Refactor out some legacy interfaces

2021-07-10 19:54:15 -07:00 · 2021-07-10 19:54:15 -07:00 · a33a30a859
parent a397a881a1
commit a33a30a859
10 changed files with 21 additions and 152 deletions
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -485,16 +485,16 @@ func (c *NodeupModelContext) buildCertificatePairTask(ctx *fi.ModelBuilderContex

 // BuildCertificateTask builds a task to create a certificate file.
 func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
-	cert, err := c.KeyStore.FindCert(name)
+	keyset, err := c.KeyStore.FindKeyset(name)
 	if err != nil {
 		return err
 	}

-	if cert == nil {
-		return fmt.Errorf("certificate %q not found", name)
+	if keyset == nil {
+		return fmt.Errorf("keyset %q not found", name)
 	}

-	serialized, err := cert.AsString()
+	serialized, err := keyset.Primary.Certificate.AsString()
 	if err != nil {
 		return err
 	}
@ -516,16 +516,16 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n

 // BuildLegacyPrivateKeyTask builds a task to create a private key file.
 func (c *NodeupModelContext) BuildLegacyPrivateKeyTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
-	cert, err := c.KeyStore.FindPrivateKey(name)
+	keyset, err := c.KeyStore.FindKeyset(name)
 	if err != nil {
 		return err
 	}

-	if cert == nil {
-		return fmt.Errorf("private key %q not found", name)
+	if keyset == nil {
+		return fmt.Errorf("keyset %q not found", name)
 	}

-	serialized, err := cert.AsString()
+	serialized, err := keyset.Primary.PrivateKey.AsString()
 	if err != nil {
 		return err
 	}
--- a/nodeup/pkg/model/etcd_manager_tls.go
+++ b/nodeup/pkg/model/etcd_manager_tls.go
@ -17,11 +17,7 @@ limitations under the License.
 package model

 import (
-	"fmt"
-	"path/filepath"
-
 	"k8s.io/kops/upup/pkg/fi"
-	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )

 // EtcdManagerTLSBuilder configures TLS support for etcd-manager
@ -54,22 +50,7 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error {
 		}

 		for fileName, keystoreName := range keys {
-			cert, err := b.KeyStore.FindCert(keystoreName)
-			if err != nil {
-				return err
-			}
-			if cert == nil {
-				return fmt.Errorf("keypair %q not found", keystoreName)
-			}
-
-			ctx.AddTask(&nodetasks.File{
-				Path:     filepath.Join(d, fileName+".crt"),
-				Contents: fi.NewStringResource(b.NodeupConfig.CAs[keystoreName]),
-				Type:     nodetasks.FileType_File,
-				Mode:     fi.String("0600"),
-			})
-
-			if err := b.BuildPrivateKeyTask(ctx, keystoreName, d, fileName, nil, nil); err != nil {
+			if err := b.buildCertificatePairTask(ctx, keystoreName, d, fileName, nil, nil, true); err != nil {
 				return err
 			}
 		}
--- a/nodeup/pkg/model/fakes_test.go
+++ b/nodeup/pkg/model/fakes_test.go
@ -31,7 +31,6 @@ import (
 type fakeCAStore struct {
 	T              *testing.T
 	privateKeysets map[string]*kops.Keyset
-	certs          map[string]*pki.Certificate
 }

 var _ fi.CAStore = &fakeCAStore{}
@ -95,20 +94,6 @@ func (k fakeCAStore) MirrorTo(basedir vfs.Path) error {
 	panic("fakeCAStore does not implement MirrorTo")
 }

-func (k fakeCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
-	primaryId := k.privateKeysets[name].Spec.PrimaryId
-	for _, item := range k.privateKeysets[name].Spec.Keys {
-		if item.Id == primaryId {
-			return pki.ParsePEMPrivateKey(item.PrivateMaterial)
-		}
-	}
-	return nil, nil
-}
-
-func (k fakeCAStore) FindCert(name string) (*pki.Certificate, error) {
-	return k.certs[name], nil
-}
-
 func (k fakeCAStore) ListKeysets() (map[string]*fi.Keyset, error) {
 	panic("fakeCAStore does not implement ListKeysets")
 }
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@ -387,13 +387,6 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
 		"kube-scheduler":          simplePrivateKeyset(dummyCertificate, dummyKey),
 		"service-account":         saKeyset,
 	}
-	keystore.certs = map[string]*pki.Certificate{
-		"kubernetes-ca":           mustParseCertificate(dummyCertificate),
-		"apiserver-aggregator-ca": mustParseCertificate(dummyCertificate),
-		"kube-controller-manager": mustParseCertificate(dummyCertificate),
-		"kube-proxy":              mustParseCertificate(dummyCertificate),
-		"kube-scheduler":          mustParseCertificate(dummyCertificate),
-	}

 	nodeupModelContext, err := BuildNodeupModelContext(model)
 	if err != nil {
--- a/pkg/configserver/keystore.go
+++ b/pkg/configserver/keystore.go
@ -26,14 +26,10 @@ import (
 )

 //configserverKeyStore is a KeyStore backed by the config server.
-type configserverKeyStore struct {
-	caCertificates string
-}
+type configserverKeyStore struct{}

-func NewKeyStore(caCertificates string) fi.CAStore {
-	return &configserverKeyStore{
-		caCertificates: caCertificates,
-	}
+func NewKeyStore() fi.CAStore {
+	return &configserverKeyStore{}
 }

 // FindPrimaryKeypair implements pki.Keystore
@ -61,25 +57,6 @@ func (s *configserverKeyStore) MirrorTo(basedir vfs.Path) error {
 	return fmt.Errorf("MirrorTo not supported by configserverKeyStore")
 }

-// FindPrivateKey implements fi.CAStore
-func (s *configserverKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
-	return nil, fmt.Errorf("FindPrivateKey not supported by configserverKeyStore")
-}
-
-// FindCert implements fi.CAStore
-func (s *configserverKeyStore) FindCert(name string) (*pki.Certificate, error) {
-	if name == fi.CertificateIDCA {
-		// Special case for the CA certificate
-		c, err := pki.ParsePEMCertificate([]byte(s.caCertificates))
-		if err != nil {
-			return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
-		}
-		return c, nil
-	}
-
-	return nil, fmt.Errorf("FindCert(%q) not supported by configserverKeyStore", name)
-}
-
 // ListKeysets implements fi.CAStore
 func (s *configserverKeyStore) ListKeysets() (map[string]*fi.Keyset, error) {
 	return nil, fmt.Errorf("ListKeysets not supported by configserverKeyStore")
--- a/upup/pkg/fi/ca.go
+++ b/upup/pkg/fi/ca.go
@ -92,12 +92,6 @@ type HasVFSPath interface {
 type CAStore interface {
 	Keystore

-	// FindPrivateKey returns the named private key, or (nil,nil) if not found
-	FindPrivateKey(name string) (*pki.PrivateKey, error)
-
-	// FindCert returns the specified certificate, if it exists, or nil if not found
-	FindCert(name string) (*pki.Certificate, error)
-
 	// ListKeysets will return all the KeySets.
 	ListKeysets() (map[string]*Keyset, error)
 }
--- a/upup/pkg/fi/clientset_castore.go
+++ b/upup/pkg/fi/clientset_castore.go
@ -163,21 +163,6 @@ func (c *ClientsetCAStore) FindKeyset(name string) (*Keyset, error) {
 	return c.loadKeyset(ctx, name)
 }

-// FindCert implements CAStore::FindCert
-func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
-	ctx := context.TODO()
-	keyset, err := c.loadKeyset(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-
-	if keyset != nil && keyset.Primary != nil {
-		return keyset.Primary.Certificate, nil
-	}
-
-	return nil, nil
-}
-
 // ListKeysets implements CAStore::ListKeysets
 func (c *ClientsetCAStore) ListKeysets() (map[string]*Keyset, error) {
 	ctx := context.TODO()
@ -237,20 +222,6 @@ func (c *ClientsetCAStore) StoreKeyset(name string, keyset *Keyset) error {
 	return c.storeKeyset(ctx, name, keyset)
 }

-// FindPrivateKey implements CAStore::FindPrivateKey
-func (c *ClientsetCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
-	ctx := context.TODO()
-	keyset, err := c.loadKeyset(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-
-	if keyset != nil && keyset.Primary != nil {
-		return keyset.Primary.PrivateKey, nil
-	}
-	return nil, nil
-}
-
 // storeKeyset saves the specified keyset to the registry.
 func (c *ClientsetCAStore) storeKeyset(ctx context.Context, name string, keyset *Keyset) error {
 	create := false
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
@ -240,7 +240,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	}

 	if nodeConfig != nil {
-		modelContext.KeyStore = configserver.NewKeyStore(nodeupConfig.CAs[fi.CertificateIDCA])
+		modelContext.KeyStore = configserver.NewKeyStore()
 	} else if c.cluster.Spec.KeyStore != "" {
 		klog.Infof("Building KeyStore at %q", c.cluster.Spec.KeyStore)
 		p, err := vfs.Context.BuildVfsPath(c.cluster.Spec.KeyStore)
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@ -265,25 +265,6 @@ func (c *VFSCAStore) FindKeyset(id string) (*Keyset, error) {
 	return keys, nil
 }

-func (c *VFSCAStore) findCert(name string) (*pki.Certificate, bool, error) {
-	p := c.buildCertificatePoolPath(name)
-	certs, err := c.loadKeyset(p)
-	if err != nil {
-		return nil, false, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
-	}
-
-	if certs != nil && certs.Primary != nil {
-		return certs.Primary.Certificate, certs.LegacyFormat, nil
-	}
-
-	return nil, false, nil
-}
-
-func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
-	cert, _, err := c.findCert(name)
-	return cert, err
-}
-
 // ListKeysets implements CAStore::ListKeysets
 func (c *VFSCAStore) ListKeysets() (map[string]*Keyset, error) {
 	baseDir := c.basedir.Join("private")
@ -490,19 +471,6 @@ func (c *VFSCAStore) findPrivateKeyset(id string) (*Keyset, error) {
 	return keys, nil
 }

-func (c *VFSCAStore) FindPrivateKey(id string) (*pki.PrivateKey, error) {
-	keys, err := c.findPrivateKeyset(id)
-	if err != nil {
-		return nil, err
-	}
-
-	var key *pki.PrivateKey
-	if keys != nil && keys.Primary != nil {
-		key = keys.Primary.PrivateKey
-	}
-	return key, nil
-}
-
 // AddSSHPublicKey stores an SSH public key
 func (c *VFSCAStore) AddSSHPublicKey(name string, pubkey []byte) error {
 	id, err := sshcredentials.Fingerprint(string(pubkey))
--- a/upup/pkg/fi/vfs_castore_test.go
+++ b/upup/pkg/fi/vfs_castore_test.go
@ -180,16 +180,16 @@ spec:
 			t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 		}

-		key, err := s.FindPrivateKey("kubernetes-ca")
+		keyset, err := s.FindKeyset("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate pool: %v", err)
 		}

-		if key == nil {
-			t.Fatalf("private key was nil")
+		if keyset == nil {
+			t.Fatalf("private keyset was nil")
 		}

-		roundTrip, err := key.AsString()
+		roundTrip, err := keyset.Primary.PrivateKey.AsString()
 		if err != nil {
 			t.Fatalf("error serializing private key: %v", err)
 		}
@ -339,16 +339,16 @@ spec:
 			t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 		}

-		key, err := s.FindPrivateKey("kubernetes-ca")
+		keyset, err := s.FindKeyset("kubernetes-ca")
 		if err != nil {
 			t.Fatalf("error reading certificate pool: %v", err)
 		}

-		if key == nil {
-			t.Fatalf("private key was nil")
+		if keyset == nil {
+			t.Fatalf("private keyset was nil")
 		}

-		roundTrip, err := key.AsString()
+		roundTrip, err := keyset.Primary.PrivateKey.AsString()
 		if err != nil {
 			t.Fatalf("error serializing private key: %v", err)
 		}