diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index 426259b050..b295ab2412 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -485,16 +485,16 @@ func (c *NodeupModelContext) buildCertificatePairTask(ctx *fi.ModelBuilderContex
 // BuildCertificateTask builds a task to create a certificate file.
 func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
- cert, err := c.KeyStore.FindCert(name)
+ keyset, err := c.KeyStore.FindKeyset(name)
 if err != nil {
 return err
 }
- if cert == nil {
- return fmt.Errorf("certificate %q not found", name)
+ if keyset == nil {
+ return fmt.Errorf("keyset %q not found", name)
 }
- serialized, err := cert.AsString()
+ serialized, err := keyset.Primary.Certificate.AsString()
 if err != nil {
 return err
 }
@@ -516,16 +516,16 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n
 // BuildLegacyPrivateKeyTask builds a task to create a private key file.
 func (c *NodeupModelContext) BuildLegacyPrivateKeyTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
- cert, err := c.KeyStore.FindPrivateKey(name)
+ keyset, err := c.KeyStore.FindKeyset(name)
 if err != nil {
 return err
 }
- if cert == nil {
- return fmt.Errorf("private key %q not found", name)
+ if keyset == nil {
+ return fmt.Errorf("keyset %q not found", name)
 }
- serialized, err := cert.AsString()
+ serialized, err := keyset.Primary.PrivateKey.AsString()
 if err != nil {
 return err
 }
diff --git a/nodeup/pkg/model/etcd_manager_tls.go b/nodeup/pkg/model/etcd_manager_tls.go
index 11f858cad0..ca705b9f39 100644
--- a/nodeup/pkg/model/etcd_manager_tls.go
+++ b/nodeup/pkg/model/etcd_manager_tls.go
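Review bot: `keyset.Primary.Certificate.AsString()` is reached after a check on `keyset == nil` only, so a keyset that has no primary entry, or a primary with no certificate, now panics inside BuildCertificateTask instead of returning an error; the FindCert implementations this commit deletes from ClientsetCAStore and VFSCAStore both guarded `keyset.Primary != nil` before touching it. The second hunk (BuildLegacyPrivateKeyTask) has the same gap with `keyset.Primary.PrivateKey.AsString()`. Suggested guard for the first: `if keyset == nil || keyset.Primary == nil || keyset.Primary.Certificate == nil {` followed by `return fmt.Errorf("keyset %q has no primary certificate", name)`, and the analogous PrivateKey check in the second. Both functions continue past the end of their hunks.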
@@ -17,11 +17,7 @@ limitations under the License.
 package model
 import (
- "fmt"
- "path/filepath"
-
 "k8s.io/kops/upup/pkg/fi"
- "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 // EtcdManagerTLSBuilder configures TLS support for etcd-manager
@@ -54,22 +50,7 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error {
 }
 for fileName, keystoreName := range keys {
- cert, err := b.KeyStore.FindCert(keystoreName)
- if err != nil {
- return err
- }
- if cert == nil {
- return fmt.Errorf("keypair %q not found", keystoreName)
- }
-
- ctx.AddTask(&nodetasks.File{
- Path: filepath.Join(d, fileName+".crt"),
- Contents: fi.NewStringResource(b.NodeupConfig.CAs[keystoreName]),
- Type: nodetasks.FileType_File,
- Mode: fi.String("0600"),
- })
-
- if err := b.BuildPrivateKeyTask(ctx, keystoreName, d, fileName, nil, nil); err != nil {
+ if err := b.buildCertificatePairTask(ctx, keystoreName, d, fileName, nil, nil, true); err != nil {
 return err
 }
 }
diff --git a/nodeup/pkg/model/fakes_test.go b/nodeup/pkg/model/fakes_test.go
index 402e532a92..74762b21c0 100644
--- a/nodeup/pkg/model/fakes_test.go
+++ b/nodeup/pkg/model/fakes_test.go
@@ -31,7 +31,6 @@ import (
 type fakeCAStore struct {
 T *testing.T
 privateKeysets map[string]*kops.Keyset
- certs map[string]*pki.Certificate
 }
 var _ fi.CAStore = &fakeCAStore{}
@@ -95,20 +94,6 @@ func (k fakeCAStore) MirrorTo(basedir vfs.Path) error {
 panic("fakeCAStore does not implement MirrorTo")
 }
-func (k fakeCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
- primaryId := k.privateKeysets[name].Spec.PrimaryId
- for _, item := range k.privateKeysets[name].Spec.Keys {
- if item.Id == primaryId {
- return pki.ParsePEMPrivateKey(item.PrivateMaterial)
- }
- }
- return nil, nil
-}
-
-func (k fakeCAStore) FindCert(name string) (*pki.Certificate, error) {
- return k.certs[name], nil
-}
-
 func (k fakeCAStore) ListKeysets() (map[string]*fi.Keyset, error) {
 panic("fakeCAStore does not implement ListKeysets")
 }
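Review bot: The etcd-manager `.crt` file previously held `b.NodeupConfig.CAs[keystoreName]`, the CA material shipped in the nodeup config, and now holds whatever `buildCertificatePairTask` writes for the keyset; that helper is defined outside this diff, so if it emits only the keyset's primary certificate rather than the full CA bundle, a node would lose the secondary trust anchor during an etcd CA rotation — worth confirming before merge. The trailing `true` in `b.buildCertificatePairTask(ctx, keystoreName, d, fileName, nil, nil, true)` is also an unexplained boolean literal; a named local such as `PLACEHOLDER_FLAG_NAME := true // <what the last parameter selects>` or a trailing comment would tell the next reader what it turns on. The Build function starts before this hunk.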
diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
index a20785a483..c9e7a23db6 100644
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@@ -387,13 +387,6 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
 "kube-scheduler": simplePrivateKeyset(dummyCertificate, dummyKey),
 "service-account": saKeyset,
 }
- keystore.certs = map[string]*pki.Certificate{
- "kubernetes-ca": mustParseCertificate(dummyCertificate),
- "apiserver-aggregator-ca": mustParseCertificate(dummyCertificate),
- "kube-controller-manager": mustParseCertificate(dummyCertificate),
- "kube-proxy": mustParseCertificate(dummyCertificate),
- "kube-scheduler": mustParseCertificate(dummyCertificate),
- }
 nodeupModelContext, err := BuildNodeupModelContext(model)
 if err != nil {
diff --git a/pkg/configserver/keystore.go b/pkg/configserver/keystore.go
index a1ff611eb9..1eb5e8e62c 100644
--- a/pkg/configserver/keystore.go
+++ b/pkg/configserver/keystore.go
@@ -26,14 +26,10 @@ import (
 )
 //configserverKeyStore is a KeyStore backed by the config server.
-type configserverKeyStore struct {
- caCertificates string
-}
+type configserverKeyStore struct{}
-func NewKeyStore(caCertificates string) fi.CAStore {
- return &configserverKeyStore{
- caCertificates: caCertificates,
- }
+func NewKeyStore() fi.CAStore {
+ return &configserverKeyStore{}
 }
 // FindPrimaryKeypair implements pki.Keystore
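Review bot: `NewKeyStore` is exported and gets a new signature in the pkg/configserver/keystore.go hunk but still carries no doc comment, while every neighbouring method in the file documents which interface it implements. Suggest `// NewKeyStore returns a fi.CAStore backed by the config server.` directly above `func NewKeyStore() fi.CAStore {`. The type comment on the context line above it is also missing the space after `//` that the project's other comments use, which could be fixed in the same pass.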
@@ -61,25 +57,6 @@ func (s *configserverKeyStore) MirrorTo(basedir vfs.Path) error {
 return fmt.Errorf("MirrorTo not supported by configserverKeyStore")
 }
-// FindPrivateKey implements fi.CAStore
-func (s *configserverKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
- return nil, fmt.Errorf("FindPrivateKey not supported by configserverKeyStore")
-}
-
-// FindCert implements fi.CAStore
-func (s *configserverKeyStore) FindCert(name string) (*pki.Certificate, error) {
- if name == fi.CertificateIDCA {
- // Special case for the CA certificate
- c, err := pki.ParsePEMCertificate([]byte(s.caCertificates))
- if err != nil {
- return nil, fmt.Errorf("error parsing certificate %q: %w", name, err)
- }
- return c, nil
- }
-
- return nil, fmt.Errorf("FindCert(%q) not supported by configserverKeyStore", name)
-}
-
 // ListKeysets implements fi.CAStore
 func (s *configserverKeyStore) ListKeysets() (map[string]*fi.Keyset, error) {
 return nil, fmt.Errorf("ListKeysets not supported by configserverKeyStore")
diff --git a/upup/pkg/fi/ca.go b/upup/pkg/fi/ca.go
index cad493a8f4..958ee27c09 100644
--- a/upup/pkg/fi/ca.go
+++ b/upup/pkg/fi/ca.go
@@ -92,12 +92,6 @@ type HasVFSPath interface {
 type CAStore interface {
 Keystore
- // FindPrivateKey returns the named private key, or (nil,nil) if not found
- FindPrivateKey(name string) (*pki.PrivateKey, error)
-
- // FindCert returns the specified certificate, if it exists, or nil if not found
- FindCert(name string) (*pki.Certificate, error)
-
 // ListKeysets will return all the KeySets.
 ListKeysets() (map[string]*Keyset, error)
 }
diff --git a/upup/pkg/fi/clientset_castore.go b/upup/pkg/fi/clientset_castore.go
index 73712ddef5..5d64bdbf28 100644
--- a/upup/pkg/fi/clientset_castore.go
+++ b/upup/pkg/fi/clientset_castore.go
@@ -163,21 +163,6 @@ func (c *ClientsetCAStore) FindKeyset(name string) (*Keyset, error) {
 return c.loadKeyset(ctx, name)
 }
-// FindCert implements CAStore::FindCert
-func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
- ctx := context.TODO()
- keyset, err := c.loadKeyset(ctx, name)
- if err != nil {
- return nil, err
- }
-
- if keyset != nil && keyset.Primary != nil {
- return keyset.Primary.Certificate, nil
- }
-
- return nil, nil
-}
-
 // ListKeysets implements CAStore::ListKeysets
 func (c *ClientsetCAStore) ListKeysets() (map[string]*Keyset, error) {
 ctx := context.TODO()
@@ -237,20 +222,6 @@ func (c *ClientsetCAStore) StoreKeyset(name string, keyset *Keyset) error {
 return c.storeKeyset(ctx, name, keyset)
 }
-// FindPrivateKey implements CAStore::FindPrivateKey
-func (c *ClientsetCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
- ctx := context.TODO()
- keyset, err := c.loadKeyset(ctx, name)
- if err != nil {
- return nil, err
- }
-
- if keyset != nil && keyset.Primary != nil {
- return keyset.Primary.PrivateKey, nil
- }
- return nil, nil
-}
-
 // storeKeyset saves the specified keyset to the registry.
 func (c *ClientsetCAStore) storeKeyset(ctx context.Context, name string, keyset *Keyset) error {
 create := false
diff --git a/upup/pkg/fi/nodeup/command.go b/upup/pkg/fi/nodeup/command.go
index 7c1474010f..b10acf03e0 100644
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
@@ -240,7 +240,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 }
 if nodeConfig != nil {
- modelContext.KeyStore = configserver.NewKeyStore(nodeupConfig.CAs[fi.CertificateIDCA])
+ modelContext.KeyStore = configserver.NewKeyStore()
 } else if c.cluster.Spec.KeyStore != "" {
 klog.Infof("Building KeyStore at %q", c.cluster.Spec.KeyStore)
 p, err := vfs.Context.BuildVfsPath(c.cluster.Spec.KeyStore)
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index f1031eb11f..fcd6d57e83 100644
--- a/upup/pkg/fi/vfs_castore.go
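Review bot: With `configserver.NewKeyStore()` no longer receiving `nodeupConfig.CAs[fi.CertificateIDCA]`, the config-server keystore holds no copy of the CA certificate, and the FindCert special case that used to parse and return it is deleted in pkg/configserver/keystore.go; any lookup of the CA on a config-server node now goes through `configserverKeyStore.FindKeyset`, which is outside this diff. If that method is a "not supported" stub like the neighbouring MirrorTo and ListKeysets, a BuildCertificateTask for `fi.CertificateIDCA` on this path would fail where it previously succeeded, so it is worth confirming that no remaining caller needs the CA from this keystore, or recording where the CA is expected to come from in a comment on the `if nodeConfig != nil {` branch. Run's body continues outside the hunk.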
+++ b/upup/pkg/fi/vfs_castore.go
@@ -265,25 +265,6 @@ func (c *VFSCAStore) FindKeyset(id string) (*Keyset, error) {
 return keys, nil
 }
-func (c *VFSCAStore) findCert(name string) (*pki.Certificate, bool, error) {
- p := c.buildCertificatePoolPath(name)
- certs, err := c.loadKeyset(p)
- if err != nil {
- return nil, false, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
- }
-
- if certs != nil && certs.Primary != nil {
- return certs.Primary.Certificate, certs.LegacyFormat, nil
- }
-
- return nil, false, nil
-}
-
-func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
- cert, _, err := c.findCert(name)
- return cert, err
-}
-
 // ListKeysets implements CAStore::ListKeysets
 func (c *VFSCAStore) ListKeysets() (map[string]*Keyset, error) {
 baseDir := c.basedir.Join("private")
@@ -490,19 +471,6 @@ func (c *VFSCAStore) findPrivateKeyset(id string) (*Keyset, error) {
 return keys, nil
 }
-func (c *VFSCAStore) FindPrivateKey(id string) (*pki.PrivateKey, error) {
- keys, err := c.findPrivateKeyset(id)
- if err != nil {
- return nil, err
- }
-
- var key *pki.PrivateKey
- if keys != nil && keys.Primary != nil {
- key = keys.Primary.PrivateKey
- }
- return key, nil
-}
-
 // AddSSHPublicKey stores an SSH public key
 func (c *VFSCAStore) AddSSHPublicKey(name string, pubkey []byte) error {
 id, err := sshcredentials.Fingerprint(string(pubkey))
diff --git a/upup/pkg/fi/vfs_castore_test.go b/upup/pkg/fi/vfs_castore_test.go
index 9510a3f032..f3dcd0f2bf 100644
--- a/upup/pkg/fi/vfs_castore_test.go
+++ b/upup/pkg/fi/vfs_castore_test.go
@@ -180,16 +180,16 @@ spec:
 t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 }
- key, err := s.FindPrivateKey("kubernetes-ca")
+ keyset, err := s.FindKeyset("kubernetes-ca")
 if err != nil {
 t.Fatalf("error reading certificate pool: %v", err)
 }
- if key == nil {
- t.Fatalf("private key was nil")
+ if keyset == nil {
+ t.Fatalf("private keyset was nil")
 }
- roundTrip, err := key.AsString()
+ roundTrip, err := keyset.Primary.PrivateKey.AsString()
 if err != nil {
 t.Fatalf("error serializing private key: %v", err)
 }
@@ -339,16 +339,16 @@ spec:
 t.Fatalf("unexpected private/ca/keyset.yaml: %q", string(privateKeysetYaml))
 }
- key, err := s.FindPrivateKey("kubernetes-ca")
+ keyset, err := s.FindKeyset("kubernetes-ca")
 if err != nil {
 t.Fatalf("error reading certificate pool: %v", err)
 }
- if key == nil {
- t.Fatalf("private key was nil")
+ if keyset == nil {
+ t.Fatalf("private keyset was nil")
 }
- roundTrip, err := key.AsString()
+ roundTrip, err := keyset.Primary.PrivateKey.AsString()
 if err != nil {
 t.Fatalf("error serializing private key: %v", err)
 }
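Review bot: `keyset.Primary.PrivateKey.AsString()` follows a nil check on `keyset` alone, so a keyset whose Primary or PrivateKey is nil would crash the test with a nil-pointer panic rather than failing it through t.Fatalf with a readable message; the second hunk at line 339 has the same shape. Widen the guard to `if keyset == nil || keyset.Primary == nil || keyset.Primary.PrivateKey == nil {` with `t.Fatalf("private keyset or its primary key was nil")` in both places. The enclosing test functions start before each hunk.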