metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)
Previously it was not possible to authenticate against these services,
because they had no CA configured to trust for the client certificate that was sent.
Change-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c
Reviewed-on: https://review.monogon.dev/c/monogon/+/1951
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/controller-manager.go b/metropolis/node/kubernetes/controller-manager.go
index a6c424b..363571d 100644
--- a/metropolis/node/kubernetes/controller-manager.go
+++ b/metropolis/node/kubernetes/controller-manager.go
@@ -74,6 +74,8 @@
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serviceAccountPrivKey})),
args.FileOpt("--root-ca-file", "root-ca.pem",
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
+ args.FileOpt("--client-ca-file", "root-ca.pem",
+ pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
"--use-service-account-credentials=true", // Enables things like PSP enforcement
fmt.Sprintf("--cluster-cidr=%v", config.clusterNet.String()),
args.FileOpt("--tls-cert-file", "server-cert.pem",
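Review bot: The new `--client-ca-file` option re-encodes the same `config.rootCA` bytes that `--root-ca-file` already encodes two lines above, and registers them under the identical file name "root-ca.pem"; whether `args.FileOpt` tolerates two options sharing one name cannot be seen from this hunk, and the duplicated `pem.EncodeToMemory` call is easy to drift apart during a later edit. Encode once and reuse it, e.g. `rootCAPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})` followed by `args.FileOpt("--root-ca-file", "root-ca.pem", rootCAPEM),` and `args.FileOpt("--client-ca-file", "root-ca.pem", rootCAPEM),` (or give the second a distinct name such as "client-ca.pem" if FileOpt requires uniqueness). Since the cluster root CA is now the client-auth trust anchor for the controller-manager's serving port, every certificate that root issues becomes an accepted client identity on that port, so a short comment stating that this relies on the root CA only issuing certificates for trusted principals would help the next reader; a line such as `// Accept client certs issued by the cluster root CA; authorization still decides what they may do.` above the new option would do. The commit title also names the scheduler, but only the controller-manager change is visible here. The argument list containing these options begins before and continues past this hunk.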