metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)
Previously it was not possible to authenticate against these services,
because they trusted no CA for the client certificate being presented.
Change-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c
Reviewed-on: https://review.monogon.dev/c/monogon/+/1951
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/controller-manager.go b/metropolis/node/kubernetes/controller-manager.go
index a6c424b..363571d 100644
--- a/metropolis/node/kubernetes/controller-manager.go
+++ b/metropolis/node/kubernetes/controller-manager.go
@@ -74,6 +74,8 @@
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serviceAccountPrivKey})),
args.FileOpt("--root-ca-file", "root-ca.pem",
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
+ args.FileOpt("--client-ca-file", "root-ca.pem",
+ pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
"--use-service-account-credentials=true", // Enables things like PSP enforcement
fmt.Sprintf("--cluster-cidr=%v", config.clusterNet.String()),
args.FileOpt("--tls-cert-file", "server-cert.pem",
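Review bot: The new `--client-ca-file` option registers a file named "root-ca.pem", which is the same name the `--root-ca-file` option two lines above already uses (with identical contents). Whether that is harmless depends on how args.FileOpt treats a repeated file name, which is not visible here: a second identical write is benign, but a collision check would only surface as an args.Error() at runtime. A distinct name, `args.FileOpt("--client-ca-file", "client-ca.pem", ...)`, removes the ambiguity and makes the new role of the CA obvious in the flag set. The role itself deserves a short comment on the added lines, e.g. `// Any certificate chaining to the ID root CA now authenticates to the secure port; authorization still decides what such a client may do.`, since the same CA issues certificates for other principals and the flag widens who can authenticate, not what they are allowed to do.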
diff --git a/metropolis/node/kubernetes/scheduler.go b/metropolis/node/kubernetes/scheduler.go
index 5537dcc..1b9b12c 100644
--- a/metropolis/node/kubernetes/scheduler.go
+++ b/metropolis/node/kubernetes/scheduler.go
@@ -31,11 +31,16 @@
kubeConfig []byte
serverCert []byte
serverKey []byte
+ rootCA []byte
}
func getPKISchedulerConfig(ctx context.Context, kpki *pki.PKI) (*schedulerConfig, error) {
var config schedulerConfig
var err error
+ config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get ID root CA: %w", err)
+ }
config.serverCert, config.serverKey, err = kpki.Certificate(ctx, pki.Scheduler)
if err != nil {
return nil, fmt.Errorf("failed to get scheduler serving certificate: %w", err)
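Review bot: The new `rootCA` field in schedulerConfig has no comment, while its meaning is security-relevant: it is not a serving or client credential of the scheduler but the trust anchor used to authenticate peers. A comment such as `// rootCA holds the ID root CA certificate bytes as returned by kpki.Certificate; it is PEM-wrapped and passed as --client-ca-file so that client certificates issued by it are accepted.` would make that clear to the next reader. In the added call `config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA)` the discarded second value is presumably the CA's private key; a brief `// the CA key is not needed here` on that line would document that the discard is deliberate. getPKISchedulerConfig continues past the end of this hunk.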
@@ -60,6 +65,8 @@
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.serverCert})),
args.FileOpt("--tls-private-key-file", "server-key.pem",
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serverKey})),
+ args.FileOpt("--client-ca-file", "root-ca.pem",
+ pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
)
if args.Error() != nil {
return fmt.Errorf("failed to use fileargs: %w", err)
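Review bot: The error check at the end of this hunk tests `args.Error()` but wraps `err` in the returned message, and from the visible lines `err` is not the fileargs error, so a failure to materialise the new "root-ca.pem" file (or any other FileOpt failure) would be reported with the wrong, possibly nil, cause. The return should wrap the value it checked: `return fmt.Errorf("failed to use fileargs: %w", args.Error())`. This is pre-existing code, but the commit adds a new file option to this args set, so it is the right time to fix it; the enclosing function starts and ends outside the hunk.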