core/internal/kubernetes: refactor PKI fully

We move ad-hoc certificate/key creation to a little declarative,
future-inspired API.

The API is split into two distinct layers:
 - an etcd-backed managed certificate storage that understands server
   certificates, client certificates and CAs
 - a Kubernetes PKI object, that understands what certificates are
   needed to bring up a cluster

This allows for deduplicated path names in etcd, some semantic
information about available certificates, and is in general groundwork
for some future improvements, like:
 - a slightly higher level etcd 'data store' api, with
   less-stringly-typed paths
 - simplification of service startup code (there's a bunch of cleanups
   that can still be done in core/internal/kubernetes wrt. certificate
   marshaling to the filesystem, etc)

Test Plan: covered by existing tests - but this should also now be nicely testable in isolation!

X-Origin-Diff: phab/D564
GitOrigin-RevId: a58620c37ac064a15b7db106b7a5cbe9bd0b7cd0
diff --git a/core/internal/kubernetes/controller-manager.go b/core/internal/kubernetes/controller-manager.go
index 20d4605..0934ae1 100644
--- a/core/internal/kubernetes/controller-manager.go
+++ b/core/internal/kubernetes/controller-manager.go
@@ -27,6 +27,7 @@
 	"go.etcd.io/etcd/clientv3"
 
 	"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
+	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
 	"git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
 )
 
@@ -40,22 +41,22 @@
 	serverKey             []byte
 }
 
-func getPKIControllerManagerConfig(consensusKV clientv3.KV) (*controllerManagerConfig, error) {
+func getPKIControllerManagerConfig(ctx context.Context, kv clientv3.KV, kpki *pki.KubernetesPKI) (*controllerManagerConfig, error) {
 	var config controllerManagerConfig
 	var err error
-	config.rootCA, _, err = getCert(consensusKV, "id-ca")
+	config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA, kv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get ID root CA: %w", err)
 	}
-	config.serverCert, config.serverKey, err = getCert(consensusKV, "controller-manager")
+	config.serverCert, config.serverKey, err = kpki.Certificate(ctx, pki.ControllerManager, kv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get controller-manager serving certificate: %w", err)
 	}
-	config.serviceAccountPrivKey, err = getSingle(consensusKV, "service-account-privkey.der")
+	config.serviceAccountPrivKey, err = kpki.ServiceAccountKey(ctx, kv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get serviceaccount privkey: %w", err)
 	}
-	config.kubeConfig, err = getSingle(consensusKV, "controller-manager.kubeconfig")
+	config.kubeConfig, err = kpki.Kubeconfig(ctx, pki.ControllerManagerClient, kv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get controller-manager kubeconfig: %w", err)
 	}
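Review bot: `config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA, kv)` discards the second return value, which by the serving-certificate call a few lines below is the private key; if that means the ID CA's private key is read out of etcd into this process only to be thrown away, a certificate-only accessor on KubernetesPKI (or at least a comment stating the key is intentionally discarded) would keep CA key material out of the controller-manager's memory. The refactored signature also has no doc comment; consider `// getPKIControllerManagerConfig loads the controller-manager's ID CA, serving certificate, service account key and kubeconfig from kpki, backed by kv.` Separately, `pki.IdCA` would conventionally be spelled `pki.IDCA` under Go initialism casing (the error text on the next line already says "ID root CA"). getPKIControllerManagerConfig's body continues past the end of the hunk.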