metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)

Previously it wasn't possible to authenticate against the services,
as they had no trusted CA against which to verify the presented client certificate.

Change-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c
Reviewed-on: https://review.monogon.dev/c/monogon/+/1951
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/scheduler.go b/metropolis/node/kubernetes/scheduler.go
index 5537dcc..1b9b12c 100644
--- a/metropolis/node/kubernetes/scheduler.go
+++ b/metropolis/node/kubernetes/scheduler.go
@@ -31,11 +31,16 @@
 	kubeConfig []byte
 	serverCert []byte
 	serverKey  []byte
+	rootCA     []byte
 }
 
 func getPKISchedulerConfig(ctx context.Context, kpki *pki.PKI) (*schedulerConfig, error) {
 	var config schedulerConfig
 	var err error
+	config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get ID root CA: %w", err)
+	}
 	config.serverCert, config.serverKey, err = kpki.Certificate(ctx, pki.Scheduler)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get scheduler serving certificate: %w", err)
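Review bot: The second return value of `kpki.Certificate(ctx, pki.IdCA)` is discarded with `_` and no comment says what it is; given the sibling call below returns a private key in that position, this looks like it fetches the CA's private key only to drop it. If that is the case it deserves a comment or a certificate-only accessor so the key is not materialised in this process unnecessarily, e.g. `// Only the CA certificate is needed here; the key is intentionally discarded.` placed above the call. The new `rootCA` field on schedulerConfig would also benefit from a field comment naming which CA it holds and that it is used purely as the client-cert trust anchor, e.g. `rootCA []byte // DER-encoded ID CA certificate used to verify client certificates`. getPKISchedulerConfig continues past the end of this hunk.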
@@ -60,6 +65,8 @@
 				pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.serverCert})),
 			args.FileOpt("--tls-private-key-file", "server-key.pem",
 				pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serverKey})),
+			args.FileOpt("--client-ca-file", "root-ca.pem",
+				pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
 		)
 		if args.Error() != nil {
 			return fmt.Errorf("failed to use fileargs: %w", err)
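Review bot: The error returned on the last line of the hunk wraps `err` rather than `args.Error()`, so a FileOpt failure — now including the new `--client-ca-file` write of root-ca.pem — is reported as whatever `err` happened to hold at that point, which may be nil and yield a message with no cause. The line should read `return fmt.Errorf("failed to use fileargs: %w", args.Error())`. This is a pre-existing line, but the commit adds a new file write guarded by it, so it is worth fixing here. The enclosing function starts before this hunk, so I cannot see what `err` refers to at this point.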