m/n/kubernetes: serve authproxy with node certificate
We are currently serving authproxy with the Kubernetes node certificate,
which is somewhat useless, considering that this certificate isn't even
issued by the same CA as the client certificates presented (which are
Metropolis certificates).
This changes the authproxy to serve with Metropolis node certificates
instead.
Change-Id: I03ff19c919c6a9fa72c98997432cc06a59e9958e
Reviewed-on: https://review.monogon.dev/c/monogon/+/2740
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/authproxy/authproxy.go b/metropolis/node/kubernetes/authproxy/authproxy.go
index 957cb8a..e8e6fd8 100644
--- a/metropolis/node/kubernetes/authproxy/authproxy.go
+++ b/metropolis/node/kubernetes/authproxy/authproxy.go
@@ -26,8 +26,8 @@
type Service struct {
// KPKI is a reference to the Kubernetes PKI
KPKI *pki.PKI
- // Node contains the node identity
- Node *identity.Node
+ // Node contains the node credentials
+ Node *identity.NodeCredentials
}
func (s *Service) getTLSCert(ctx context.Context, name pki.KubeCertificateName) (*tls.Certificate, error) {
@@ -109,10 +109,7 @@
standardProxy.ErrorHandler = errorHandler
noHTTP2Proxy.ErrorHandler = errorHandler
- serverCert, err := s.getTLSCert(ctx, pki.APIServer)
- if err != nil {
- return err
- }
+ serverCert := s.Node.TLSCredentials()
clientCAs := x509.NewCertPool()
clientCAs.AddCert(s.Node.ClusterCA())
server := &http.Server{
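Review bot: `serverCert := s.Node.TLSCredentials()` takes a one-time snapshot of the node certificate at startup and pins it into `Certificates`, so if the node credentials are rotated while the proxy is running, the server keeps presenting the stale certificate until it is restarted. If NodeCredentials can change at runtime (I cannot tell from this hunk), consider `GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { c := s.Node.TLSCredentials(); return &c, nil }` in the tls.Config instead, so every handshake reads the current credentials; otherwise a short comment stating that the certificate is fixed for the lifetime of the server would make the choice explicit. The removed `s.getTLSCert(ctx, pki.APIServer)` call is the only visible caller of getTLSCert (declared at the end of the previous hunk); if no other caller remains, that method and possibly the KPKI field are now dead code that this change should also drop. The enclosing function starts and ends outside the hunk.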
@@ -122,7 +119,7 @@
NextProtos: []string{"h2", "http/1.1"},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
- Certificates: []tls.Certificate{*serverCert},
+ Certificates: []tls.Certificate{serverCert},
},
// Limits match @io_k8s_apiserver/pkg/server:secure_serving.go Serve()
MaxHeaderBytes: 1 << 20,
diff --git a/metropolis/node/kubernetes/service_controller.go b/metropolis/node/kubernetes/service_controller.go
index fbeabca..804a210 100644
--- a/metropolis/node/kubernetes/service_controller.go
+++ b/metropolis/node/kubernetes/service_controller.go
@@ -48,7 +48,7 @@
KPKI *pki.PKI
Root *localstorage.Root
Network *network.Service
- Node *identity.Node
+ Node *identity.NodeCredentials
}
type Controller struct {