diff --git a/cmd/kops-controller/pkg/server/node_config.go b/cmd/kops-controller/pkg/server/node_config.go
index f41870115b..dc78bef84b 100644
--- a/cmd/kops-controller/pkg/server/node_config.go
+++ b/cmd/kops-controller/pkg/server/node_config.go
@@ -61,27 +61,5 @@ func (s *Server) getNodeConfig(ctx context.Context, req *nodeup.BootstrapRequest
 		nodeConfig.NodeupConfig = string(b)
 	}
 
-	// We populate some certificates that we know the node will need.
-	for _, name := range []string{"ca"} {
-		cert, _, err := s.keystore.FindPrimaryKeypair(name)
-		if err != nil {
-			return nil, fmt.Errorf("error getting certificate %q: %w", name, err)
-		}
-
-		if cert == nil {
-			return nil, fmt.Errorf("certificate %q not found", name)
-		}
-
-		certData, err := cert.AsString()
-		if err != nil {
-			return nil, fmt.Errorf("error marshalling certificate %q: %w", name, err)
-		}
-
-		nodeConfig.Certificates = append(nodeConfig.Certificates, &nodeup.NodeConfigCertificate{
-			Name: name,
-			Cert: certData,
-		})
-	}
-
 	return nodeConfig, nil
 }
diff --git a/pkg/apis/nodeup/bootstrap.go b/pkg/apis/nodeup/bootstrap.go
index fc9bdc1ab3..5b84a7cfec 100644
--- a/pkg/apis/nodeup/bootstrap.go
+++ b/pkg/apis/nodeup/bootstrap.go
@@ -41,14 +41,11 @@ type BootstrapResponse struct {
 
 // NodeConfig holds configuration needed to boot a node (without the kops state store)
 type NodeConfig struct {
-	// ClusterFullConfig holds the configuration for the cluster
+	// ClusterFullConfig holds the completed configuration for the cluster.
 	ClusterFullConfig string `json:"clusterFullConfig,omitempty"`
 
 	// NodeupConfig holds the nodeup.Config for the node's instance group.
 	NodeupConfig string `json:"nodeupConfig,omitempty"`
-
-	// Certificates holds certificates that are already issued
-	Certificates []*NodeConfigCertificate `json:"certificates,omitempty"`
 }
 
 // NodeConfigCertificate holds a certificate that the node needs to boot.
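Review bot: Dropping `Certificates` from the `NodeConfig` wire type is a compatibility break for any nodeup that is older than the kops-controller serving it: that nodeup still looks for the CA under `certificates`, and with the field no longer populated it will not find one. If nodeup and kops-controller are always built from the same version this is fine; otherwise the commit description should state that mixed versions are unsupported across this change. The `NodeConfigCertificate` type, whose doc comment is the last context line of this hunk, appears to lose its only consumer in this struct — if nothing else in the package references it, remove it in the same commit rather than leaving a dead type behind. In the other direction an old controller's `certificates` key is simply ignored by a new nodeup's decoder, which is the intended outcome.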
diff --git a/pkg/configserver/keystore.go b/pkg/configserver/keystore.go
index d548388a13..a1ff611eb9 100644
--- a/pkg/configserver/keystore.go
+++ b/pkg/configserver/keystore.go
@@ -20,7 +20,6 @@ import (
 	"crypto/x509"
 	"fmt"
 
-	"k8s.io/kops/pkg/apis/nodeup"
 	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/util/pkg/vfs"
@@ -28,12 +27,12 @@ import (
 
 //configserverKeyStore is a KeyStore backed by the config server.
 type configserverKeyStore struct {
-	nodeConfig *nodeup.NodeConfig
+	caCertificates string
 }
 
-func NewKeyStore(nodeConfig *nodeup.NodeConfig) fi.CAStore {
+func NewKeyStore(caCertificates string) fi.CAStore {
 	return &configserverKeyStore{
-		nodeConfig: nodeConfig,
+		caCertificates: caCertificates,
 	}
 }
 
@@ -69,15 +68,13 @@ func (s *configserverKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, err
 
 // FindCert implements fi.CAStore
 func (s *configserverKeyStore) FindCert(name string) (*pki.Certificate, error) {
-	for _, cert := range s.nodeConfig.Certificates {
-		if cert.Name == name {
-			// Special case for the CA certificate
-			c, err := pki.ParsePEMCertificate([]byte(cert.Cert))
-			if err != nil {
-				return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
-			}
-			return c, nil
+	if name == fi.CertificateIDCA {
+		// Special case for the CA certificate
+		c, err := pki.ParsePEMCertificate([]byte(s.caCertificates))
+		if err != nil {
+			return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
 		}
+		return c, nil
 	}
 
 	return nil, fmt.Errorf("FindCert(%q) not supported by configserverKeyStore", name)
diff --git a/upup/pkg/fi/nodeup/command.go b/upup/pkg/fi/nodeup/command.go
index 96ea18bab8..6014d80525 100644
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
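Review bot: `FindCert` parses `s.caCertificates` with no check that the string is non-empty, so a CA that the config server failed to supply surfaces only as `error parsing certificate "ca"` instead of naming the real cause; a guard `if s.caCertificates == "" { return nil, fmt.Errorf("CA certificate %q was not provided by the config server", name) }` before the parse would make that failure explicit. The plural field name `caCertificates` also suggests the value may be a PEM bundle holding more than one certificate (for example during CA rotation), while `pki.ParsePEMCertificate` presumably yields a single certificate — confirm which block it picks, and rename the field to `caCertificate` if exactly one is ever expected. `NewKeyStore` is exported and has no doc comment; suggested: `// NewKeyStore returns a fi.CAStore backed by the config server. caCertificates is the PEM-encoded cluster CA, the only certificate FindCert can return.`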
@@ -240,7 +240,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	}
 
 	if nodeConfig != nil {
-		modelContext.KeyStore = configserver.NewKeyStore(nodeConfig)
+		modelContext.KeyStore = configserver.NewKeyStore(nodeupConfig.CAs[fi.CertificateIDCA])
 	} else if c.cluster.Spec.KeyStore != "" {
 		klog.Infof("Building KeyStore at %q", c.cluster.Spec.KeyStore)
 		p, err := vfs.Context.BuildVfsPath(c.cluster.Spec.KeyStore)
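Review bot: `nodeupConfig.CAs[fi.CertificateIDCA]` is a plain map index, so a nodeup config that does not carry the cluster CA yields an empty string and the keystore is built anyway; the failure then shows up later as a certificate parse error rather than at the point where the CA was expected. Check for the key here and fail fast, assuming `fmt` is already imported in this file and that `nodeupConfig` is non-nil in this branch (the new line already dereferences it). The enclosing `Run` method starts and ends outside the hunk.
```go
	if nodeConfig != nil {
		ca, ok := nodeupConfig.CAs[fi.CertificateIDCA]
		if !ok || ca == "" {
			return fmt.Errorf("nodeup config from the config server does not contain the %q certificate", fi.CertificateIDCA)
		}
		modelContext.KeyStore = configserver.NewKeyStore(ca)
	} else if c.cluster.Spec.KeyStore != "" {
		// … unchanged: VFS-backed keystore construction …
```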