Use kops-controller to issue kube-router cert

cmd/kops-controller/pkg/server/server.go

@@ -168,6 +168,10 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 		issueReq.Subject = pkix.Name{
 			CommonName: rbac.KubeProxy,
 		}
+	case "kube-router":
+		issueReq.Subject = pkix.Name{
+			CommonName: rbac.KubeRouter,
+		}
 	default:
 		return "", fmt.Errorf("unexpected key name")
 	}

nodeup/pkg/model/networking/BUILD.bazel

@@ -14,6 +14,7 @@ go_library(
     deps = [
         "//nodeup/pkg/model:go_default_library",
         "//pkg/apis/kops:go_default_library",
+        "//pkg/rbac:go_default_library",
         "//upup/pkg/fi:go_default_library",
         "//upup/pkg/fi/nodeup/nodetasks:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",

nodeup/pkg/model/networking/kube_router.go

@@ -18,6 +18,7 @@ package networking
 
 import (
 	"k8s.io/kops/nodeup/pkg/model"
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
@@ -37,14 +38,21 @@ func (b *KuberouterBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}
 
-	kubeconfig, err := b.BuildPKIKubeconfig("kube-router")
+	var kubeconfig fi.Resource
-	if err != nil {
+	var err error
-		return err
+
+	if b.IsMaster {
+		kubeconfig = b.BuildIssuedKubeconfig("kube-router", nodetasks.PKIXName{CommonName: rbac.KubeRouter}, c)
+	} else {
+		kubeconfig, err = b.BuildBootstrapKubeconfig("kube-router", c)
+		if err != nil {
+			return err
+		}
 	}
 
 	c.AddTask(&nodetasks.File{
 		Path:     "/var/lib/kube-router/kubeconfig",
-		Contents: fi.NewStringResource(kubeconfig),
+		Contents: kubeconfig,
 		Type:     nodetasks.FileType_File,
 		Mode:     fi.String("0400"),
 	})

pkg/model/iam/iam_builder.go

@@ -474,7 +474,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]s
 
 		if networkingSpec != nil {
 			// @check if kuberoute is enabled and permit access to the private key
-			if networkingSpec.Kuberouter != nil {
+			if networkingSpec.Kuberouter != nil && !model.UseKopsControllerForNodeBootstrap(cluster) {
 				paths = append(paths, "/pki/private/kube-router/*")
 			}
 

pkg/model/pki.go

@@ -140,10 +140,10 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}
 
-	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil {
+	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil && !b.UseKopsControllerForNodeBootstrap() {
 		t := &fitasks.Keypair{
 			Name:    fi.String("kube-router"),
-			Subject: "cn=" + "system:kube-router",
+			Subject: "cn=" + rbac.KubeRouter,
 			Type:    "client",
 			Signer:  defaultCA,
 		}

pkg/rbac/wellknown.go

@@ -29,6 +29,7 @@ const (
 
 	// core kubernetes process identities
 	KubeProxy             = "system:kube-proxy"
+	KubeRouter            = "system:kube-router"
 	KubeControllerManager = "system:kube-controller-manager"
 	KubeScheduler         = "system:kube-scheduler"
 )