m/n/kubernetes: serve authproxy with node certificate

We are currently serving authproxy with the Kubernetes node certificate,
which is somewhat useless, considering that this certificate isn't even
issued by the same CA as the client certificates presented (which are
Metropolis certificates).

This changes the authproxy to serve with Metropolis node certificates
instead.

Change-Id: I03ff19c919c6a9fa72c98997432cc06a59e9958e
Reviewed-on: https://review.monogon.dev/c/monogon/+/2740
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/roleserve/worker_kubernetes.go b/metropolis/node/core/roleserve/worker_kubernetes.go
index 03ded17..3c05551 100644
--- a/metropolis/node/core/roleserve/worker_kubernetes.go
+++ b/metropolis/node/core/roleserve/worker_kubernetes.go
@@ -45,7 +45,7 @@
 	roles   *cpb.NodeRoles
 	lcp     *localControlPlane
 	curator ipb.CuratorClient
-	node    *identity.Node
+	node    *identity.NodeCredentials
 }
 
 // changed informs the Kubernetes launcher whether two different
@@ -103,7 +103,7 @@
 					startupV.Set(&kubernetesStartup{
 						roles:   lr,
 						lcp:     lcp,
-						node:    &cc.credentials.Node,
+						node:    cc.credentials,
 						curator: ipb.NewCuratorClient(cc.conn),
 					})
 				}
diff --git a/metropolis/node/kubernetes/authproxy/authproxy.go b/metropolis/node/kubernetes/authproxy/authproxy.go
index 957cb8a..e8e6fd8 100644
--- a/metropolis/node/kubernetes/authproxy/authproxy.go
+++ b/metropolis/node/kubernetes/authproxy/authproxy.go
@@ -26,8 +26,8 @@
 type Service struct {
 	// KPKI is a reference to the Kubernetes PKI
 	KPKI *pki.PKI
-	// Node contains the node identity
-	Node *identity.Node
+	// Node contains the node credentials
+	Node *identity.NodeCredentials
 }
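Review bot: The updated field comment on `Node` says only what the field holds, while the rest of this commit makes it the source of both the serving certificate (`s.Node.TLSCredentials()`) and the accepted client CA (`s.Node.ClusterCA()`), and it is dereferenced without a nil check. Spelling that out at the field saves a reader from having to find the server construction further down: `// Node contains the node credentials; the authproxy serves with the node's TLS certificate and only accepts clients signed by its cluster CA. Must be non-nil.`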
 
 func (s *Service) getTLSCert(ctx context.Context, name pki.KubeCertificateName) (*tls.Certificate, error) {
@@ -109,10 +109,7 @@
 	standardProxy.ErrorHandler = errorHandler
 	noHTTP2Proxy.ErrorHandler = errorHandler
 
-	serverCert, err := s.getTLSCert(ctx, pki.APIServer)
-	if err != nil {
-		return err
-	}
+	serverCert := s.Node.TLSCredentials()
 	clientCAs := x509.NewCertPool()
 	clientCAs.AddCert(s.Node.ClusterCA())
 	server := &http.Server{
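Review bot: With the `getTLSCert(ctx, pki.APIServer)` call removed here, `getTLSCert` (still defined at the top of this hunk's file) may have lost its only caller; if nothing else in `authproxy.go` uses it, it should be deleted in this commit rather than left as dead code. The removed branch was also the only failure path before the server is built, and `s.Node.TLSCredentials()` appears not to return an error, so the function now relies entirely on `s.Node` being set by the caller — worth a one-line comment, e.g. `// Serve with the Metropolis node certificate; clients are verified against the cluster CA below.`, since the two are expected to agree. The enclosing method starts and ends outside this hunk, so whether `ctx` is still used after this change cannot be confirmed from here.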
@@ -122,7 +119,7 @@
 			NextProtos:   []string{"h2", "http/1.1"},
 			ClientAuth:   tls.RequireAndVerifyClientCert,
 			ClientCAs:    clientCAs,
-			Certificates: []tls.Certificate{*serverCert},
+			Certificates: []tls.Certificate{serverCert},
 		},
 		// Limits match @io_k8s_apiserver/pkg/server:secure_serving.go Serve()
 		MaxHeaderBytes:    1 << 20,
diff --git a/metropolis/node/kubernetes/service_controller.go b/metropolis/node/kubernetes/service_controller.go
index fbeabca..804a210 100644
--- a/metropolis/node/kubernetes/service_controller.go
+++ b/metropolis/node/kubernetes/service_controller.go
@@ -48,7 +48,7 @@
 	KPKI    *pki.PKI
 	Root    *localstorage.Root
 	Network *network.Service
-	Node    *identity.Node
+	Node    *identity.NodeCredentials
 }
 
 type Controller struct {