Pull pki.Keystore out of fi.KeystoreReader

2022-12-21 22:10:52 -08:00 · 2022-12-21 22:10:52 -08:00 · c051198f85
parent 991ab04201
commit c051198f85
7 changed files with 24 additions and 36 deletions
--- a/pkg/commands/helpers/kubectl_auth.go
+++ b/pkg/commands/helpers/kubectl_auth.go
@ -255,7 +255,7 @@ func buildCredentials(ctx context.Context, f *util.Factory, options *HelperKubec
 		},
 		Validity: options.Lifetime,
 	}
-	cert, privateKey, _, err := pki.IssueCert(ctx, &req, keyStore)
+	cert, privateKey, _, err := pki.IssueCert(ctx, &req, fi.NewPKIKeystoreAdapter(keyStore))
 	if err != nil {
 		return nil, fmt.Errorf("unable to issue certificate: %v", err)
 	}
--- a/pkg/kubeconfig/create_kubecfg.go
+++ b/pkg/kubeconfig/create_kubecfg.go
@ -33,7 +33,7 @@ import (

 const DefaultKubecfgAdminLifetime = 18 * time.Hour

-func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.SecretStore, cloud fi.Cloud, admin time.Duration, configUser string, internal bool, kopsStateStore string, useKopsAuthenticationPlugin bool) (*KubeconfigBuilder, error) {
+func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.KeystoreReader, secretStore fi.SecretStore, cloud fi.Cloud, admin time.Duration, configUser string, internal bool, kopsStateStore string, useKopsAuthenticationPlugin bool) (*KubeconfigBuilder, error) {
 	clusterName := cluster.ObjectMeta.Name

 	var server string
@ -121,7 +121,7 @@ func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.Keysto
 			},
 			Validity: admin,
 		}
-		cert, privateKey, _, err := pki.IssueCert(ctx, &req, keyStore)
+		cert, privateKey, _, err := pki.IssueCert(ctx, &req, fi.NewPKIKeystoreAdapter(keyStore))
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/kubeconfig/create_kubecfg_test.go
+++ b/pkg/kubeconfig/create_kubecfg_test.go
@ -101,13 +101,6 @@ type fakeKeyStore struct {
 	MirrorToFn func(basedir vfs.Path) error
 }

-var _ fi.Keystore = &fakeKeyStore{}
-
-// FindPrimaryKeypair implements pki.Keystore
-func (f fakeKeyStore) FindPrimaryKeypair(ctx context.Context, name string) (*pki.Certificate, *pki.PrivateKey, error) {
-	return fi.FindPrimaryKeypair(ctx, f, name)
-}
-
 // FindKeyset implements KeystoreReader.
 func (f fakeKeyStore) FindKeyset(ctx context.Context, name string) (*fi.Keyset, error) {
 	return f.FindKeysetFn(name)
--- a/upup/pkg/fi/ca.go
+++ b/upup/pkg/fi/ca.go
@ -69,9 +69,7 @@ type KeysetItem struct {

 // KeystoreReader contains just the functions we need to consume keypairs, not to update them.
 type KeystoreReader interface {
-	pki.Keystore
-
-	// FindKeyset finds a Keyset.  If the keyset is not found, it returns (nil, nil)
+	// FindKeyset finds a Keyset.  If the keyset is not found, it returns (nil, nil).
 	FindKeyset(ctx context.Context, name string) (*Keyset, error)
 }

@ -111,18 +109,6 @@ type SSHCredentialStore interface {
 	FindSSHPublicKeys() ([]*kops.SSHCredential, error)
 }

-// FindPrimaryKeypair is a common implementation of pki.FindPrimaryKeypair.
-func FindPrimaryKeypair(ctx context.Context, c KeystoreReader, name string) (*pki.Certificate, *pki.PrivateKey, error) {
-	keyset, err := c.FindKeyset(ctx, name)
-	if err != nil {
-		return nil, nil, err
-	}
-	if keyset == nil || keyset.Primary == nil {
-		return nil, nil, nil
-	}
-	return keyset.Primary.Certificate, keyset.Primary.PrivateKey, nil
-}
-
 // KeysetItemIdOlder returns whether the KeysetItem Id a is older than b.
 func KeysetItemIdOlder(a, b string) bool {
 	aVersion, aOk := big.NewInt(0).SetString(a, 10)
@ -254,3 +240,22 @@ func (k *Keyset) AddItem(cert *pki.Certificate, privateKey *pki.PrivateKey, prim

 	return ki, nil
 }
+
+type pkiKeystoreAdapter struct {
+	reader KeystoreReader
+}
+
+func (p pkiKeystoreAdapter) FindPrimaryKeypair(ctx context.Context, name string) (*pki.Certificate, *pki.PrivateKey, error) {
+	keyset, err := p.reader.FindKeyset(ctx, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	if keyset == nil || keyset.Primary == nil {
+		return nil, nil, nil
+	}
+	return keyset.Primary.Certificate, keyset.Primary.PrivateKey, nil
+}
+
+func NewPKIKeystoreAdapter(reader KeystoreReader) pki.Keystore {
+	return &pkiKeystoreAdapter{reader: reader}
+}
--- a/upup/pkg/fi/clientset_castore.go
+++ b/upup/pkg/fi/clientset_castore.go
@ -155,11 +155,6 @@ func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
 	return primary
 }

-// FindPrimaryKeypair implements pki.Keystore
-func (c *ClientsetCAStore) FindPrimaryKeypair(ctx context.Context, name string) (*pki.Certificate, *pki.PrivateKey, error) {
-	return FindPrimaryKeypair(ctx, c, name)
-}
-
 // FindKeyset implements KeystoreReader.
 func (c *ClientsetCAStore) FindKeyset(ctx context.Context, name string) (*Keyset, error) {
 	return c.loadKeyset(ctx, name)
--- a/upup/pkg/fi/fitasks/keypair.go
+++ b/upup/pkg/fi/fitasks/keypair.go
@ -244,7 +244,7 @@ func (_ *Keypair) Render(c *fi.CloudupContext, a, e, changes *Keypair) error {
 			PrivateKey:     privateKey,
 			Serial:         serial,
 		}
-		cert, privateKey, _, err := pki.IssueCert(ctx, &req, c.T.Keystore)
+		cert, privateKey, _, err := pki.IssueCert(ctx, &req, fi.NewPKIKeystoreAdapter(c.T.Keystore))
 		if err != nil {
 			return err
 		}
--- a/upup/pkg/fi/vfs_keystorereader.go
+++ b/upup/pkg/fi/vfs_keystorereader.go
@ -26,7 +26,6 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/v1alpha2"
 	"k8s.io/kops/pkg/kopscodecs"
-	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/util/pkg/vfs"
 )

@ -102,10 +101,6 @@ func (c *VFSKeystoreReader) loadKeyset(ctx context.Context, p vfs.Path) (*Keyset
 	return keyset, nil
 }

-func (c *VFSKeystoreReader) FindPrimaryKeypair(ctx context.Context, name string) (*pki.Certificate, *pki.PrivateKey, error) {
-	return FindPrimaryKeypair(ctx, c, name)
-}
-
 var legacyKeysetMappings = map[string]string{
 	// The strange name is because kOps prior to 1.19 used the api-server TLS key for this.
 	"service-account": "master",