m/node/kubernetes/pki: refactor out CA functionality

This factors out all non-k8s-specific CA functionality from
metropolis/node/kubernetes/pki into metropolis/pkg/pki.

This will allow us to re-use the same PKI-in-CA system to issue
certificates for the Metropolis cluster and nodes.

We also drive-by change some Kubernetes/PKI interactions to make things
cleaner. Notably, this implements Certificate.Mount to return a
fileargs.FileArgs containing all the files needed to use this
Certificate.

Test Plan: covered by current e2e tests. An etcd harness to test this independently would be nice, though.

X-Origin-Diff: phab/D709
GitOrigin-RevId: bdc9ff215b94c9192f65c6da8935fe2818fd14ad
diff --git a/metropolis/node/kubernetes/apiserver.go b/metropolis/node/kubernetes/apiserver.go
index 2757fb2..704b8df 100644
--- a/metropolis/node/kubernetes/apiserver.go
+++ b/metropolis/node/kubernetes/apiserver.go
@@ -31,7 +31,7 @@
 )
 
 type apiserverService struct {
-	KPKI                        *pki.KubernetesPKI
+	KPKI                        *pki.PKI
 	AdvertiseAddress            net.IP
 	ServiceIPRange              net.IPNet
 	EphemeralConsensusDirectory *localstorage.EphemeralConsensusDirectory
@@ -55,7 +55,7 @@
 		name       pki.KubeCertificateName
 	}{
 		{&s.idCA, nil, pki.IdCA},
-		{&s.kubeletClientCert, &s.kubeletClientKey, pki.KubeletClient},
+		{&s.kubeletClientCert, &s.kubeletClientKey, pki.APIServerKubeletClient},
 		{&s.aggregationCA, nil, pki.AggregationCA},
 		{&s.aggregationClientCert, &s.aggregationClientKey, pki.FrontProxyClient},
 		{&s.serverCert, &s.serverKey, pki.APIServer},