m/node/kubernetes/pki: refactor out CA functionality

This factors out all non-k8s-specific CA functionality from
metropolis/node/kubernetes/pki into metropolis/pkg/pki.

This will allow us to re-use the same PKI-in-CA system to issue
certificates for the Metropolis cluster and nodes.

We also drive-by change some Kubernetes/PKI interactions to make things
cleaner. Notably, this implements Certificate.Mount to return a
fileargs.FileArgs containing all the files needed to use this
Certificate.

Test Plan: covered by current e2e tests. An etcd harness to test this independently would be nice, though.

X-Origin-Diff: phab/D709
GitOrigin-RevId: bdc9ff215b94c9192f65c6da8935fe2818fd14ad
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index 3cf75ce..0f6ebd1 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -197,7 +197,7 @@
 
 			// Ensure Kubernetes PKI objects exist in etcd.
 			kpkiKV := m.ConsensusKV("cluster", "kpki")
-			kpki := pki.NewKubernetes(lt.MustLeveledFor("pki.kubernetes"), kpkiKV)
+			kpki := pki.New(lt.MustLeveledFor("pki.kubernetes"), kpkiKV)
 			if err := kpki.EnsureAll(ctx); err != nil {
 				return fmt.Errorf("failed to ensure kubernetes PKI present: %w", err)
 			}
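Review bot: at the changed call `kpki := pki.New(lt.MustLeveledFor("pki.kubernetes"), kpkiKV)`, the shorter constructor name no longer says which PKI is being built. The commit message states that generic CA functionality now lives in metropolis/pkg/pki, so two packages share the name pki. The import block is not visible in this hunk. If main.go imports metropolis/node/kubernetes/pki without an alias, consider giving it an explicit import alias, or documenting on New that it constructs the Kubernetes PKI backed by the passed KV. Either would stop a reader from mistaking this for instantiating the general-purpose CA that is planned to issue cluster and node certificates. The only remaining hints at the call site are the logger name "pki.kubernetes" and the "kpki" KV path.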