kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor some users of FindPrimaryKeypair

This commit is contained in:
John Gardiner Myers 2021-07-10 20:35:54 -07:00
parent 6f06661a68
commit 6ddccf5f79
3 changed files with 9 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
nodeup/pkg/model/context.go
View File

@ -622,25 +622,20 @@ func EvaluateHostnameOverride(hostnameOverride string) (string, error) {
return *(result.Reservations[0].Instances[0].PrivateDnsName), nil return *(result.Reservations[0].Instances[0].PrivateDnsName), nil
} }
// GetPrimaryKeypair is a helper method to retrieve a primary keypair from the store // GetPrimaryKeypair is a helper method to retrieve a primary keypair from the store.
// TODO: Use the KeysetID in NodeupConfig instead of the Primary keypair.
func (c *NodeupModelContext) GetPrimaryKeypair(name string) (cert []byte, key []byte, err error) { func (c *NodeupModelContext) GetPrimaryKeypair(name string) (cert []byte, key []byte, err error) {
certificate, privateKey, err := c.KeyStore.FindPrimaryKeypair(name) keyset, err := c.KeyStore.FindKeyset(name)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("error fetching certificate: %v from keystore: %v", name, err) return nil, nil, fmt.Errorf("error fetching keyset: %v from keystore: %v", name, err)
}
if certificate == nil {
return nil, nil, fmt.Errorf("unable to find certificate: %s", name)
}
if privateKey == nil {
return nil, nil, fmt.Errorf("unable to find key: %s", name)
} }
cert, err = certificate.AsBytes() cert, err = keyset.Primary.Certificate.AsBytes()
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
key, err = privateKey.AsBytes() key, err = keyset.Primary.PrivateKey.AsBytes()
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }

17
nodeup/pkg/model/kube_apiserver.go
View File

@ -258,28 +258,15 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte
kubeAPIServer.AuthenticationTokenWebhookConfigFile = fi.String(PathAuthnConfig) kubeAPIServer.AuthenticationTokenWebhookConfigFile = fi.String(PathAuthnConfig)
{ {
caCertificate, _, err := b.NodeupModelContext.KeyStore.FindPrimaryKeypair(fi.CertificateIDCA)
if err != nil {
return fmt.Errorf("error fetching AWS IAM Authentication CA certificate from keystore: %v", err)
}
if caCertificate == nil {
return fmt.Errorf("AWS IAM Authentication CA certificate %q not found", fi.CertificateIDCA)
}
cluster := kubeconfig.KubectlCluster{ cluster := kubeconfig.KubectlCluster{
Server: "https://127.0.0.1:21362/authenticate", Server: "https://127.0.0.1:21362/authenticate",
CertificateAuthorityData: []byte(b.NodeupConfig.CAs[fi.CertificateIDCA]),
} }
context := kubeconfig.KubectlContext{ context := kubeconfig.KubectlContext{
Cluster: "aws-iam-authenticator", Cluster: "aws-iam-authenticator",
User: "kube-apiserver", User: "kube-apiserver",
} }
// Since we're talking to localhost, we don't need the entire certificate bundle.
cluster.CertificateAuthorityData, err = caCertificate.AsBytes()
if err != nil {
return fmt.Errorf("error encoding AWS IAM Authentication CA certificate: %v", err)
}
config := kubeconfig.KubectlConfig{} config := kubeconfig.KubectlConfig{}
config.Clusters = append(config.Clusters, &kubeconfig.KubectlClusterWithName{ config.Clusters = append(config.Clusters, &kubeconfig.KubectlClusterWithName{
Name: "aws-iam-authenticator", Name: "aws-iam-authenticator",

2
nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
View File

@ -2,7 +2,7 @@ contents: |
apiVersion: "" apiVersion: ""
clusters: clusters:
- cluster: - cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNDZ0F3SUJBZ0lSQUxKWEFrVmo5NjR0cTY3d01TSThvSlF3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4TnpFeU1qY3lNelV5TkRCYUZ3MHlOekV5TWpjeQpNelV5TkRCYU1CVXhFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURnbkNrU210bm1meEVnUzNxTlBhVUNINVFPQkdESC9pbkhiV0NPRExCQ0s5Z2QKWEVjQmw3RlZ2OFQya0ZyMURZYjBIVkR0TUk3dGl4UlZGRExna3dObFczNHh3V2RaWEI3R2VvRmdVMXhXT1FTWQpPQUNDOEpnWVRRLzEzOUhCRXZncTRzZWo2N3ArL3MvU05jdzM0S2s3SEl1RmhsazFyUms1a01leEtJbEpCS1AxCllZVVlldHNKL1FwVU9rcUo1SFc0R29ldEU3Nll0SG5PUmZZdm55YnZpU01yaDJ3R0dhTjZyL3M0Q2hPYUliWkMKQW44L1lpUEtHSURhWkdwajZHWG5tWEFSUlgvVElkZ1NRa0x3dDBhVERCblBaNFh2dHBJOGFhTDhEWUpJcUF6QQpOUEgyYjQvdU55bGF0NWpEbzBiMEc1NGFnTWk5NysyQVVyQzlVVVhwQWdNQkFBR2pJekFoTUE0R0ExVWREd0VCCi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCVkdSMnIKaHpYelJNVTV3cmlQUUFKU2Nzek5PUnZvQnBYZlpvWjA5Rkl1cHVkRnhCVlUzZDRoVjlTdEtuUWdQU0dBNVhRTwpIRTk3K0J4SkR1QS9yQjVvQlVzTUJqYzd5MWNkZS9UNmhtaTNyTG9FWUJTblN1ZENPWEpFNEc5LzBmOGJ5QUplCnJOOCtObzFyMlZnWnZaaDZwNzRURWtYdi9sM0hCUFdNN0lkVVYwSE85SkRoU2dPVkYxZnlRS0p4UnVMSlI4anQKTzZtUEgyVVgwdk13VmE0anZ3dGtkZHFrMk9BZFlRdkg5cmJEampiemFpVzBLbm1kdWVSbzkyS0hBTjdCc0RaeQpWcFhIcHFvMUt6ZzdEM2ZwYVhDZjVzaTdscXFyZEpWWEg0SkM3Mnp4c1BlaHFnaThlSXVxT0JraURXbVJ4QXhoCjh5R2VSeDlBYmtuSGg0SWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNDZ0F3SUJBZ0lSQUxKWEFrVmo5NjR0cTY3d01TSThvSlF3RFFZSktvWklodmNOQVFFTEJRQXcKRlRFVE1CRUdBMVVFQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4TnpFeU1qY3lNelV5TkRCYUZ3MHlOekV5TWpjeQpNelV5TkRCYU1CVXhFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBCkE0SUJEd0F3Z2dFS0FvSUJBUURnbkNrU210bm1meEVnUzNxTlBhVUNINVFPQkdESC9pbkhiV0NPRExCQ0s5Z2QKWEVjQmw3RlZ2OFQya0ZyMURZYjBIVkR0TUk3dGl4UlZGRExna3dObFczNHh3V2RaWEI3R2VvRmdVMXhXT1FTWQpPQUNDOEpnWVRRLzEzOUhCRXZncTRzZWo2N3ArL3MvU05jdzM0S2s3SEl1RmhsazFyUms1a01leEtJbEpCS1AxCllZVVlldHNKL1FwVU9rcUo1SFc0R29ldEU3Nll0SG5PUmZZdm55YnZpU01yaDJ3R0dhTjZyL3M0Q2hPYUliWkMKQW44L1lpUEtHSURhWkdwajZHWG5tWEFSUlgvVElkZ1NRa0x3dDBhVERCblBaNFh2dHBJOGFhTDhEWUpJcUF6QQpOUEgyYjQvdU55bGF0NWpEbzBiMEc1NGFnTWk5NysyQVVyQzlVVVhwQWdNQkFBR2pJekFoTUE0R0ExVWREd0VCCi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCVkdSMnIKaHpYelJNVTV3cmlQUUFKU2Nzek5PUnZvQnBYZlpvWjA5Rkl1cHVkRnhCVlUzZDRoVjlTdEtuUWdQU0dBNVhRTwpIRTk3K0J4SkR1QS9yQjVvQlVzTUJqYzd5MWNkZS9UNmhtaTNyTG9FWUJTblN1ZENPWEpFNEc5LzBmOGJ5QUplCnJOOCtObzFyMlZnWnZaaDZwNzRURWtYdi9sM0hCUFdNN0lkVVYwSE85SkRoU2dPVkYxZnlRS0p4UnVMSlI4anQKTzZtUEgyVVgwdk13VmE0anZ3dGtkZHFrMk9BZFlRdkg5cmJEampiemFpVzBLbm1kdWVSbzkyS0hBTjdCc0RaeQpWcFhIcHFvMUt6ZzdEM2ZwYVhDZjVzaTdscXFyZEpWWEg0SkM3Mnp4c1BlaHFnaThlSXVxT0JraURXbVJ4QXhoCjh5R2VSeDlBYmtuSGg0SWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJQlp6Q0NBUkdnQXdJQkFnSUJCREFOQmdrcWhraUc5dzBCQVFzRkFEQWFNUmd3RmdZRFZRUURFdzl6WlhKMgphV05sTFdGalkyOTFiblF3SGhjTk1qRXdOVEF5TWpBek1qRTNXaGNOTXpFd05UQXlNakF6TWpFM1dqQWFNUmd3CkZnWURWUVFERXc5elpYSjJhV05sTFdGalkyOTFiblF3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUEKbzRUcmlkbHNmNFl6M1VBaXVwL3NjU1RpRy9PcXhrVVczRno3ekdLdlZjTGVZajlHRUlLdXpvQjFWRmsxbmJvRApxNGNDdUdMZmR6YVFkQ1FLUElzRHV3SURBUUFCbzBJd1FEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUCkFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVoUGJ4RW1VYndWT0NhK2ZaZ3hyZUZoZjY3VUV3RFFZSktvWkkKaHZjTkFRRUxCUUFEUVFBTE1zeUsyUTdDL2JrMjdlQ3ZYeVpLVWZyTHZvcjEwaEVqd0dodjE0enNLV0RlVGovSgpBMUxQWXA3VTlWdEZmZ0ZPa1Zia0xFOVJzdGMwbHROclBxeEEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://127.0.0.1:21362/authenticate server: https://127.0.0.1:21362/authenticate
name: aws-iam-authenticator name: aws-iam-authenticator
contexts: contexts: