core/internal/kubernetes: refactor PKI fully
We move ad-hoc certificate/key creation to a little declarative,
future-inspired API.
The API is split into two distinct layers:
- an etcd-backed managed certificate storage that understands server
certificates, client certificates and CAs
- a Kubernetes PKI object, that understands what certificates are
needed to bring up a cluster
This allows for deduplicated path names in etcd, some semantic
information about available certificates, and is in general groundwork
for some future improvements, like:
- a slightly higher level etcd 'data store' api, with
less-stringly-typed paths
- simplification of service startup code (there's a bunch of cleanups
that can still be done in core/internal/kubernetes with respect to
certificate marshaling to the filesystem, etc)
Test Plan: covered by existing tests - but this should also now be nicely testable in isolation!
X-Origin-Diff: phab/D564
GitOrigin-RevId: a58620c37ac064a15b7db106b7a5cbe9bd0b7cd0
diff --git a/core/internal/kubernetes/scheduler.go b/core/internal/kubernetes/scheduler.go
index d3ee20b..35b1e64 100644
--- a/core/internal/kubernetes/scheduler.go
+++ b/core/internal/kubernetes/scheduler.go
@@ -26,6 +26,7 @@
"go.etcd.io/etcd/clientv3"
"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
+ "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
"git.monogon.dev/source/nexantic.git/core/pkg/fileargs"
)
@@ -35,14 +36,14 @@
serverKey []byte
}
-func getPKISchedulerConfig(consensusKV clientv3.KV) (*schedulerConfig, error) {
+func getPKISchedulerConfig(ctx context.Context, kv clientv3.KV, kpki *pki.KubernetesPKI) (*schedulerConfig, error) {
var config schedulerConfig
var err error
- config.serverCert, config.serverKey, err = getCert(consensusKV, "scheduler")
+ config.serverCert, config.serverKey, err = kpki.Certificate(ctx, pki.Scheduler, kv)
if err != nil {
return nil, fmt.Errorf("failed to get scheduler serving certificate: %w", err)
}
- config.kubeConfig, err = getSingle(consensusKV, "scheduler.kubeconfig")
+ config.kubeConfig, err = kpki.Kubeconfig(ctx, pki.SchedulerClient, kv)
if err != nil {
return nil, fmt.Errorf("failed to get scheduler kubeconfig: %w", err)
}