diff --git a/hack/.packages b/hack/.packages index 4cde3381f0..f957bc1418 100644 --- a/hack/.packages +++ b/hack/.packages @@ -182,7 +182,6 @@ k8s.io/kops/upup/pkg/fi/cloudup/terraform k8s.io/kops/upup/pkg/fi/cloudup/vsphere k8s.io/kops/upup/pkg/fi/cloudup/vspheretasks k8s.io/kops/upup/pkg/fi/fitasks -k8s.io/kops/upup/pkg/fi/k8sapi k8s.io/kops/upup/pkg/fi/loader k8s.io/kops/upup/pkg/fi/nodeup k8s.io/kops/upup/pkg/fi/nodeup/cloudinit diff --git a/upup/pkg/fi/k8sapi/BUILD.bazel b/upup/pkg/fi/k8sapi/BUILD.bazel deleted file mode 100644 index 29511efbbb..0000000000 --- a/upup/pkg/fi/k8sapi/BUILD.bazel +++ /dev/null @@ -1,21 +0,0 @@ -load("@io_bazel_rules_go//go:def.bzl", "go_library") - -go_library( - name = "go_default_library", - srcs = [ - "cert_secret.go", - "k8s_keystore.go", - ], - importpath = "k8s.io/kops/upup/pkg/fi/k8sapi", - visibility = ["//visibility:public"], - deps = [ - "//pkg/pki:go_default_library", - "//upup/pkg/fi:go_default_library", - "//util/pkg/vfs:go_default_library", - "//vendor/k8s.io/api/core/v1:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//vendor/k8s.io/client-go/kubernetes:go_default_library", - "//vendor/k8s.io/klog:go_default_library", - ], -) diff --git a/upup/pkg/fi/k8sapi/cert_secret.go b/upup/pkg/fi/k8sapi/cert_secret.go deleted file mode 100644 index ad616e7b86..0000000000 --- a/upup/pkg/fi/k8sapi/cert_secret.go +++ /dev/null @@ -1,87 +0,0 @@ -/* -Copyright 2019 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package k8sapi - -import ( - "fmt" - - v1 "k8s.io/api/core/v1" - "k8s.io/kops/pkg/pki" -) - -// KeypairSecret is a wrapper around a k8s Secret object that holds a TLS keypair -type KeypairSecret struct { - Namespace string - Name string - - Certificate *pki.Certificate - PrivateKey *pki.PrivateKey -} - -// ParseKeypairSecret parses the secret object, decoding the certificate & private-key, if present -func ParseKeypairSecret(secret *v1.Secret) (*KeypairSecret, error) { - k := &KeypairSecret{} - k.Namespace = secret.Namespace - k.Name = secret.Name - - certData := secret.Data[v1.TLSCertKey] - if certData != nil { - cert, err := pki.ParsePEMCertificate(certData) - if err != nil { - return nil, fmt.Errorf("error parsing certificate in %s/%s: %q", k.Namespace, k.Name, err) - } - k.Certificate = cert - } - keyData := secret.Data[v1.TLSPrivateKeyKey] - if keyData != nil { - key, err := pki.ParsePEMPrivateKey(keyData) - if err != nil { - return nil, fmt.Errorf("error parsing key in %s/%s: %q", k.Namespace, k.Name, err) - } - k.PrivateKey = key - } - - return k, nil -} - -// Encode maps a KeypairSecret into a k8s Secret -func (k *KeypairSecret) Encode() (*v1.Secret, error) { - secret := &v1.Secret{} - secret.Namespace = k.Namespace - secret.Name = k.Name - secret.Type = v1.SecretTypeTLS - - secret.Data = make(map[string][]byte) - - if k.Certificate != nil { - data, err := k.Certificate.AsBytes() - if err != nil { - return nil, err - } - secret.Data[v1.TLSCertKey] = data - } - - if k.PrivateKey != nil { - data, err := k.PrivateKey.AsBytes() - if err != nil { - return nil, err - } - secret.Data[v1.TLSPrivateKeyKey] = data - } - - return secret, nil -} diff --git a/upup/pkg/fi/k8sapi/k8s_keystore.go b/upup/pkg/fi/k8sapi/k8s_keystore.go deleted file mode 100644 index f42cdf8dba..0000000000 --- a/upup/pkg/fi/k8sapi/k8s_keystore.go +++ /dev/null @@ -1,158 +0,0 @@ -/* -Copyright 2019 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package k8sapi - -import ( - "context" - "crypto/x509" - "fmt" - "math/big" - "time" - - v1 "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes" - "k8s.io/klog" - "k8s.io/kops/pkg/pki" - "k8s.io/kops/upup/pkg/fi" - "k8s.io/kops/util/pkg/vfs" -) - -type KubernetesKeystore struct { - client kubernetes.Interface - namespace string - - //mutex sync.Mutex - //cacheCaCertificates *certificates - //cacheCaPrivateKeys *privateKeys -} - -var _ fi.Keystore = &KubernetesKeystore{} - -func NewKubernetesKeystore(client kubernetes.Interface, namespace string) fi.Keystore { - c := &KubernetesKeystore{ - client: client, - namespace: namespace, - } - - return c -} - -func (c *KubernetesKeystore) issueCert(signer string, id string, serial *big.Int, privateKey *pki.PrivateKey, template *x509.Certificate) (*pki.Certificate, error) { - klog.Infof("Issuing new certificate: %q", id) - - template.SerialNumber = serial - - caCert, caKey, _, err := c.FindKeypair(signer) - if err != nil { - return nil, err - } - - if caCert == nil || caCert.Certificate == nil || caKey == nil || caKey.Key == nil { - return nil, fmt.Errorf("CA keypair was not found; cannot issue certificates") - } - - cert, err := pki.SignNewCertificate(privateKey, template, caCert.Certificate, caKey) - if err != nil { - return nil, err - } - - err = c.StoreKeypair(id, cert, privateKey) - if err != nil { - return nil, err - } - - return cert, nil -} - -func (c *KubernetesKeystore) findSecret(ctx context.Context, id string) (*v1.Secret, error) { - secret, err := c.client.CoreV1().Secrets(c.namespace).Get(ctx, id, metav1.GetOptions{}) - if err != nil { - if apierrors.IsNotFound(err) { - return nil, nil - } - return nil, fmt.Errorf("error reading secret %s/%s from kubernetes: %v", c.namespace, id, err) - } - return secret, nil -} - -func (c *KubernetesKeystore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, fi.KeysetFormat, error) { - ctx := context.TODO() - - secret, err := c.findSecret(ctx, id) - if err != nil { - return nil, nil, "", err - } - - if secret == nil { - return nil, nil, "", nil - } - - keypair, err := ParseKeypairSecret(secret) - if err != nil { - return nil, nil, "", fmt.Errorf("error parsing secret %s/%s from kubernetes: %v", c.namespace, id, err) - } - - return keypair.Certificate, keypair.PrivateKey, fi.KeysetFormatV1Alpha2, nil -} - -func (c *KubernetesKeystore) CreateKeypair(signer string, id string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) { - t := time.Now().UnixNano() - serial := pki.BuildPKISerial(t) - - cert, err := c.issueCert(signer, id, serial, privateKey, template) - if err != nil { - return nil, err - } - - return cert, nil -} - -func (c *KubernetesKeystore) StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error { - ctx := context.TODO() - - keypair := &KeypairSecret{ - Namespace: c.namespace, - Name: id, - Certificate: cert, - PrivateKey: privateKey, - } - - secret, err := keypair.Encode() - if err != nil { - return fmt.Errorf("error encoding keypair: %+v err: %s", keypair, err) - } - createdSecret, err := c.client.CoreV1().Secrets(c.namespace).Create(ctx, secret, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("error creating secret %s/%s: %v", secret.Namespace, secret.Name, err) - } - - created, err := ParseKeypairSecret(createdSecret) - if err != nil { - return fmt.Errorf("created secret did not round-trip (%s/%s): %v", c.namespace, id, err) - } - if created == nil || created.Certificate == nil || created.PrivateKey == nil { - return fmt.Errorf("created secret did not round-trip (%s/%s): could not read back", c.namespace, id) - } - - return err -} - -func (c *KubernetesKeystore) MirrorTo(dest vfs.Path) error { - return fmt.Errorf("KubernetesKeystore does not implement MirrorTo") -}