m/node/kubernetes/pki: refactor out CA functionality
This factors out all non-k8s-specific CA functionality from
metropolis/node/kubernetes/pki into metropolis/pkg/pki.
This will allow us to re-use the same PKI-in-CA system to issue
certificates for the Metropolis cluster and nodes.
We also drive-by change some Kubernetes/PKI interactions to make things
cleaner. Notably, this implements Certificate.Mount to return a
fileargs.FileArgs containing all the files needed to use this
Certificate.
Test Plan: covered by current e2e tests. An etcd harness to test this independently would be nice, though.
X-Origin-Diff: phab/D709
GitOrigin-RevId: bdc9ff215b94c9192f65c6da8935fe2818fd14ad
diff --git a/metropolis/node/kubernetes/pki/BUILD.bazel b/metropolis/node/kubernetes/pki/BUILD.bazel
index 5dcfe78..cfbba0c 100644
--- a/metropolis/node/kubernetes/pki/BUILD.bazel
+++ b/metropolis/node/kubernetes/pki/BUILD.bazel
@@ -2,16 +2,13 @@
go_library(
name = "go_default_library",
- srcs = [
- "ca.go",
- "certificate.go",
- "kubernetes.go",
- ],
+ srcs = ["kubernetes.go"],
importpath = "source.monogon.dev/metropolis/node/kubernetes/pki",
visibility = ["//metropolis/node:__subpackages__"],
deps = [
"//metropolis/node:go_default_library",
"//metropolis/pkg/logtree:go_default_library",
+ "//metropolis/pkg/pki:go_default_library",
"@io_etcd_go_etcd//clientv3:go_default_library",
"@io_k8s_client_go//tools/clientcmd:go_default_library",
"@io_k8s_client_go//tools/clientcmd/api:go_default_library",