Simplify config server protocol

cmd/kops-controller/pkg/server/node_config.go

@@ -61,27 +61,5 @@ func (s *Server) getNodeConfig(ctx context.Context, req *nodeup.BootstrapRequest
 		nodeConfig.NodeupConfig = string(b)
 	}
 
-	// We populate some certificates that we know the node will need.
-	for _, name := range []string{"ca"} {
-		cert, _, err := s.keystore.FindPrimaryKeypair(name)
-		if err != nil {
-			return nil, fmt.Errorf("error getting certificate %q: %w", name, err)
-		}
-
-		if cert == nil {
-			return nil, fmt.Errorf("certificate %q not found", name)
-		}
-
-		certData, err := cert.AsString()
-		if err != nil {
-			return nil, fmt.Errorf("error marshalling certificate %q: %w", name, err)
-		}
-
-		nodeConfig.Certificates = append(nodeConfig.Certificates, &nodeup.NodeConfigCertificate{
-			Name: name,
-			Cert: certData,
-		})
-	}
-
 	return nodeConfig, nil
 }

pkg/apis/nodeup/bootstrap.go

@@ -41,14 +41,11 @@ type BootstrapResponse struct {
 
 // NodeConfig holds configuration needed to boot a node (without the kops state store)
 type NodeConfig struct {
-	// ClusterFullConfig holds the configuration for the cluster
+	// ClusterFullConfig holds the completed configuration for the cluster.
 	ClusterFullConfig string `json:"clusterFullConfig,omitempty"`
 
 	// NodeupConfig holds the nodeup.Config for the node's instance group.
 	NodeupConfig string `json:"nodeupConfig,omitempty"`
-
-	// Certificates holds certificates that are already issued
-	Certificates []*NodeConfigCertificate `json:"certificates,omitempty"`
 }
 
 // NodeConfigCertificate holds a certificate that the node needs to boot.

pkg/configserver/keystore.go

@@ -20,7 +20,6 @@ import (
 	"crypto/x509"
 	"fmt"
 
-	"k8s.io/kops/pkg/apis/nodeup"
 	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/util/pkg/vfs"
@@ -28,12 +27,12 @@ import (
 
 //configserverKeyStore is a KeyStore backed by the config server.
 type configserverKeyStore struct {
-	nodeConfig *nodeup.NodeConfig
+	caCertificates string
 }
 
-func NewKeyStore(nodeConfig *nodeup.NodeConfig) fi.CAStore {
+func NewKeyStore(caCertificates string) fi.CAStore {
 	return &configserverKeyStore{
-		nodeConfig: nodeConfig,
+		caCertificates: caCertificates,
 	}
 }
 
@@ -69,15 +68,13 @@ func (s *configserverKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, err
 
 // FindCert implements fi.CAStore
 func (s *configserverKeyStore) FindCert(name string) (*pki.Certificate, error) {
-	for _, cert := range s.nodeConfig.Certificates {
-		if cert.Name == name {
-			// Special case for the CA certificate
-			c, err := pki.ParsePEMCertificate([]byte(cert.Cert))
-			if err != nil {
-				return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
-			}
-			return c, nil
+	if name == fi.CertificateIDCA {
+		// Special case for the CA certificate
+		c, err := pki.ParsePEMCertificate([]byte(s.caCertificates))
+		if err != nil {
+			return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
 		}
+		return c, nil
 	}
 
 	return nil, fmt.Errorf("FindCert(%q) not supported by configserverKeyStore", name)

upup/pkg/fi/nodeup/command.go

@@ -240,7 +240,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	}
 
 	if nodeConfig != nil {
-		modelContext.KeyStore = configserver.NewKeyStore(nodeConfig)
+		modelContext.KeyStore = configserver.NewKeyStore(nodeupConfig.CAs[fi.CertificateIDCA])
 	} else if c.cluster.Spec.KeyStore != "" {
 		klog.Infof("Building KeyStore at %q", c.cluster.Spec.KeyStore)
 		p, err := vfs.Context.BuildVfsPath(c.cluster.Spec.KeyStore)