = "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki",
- visibility = ["//core:__subpackages__"],
- deps = [
- "//core/internal/common:go_default_library",
- "@io_etcd_go_etcd//clientv3:go_default_library",
- "@io_k8s_client_go//tools/clientcmd:go_default_library",
- "@io_k8s_client_go//tools/clientcmd/api:go_default_library",
- ],
-)
diff --git a/core/internal/kubernetes/scheduler.go b/core/internal/kubernetes/scheduler.go
index e3be0a0..d3ee20b 100644
--- a/core/internal/kubernetes/scheduler.go
+++ b/core/internal/kubernetes/scheduler.go
@@ -26,7 +26,6 @@
"go.etcd.io/etcd/clientv3"
"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
- "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
"git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
)
@@ -39,11 +38,11 @@
func getPKISchedulerConfig(consensusKV clientv3.KV) (*schedulerConfig, error) {
var config schedulerConfig
var err error
- config.serverCert, config.serverKey, err = pki.GetCert(consensusKV, "scheduler")
+ config.serverCert, config.serverKey, err = getCert(consensusKV, "scheduler")
if err != nil {
return nil, fmt.Errorf("failed to get scheduler serving certificate: %w", err)
}
- config.kubeConfig, err = pki.GetSingle(consensusKV, "scheduler.kubeconfig")
+ config.kubeConfig, err = getSingle(consensusKV, "scheduler.kubeconfig")
if err != nil {
return nil, fmt.Errorf("failed to get scheduler kubeconfig: %w", err)
}
diff --git a/core/internal/kubernetes/service.go b/core/internal/kubernetes/service.go
index b8c3cf8..b2d340e 100644
--- a/core/internal/kubernetes/service.go
+++ b/core/internal/kubernetes/service.go
@@ -35,7 +35,6 @@
schema "git.monogon.dev/source/nexantic.git/core/generated/api"
"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
"git.monogon.dev/source/nexantic.git/core/internal/consensus"
- "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
"git.monogon.dev/source/nexantic.git/core/internal/kubernetes/reconciler"
"git.monogon.dev/source/nexantic.git/core/internal/storage"
"git.monogon.dev/source/nexantic.git/core/pkg/logbuffer"
@@ -75,7 +74,7 @@
}
func (s *Service) NewCluster() error {
- return pki.NewCluster(s.getKV())
+ return newCluster(s.getKV())
}
// GetComponentLogs grabs logs from various Kubernetes binaries
@@ -99,16 +98,16 @@
if !s.consensusService.IsReady() {
return nil, status.Error(codes.Unavailable, "Consensus not ready yet")
}
- idCA, idKeyRaw, err := pki.GetCert(s.getKV(), "id-ca")
+ idCA, idKeyRaw, err := getCert(s.getKV(), "id-ca")
idKey := ed25519.PrivateKey(idKeyRaw)
if err != nil {
return nil, status.Errorf(codes.Unavailable, "Failed to load ID CA: %v", err)
}
- debugCert, debugKey, err := pki.IssueCertificate(pki.ClientCertTemplate(request.Id, request.Groups), idCA, idKey)
+ debugCert, debugKey, err := issueCertificate(clientCertTemplate(request.Id, request.Groups), idCA, idKey)
if err != nil {
return nil, status.Errorf(codes.Unavailable, "Failed to issue certs for kubeconfig: %v\n", err)
}
- debugKubeconfig, err := pki.MakeLocalKubeconfig(idCA, debugCert, debugKey)
+ debugKubeconfig, err := makeLocalKubeconfig(idCA, debugCert, debugKey)
if err != nil {
return nil, status.Errorf(codes.Unavailable, "Failed to generate kubeconfig: %v", err)
}
@@ -152,7 +151,7 @@
return err
}
- masterKubeconfig, err := pki.GetSingle(consensusKV, "master.kubeconfig")
+ masterKubeconfig, err := getSingle(consensusKV, "master.kubeconfig")
if err != nil {
return err
}