Use kops-controller to issue kube-router cert

2020-08-16 22:36:51 -07:00 · 2020-08-16 22:36:51 -07:00 · b6947ccaee
parent 8e43c1d637
commit b6947ccaee
6 changed files with 21 additions and 7 deletions
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@ -168,6 +168,10 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 		issueReq.Subject = pkix.Name{
 			CommonName: rbac.KubeProxy,
 		}
+	case "kube-router":
+		issueReq.Subject = pkix.Name{
+			CommonName: rbac.KubeRouter,
+		}
 	default:
 		return "", fmt.Errorf("unexpected key name")
 	}
--- a/nodeup/pkg/model/networking/BUILD.bazel
+++ b/nodeup/pkg/model/networking/BUILD.bazel
@ -14,6 +14,7 @@ go_library(
    deps = [
        "//nodeup/pkg/model:go_default_library",
        "//pkg/apis/kops:go_default_library",
+        "//pkg/rbac:go_default_library",
        "//upup/pkg/fi:go_default_library",
        "//upup/pkg/fi/nodeup/nodetasks:go_default_library",
        "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
--- a/nodeup/pkg/model/networking/kube_router.go
+++ b/nodeup/pkg/model/networking/kube_router.go
@ -18,6 +18,7 @@ package networking

 import (
 	"k8s.io/kops/nodeup/pkg/model"
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
@ -37,14 +38,21 @@ func (b *KuberouterBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}

-	kubeconfig, err := b.BuildPKIKubeconfig("kube-router")
-	if err != nil {
-		return err
+	var kubeconfig fi.Resource
+	var err error
+
+	if b.IsMaster {
+		kubeconfig = b.BuildIssuedKubeconfig("kube-router", nodetasks.PKIXName{CommonName: rbac.KubeRouter}, c)
+	} else {
+		kubeconfig, err = b.BuildBootstrapKubeconfig("kube-router", c)
+		if err != nil {
+			return err
+		}
 	}

 	c.AddTask(&nodetasks.File{
 		Path:     "/var/lib/kube-router/kubeconfig",
-		Contents: fi.NewStringResource(kubeconfig),
+		Contents: kubeconfig,
 		Type:     nodetasks.FileType_File,
 		Mode:     fi.String("0400"),
 	})
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@ -474,7 +474,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]s

 		if networkingSpec != nil {
 			// @check if kuberoute is enabled and permit access to the private key
-			if networkingSpec.Kuberouter != nil {
+			if networkingSpec.Kuberouter != nil && !model.UseKopsControllerForNodeBootstrap(cluster) {
 				paths = append(paths, "/pki/private/kube-router/*")
 			}

--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@ -140,10 +140,10 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}

-	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil {
+	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil && !b.UseKopsControllerForNodeBootstrap() {
 		t := &fitasks.Keypair{
 			Name:    fi.String("kube-router"),
-			Subject: "cn=" + "system:kube-router",
+			Subject: "cn=" + rbac.KubeRouter,
 			Type:    "client",
 			Signer:  defaultCA,
 		}
--- a/pkg/rbac/wellknown.go
+++ b/pkg/rbac/wellknown.go
@ -29,6 +29,7 @@ const (

 	// core kubernetes process identities
 	KubeProxy             = "system:kube-proxy"
+	KubeRouter            = "system:kube-router"
 	KubeControllerManager = "system:kube-controller-manager"
 	KubeScheduler         = "system:kube-scheduler"
 )