Use keypair IDs for non-kops-controller-issued worker node certs

2021-07-15 14:04:48 -07:00 · 2021-07-15 14:04:48 -07:00 · 3ae5413f63
parent f24f12f84c
commit 3ae5413f63
3 changed files with 27 additions and 23 deletions
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -289,7 +289,26 @@ func (c *NodeupModelContext) BuildBootstrapKubeconfig(name string, ctx *fi.Model

 		return kubeConfig.GetConfig(), nil
 	} else {
-		cert, key, err := c.GetPrimaryKeypair(name)
+		keyset, err := c.KeyStore.FindKeyset(name)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching keyset: %v from keystore: %v", name, err)
+		}
+
+		keypairID := c.NodeupConfig.KeypairIDs[name]
+		if keypairID == "" {
+			return nil, fmt.Errorf("keypairID for %s missing from NodeupConfig", name)
+		}
+		item := keyset.Items[keypairID]
+		if item == nil {
+			return nil, fmt.Errorf("keypairID %s missing from %s keyset", keypairID, name)
+		}
+
+		cert, err := item.Certificate.AsBytes()
+		if err != nil {
+			return nil, err
+		}
+
+		key, err := item.PrivateKey.AsBytes()
 		if err != nil {
 			return nil, err
 		}
@ -632,27 +651,6 @@ func EvaluateHostnameOverride(hostnameOverride string) (string, error) {
 	return *(result.Reservations[0].Instances[0].PrivateDnsName), nil
 }

-// GetPrimaryKeypair is a helper method to retrieve a primary keypair from the store.
-// TODO: Use the KeysetID in NodeupConfig instead of the Primary keypair.
-func (c *NodeupModelContext) GetPrimaryKeypair(name string) (cert []byte, key []byte, err error) {
-	keyset, err := c.KeyStore.FindKeyset(name)
-	if err != nil {
-		return nil, nil, fmt.Errorf("error fetching keyset: %v from keystore: %v", name, err)
-	}
-
-	cert, err = keyset.Primary.Certificate.AsBytes()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	key, err = keyset.Primary.PrivateKey.AsBytes()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return cert, key, nil
-}
-
 func (b *NodeupModelContext) AddCNIBinAssets(c *fi.ModelBuilderContext, assetNames []string) error {
 	for _, assetName := range assetNames {
 		re, err := regexp.Compile(fmt.Sprintf("^%s$", regexp.QuoteMeta(assetName)))
--- a/nodeup/pkg/model/networking/kube_router.go
+++ b/nodeup/pkg/model/networking/kube_router.go
@ -41,7 +41,7 @@ func (b *KuberouterBuilder) Build(c *fi.ModelBuilderContext) error {
 	var kubeconfig fi.Resource
 	var err error

-	if b.IsMaster {
+	if b.HasAPIServer {
 		kubeconfig = b.BuildIssuedKubeconfig("kube-router", nodetasks.PKIXName{CommonName: rbac.KubeRouter}, c)
 	} else {
 		kubeconfig, err = b.BuildBootstrapKubeconfig("kube-router", c)
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1349,6 +1349,12 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 		if err != nil {
 			return nil, nil, fmt.Errorf("encoding service-account keys: %w", err)
 		}
+	} else {
+		for _, key := range []string{"kubelet", "kube-proxy", "kube-router"} {
+			if caTasks[key] != nil {
+				config.KeypairIDs[key] = caTasks[key].Keyset().Primary.Id
+			}
+		}
 	}

 	if isMaster || useGossip {