m/node/kubernetes/pki: refactor out CA functionality
This factors out all non-k8s-specific CA functionality from
metropolis/node/kubernetes/pki into metropolis/pkg/pki.
This will allow us to re-use the same PKI-in-CA system to issue
certificates for the Metropolis cluster and nodes.
We also drive-by change some Kubernetes/PKI interactions to make things
cleaner. Notably, this implements Certificate.Mount to return a
fileargs.FileArgs containing all the files needed to use this
Certificate.
Test Plan: covered by current e2e tests. An etcd harness to test this independently would be nice, though.
X-Origin-Diff: phab/D709
GitOrigin-RevId: bdc9ff215b94c9192f65c6da8935fe2818fd14ad
diff --git a/metropolis/node/kubernetes/service.go b/metropolis/node/kubernetes/service.go
index 2f9b18e..8d0c795 100644
--- a/metropolis/node/kubernetes/service.go
+++ b/metropolis/node/kubernetes/service.go
@@ -44,7 +44,7 @@
ServiceIPRange net.IPNet
ClusterNet net.IPNet
- KPKI *pki.KubernetesPKI
+ KPKI *pki.PKI
Root *localstorage.Root
CorednsRegistrationChan chan *dns.ExtraDirective
}
@@ -168,10 +168,13 @@
// GetDebugKubeconfig issues a kubeconfig for an arbitrary given identity. Useful for debugging and testing.
func (s *Service) GetDebugKubeconfig(ctx context.Context, request *apb.GetDebugKubeconfigRequest) (*apb.GetDebugKubeconfigResponse, error) {
- ca := s.c.KPKI.Certificates[pki.IdCA]
- debugKubeconfig, err := pki.New(ca, "", pki.Client(request.Id, request.Groups)).Kubeconfig(ctx, s.c.KPKI.KV)
+ client, err := s.c.KPKI.VolatileClient(ctx, request.Id, request.Groups)
+ if err != nil {
+ return nil, status.Errorf(codes.Unavailable, "Failed to get volatile client certificate: %v", err)
+ }
+ kubeconfig, err := pki.Kubeconfig(ctx, s.c.KPKI.KV, client)
if err != nil {
return nil, status.Errorf(codes.Unavailable, "Failed to generate kubeconfig: %v", err)
}
- return &apb.GetDebugKubeconfigResponse{DebugKubeconfig: string(debugKubeconfig)}, nil
+ return &apb.GetDebugKubeconfigResponse{DebugKubeconfig: string(kubeconfig)}, nil
}
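Review bot: The new VolatileClient call at the top of GetDebugKubeconfig forwards request.Id and request.Groups straight from the RPC without any check, and any rejection of an empty or malformed identity is then reported as codes.Unavailable, which misreports a client-side problem as a server-side one. Unless VolatileClient is known to validate these itself, a guard before the call such as `if request.Id == "" { return nil, status.Error(codes.InvalidArgument, "id must not be empty") }` gives callers the correct status. Since this method mints a cluster client certificate for an arbitrary identity and group set, the doc comment should also state the trust assumption, e.g. `// GetDebugKubeconfig issues a kubeconfig for an arbitrary given identity. It mints a client certificate for whatever identity and groups the request names, so it must only be reachable by already-authorized callers; intended for debugging and testing.`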