Refactor bootstrap verifier/authenticator into its own package

No code changes, but this avoids a circular package dependency that we would otherwise introduce in the GCE logic.
2021-09-26 09:43:53 -04:00 · 2021-09-26 09:43:53 -04:00 · fad6db8beb
parent c742621468
commit fad6db8beb
17 changed files with 37 additions and 21 deletions
--- a/cmd/kops-controller/BUILD.bazel
+++ b/cmd/kops-controller/BUILD.bazel
@ -9,13 +9,13 @@ go_library(
        "//cmd/kops-controller/controllers:go_default_library",
        "//cmd/kops-controller/pkg/config:go_default_library",
        "//cmd/kops-controller/pkg/server:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/nodeidentity:go_default_library",
        "//pkg/nodeidentity/aws:go_default_library",
        "//pkg/nodeidentity/azure:go_default_library",
        "//pkg/nodeidentity/do:go_default_library",
        "//pkg/nodeidentity/gce:go_default_library",
        "//pkg/nodeidentity/openstack:go_default_library",
-        "//upup/pkg/fi:go_default_library",
        "//upup/pkg/fi/cloudup/awsup:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
--- a/cmd/kops-controller/main.go
+++ b/cmd/kops-controller/main.go
@ -30,13 +30,13 @@ import (
 	"k8s.io/kops/cmd/kops-controller/controllers"
 	"k8s.io/kops/cmd/kops-controller/pkg/config"
 	"k8s.io/kops/cmd/kops-controller/pkg/server"
+	"k8s.io/kops/pkg/bootstrap"
 	"k8s.io/kops/pkg/nodeidentity"
 	nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
 	nodeidentityazure "k8s.io/kops/pkg/nodeidentity/azure"
 	nodeidentitydo "k8s.io/kops/pkg/nodeidentity/do"
 	nodeidentitygce "k8s.io/kops/pkg/nodeidentity/gce"
 	nodeidentityos "k8s.io/kops/pkg/nodeidentity/openstack"
-	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@ -86,7 +86,7 @@ func main() {

 	ctrl.SetLogger(klogr.New())
 	if opt.Server != nil {
-		var verifier fi.Verifier
+		var verifier bootstrap.Verifier
 		var err error
 		if opt.Server.Provider.AWS != nil {
 			verifier, err = awsup.NewAWSVerifier(opt.Server.Provider.AWS)
--- a/cmd/kops-controller/pkg/server/BUILD.bazel
+++ b/cmd/kops-controller/pkg/server/BUILD.bazel
@ -13,6 +13,7 @@ go_library(
        "//cmd/kops-controller/pkg/config:go_default_library",
        "//pkg/apis/kops/registry:go_default_library",
        "//pkg/apis/nodeup:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/pki:go_default_library",
        "//pkg/rbac:go_default_library",
        "//upup/pkg/fi:go_default_library",
--- a/cmd/kops-controller/pkg/server/node_config.go
+++ b/cmd/kops-controller/pkg/server/node_config.go
@ -23,10 +23,10 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops/registry"
 	"k8s.io/kops/pkg/apis/nodeup"
-	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/pkg/bootstrap"
 )

-func (s *Server) getNodeConfig(ctx context.Context, req *nodeup.BootstrapRequest, identity *fi.VerifyResult) (*nodeup.NodeConfig, error) {
+func (s *Server) getNodeConfig(ctx context.Context, req *nodeup.BootstrapRequest, identity *bootstrap.VerifyResult) (*nodeup.NodeConfig, error) {
 	klog.Infof("getting node config for %+v", req)

 	instanceGroupName := identity.InstanceGroupName
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@ -33,6 +33,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kops/cmd/kops-controller/pkg/config"
 	"k8s.io/kops/pkg/apis/nodeup"
+	"k8s.io/kops/pkg/bootstrap"
 	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/upup/pkg/fi"
@ -44,14 +45,14 @@ type Server struct {
 	certNames  sets.String
 	keypairIDs map[string]string
 	server     *http.Server
-	verifier   fi.Verifier
+	verifier   bootstrap.Verifier
 	keystore   pki.Keystore

 	// configBase is the base of the configuration storage.
 	configBase vfs.Path
 }

-func NewServer(opt *config.Options, verifier fi.Verifier) (*Server, error) {
+func NewServer(opt *config.Options, verifier bootstrap.Verifier) (*Server, error) {
 	server := &http.Server{
 		Addr: opt.Server.Listen,
 		TLSConfig: &tls.Config{
@ -168,7 +169,7 @@ func (s *Server) bootstrap(w http.ResponseWriter, r *http.Request) {
 	klog.Infof("bootstrap %s %s success", r.RemoteAddr, id.NodeName)
 }

-func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, validHours uint32, keypairIDs map[string]string) (string, error) {
+func (s *Server) issueCert(name string, pubKey string, id *bootstrap.VerifyResult, validHours uint32, keypairIDs map[string]string) (string, error) {
 	block, _ := pem.Decode([]byte(pubKey))
 	if block.Type != "RSA PUBLIC KEY" {
 		return "", fmt.Errorf("unexpected key type %q", block.Type)
--- a/nodeup/pkg/model/BUILD.bazel
+++ b/nodeup/pkg/model/BUILD.bazel
@ -45,6 +45,7 @@ go_library(
        "//pkg/apis/kops/model:go_default_library",
        "//pkg/apis/kops/util:go_default_library",
        "//pkg/apis/nodeup:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/configbuilder:go_default_library",
        "//pkg/dns:go_default_library",
        "//pkg/flagbuilder:go_default_library",
--- a/nodeup/pkg/model/bootstrap_client.go
+++ b/nodeup/pkg/model/bootstrap_client.go
@ -23,6 +23,7 @@ import (
 	"strconv"

 	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/pkg/bootstrap"
 	"k8s.io/kops/pkg/wellknownports"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
@ -39,7 +40,7 @@ func (b BootstrapClientBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}

-	var authenticator fi.Authenticator
+	var authenticator bootstrap.Authenticator
 	var err error
 	switch kops.CloudProviderID(b.Cluster.Spec.CloudProvider) {
 	case kops.CloudProviderAWS:
--- a/pkg/bootstrap/BUILD.bazel
+++ b/pkg/bootstrap/BUILD.bazel
@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["authenticate.go"],
+    importpath = "k8s.io/kops/pkg/bootstrap",
+    visibility = ["//visibility:public"],
+)
--- a/pkg/bootstrap/authenticate.go
+++ b/pkg/bootstrap/authenticate.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package fi
+package bootstrap

 // Authenticator generates authentication credentials for requests.
 type Authenticator interface {
--- a/upup/pkg/fi/BUILD.bazel
+++ b/upup/pkg/fi/BUILD.bazel
@ -4,7 +4,6 @@ go_library(
    name = "go_default_library",
    srcs = [
        "assetstore.go",
-        "authenticate.go",
        "ca.go",
        "changes.go",
        "clientset_castore.go",
--- a/upup/pkg/fi/cloudup/awsup/BUILD.bazel
+++ b/upup/pkg/fi/cloudup/awsup/BUILD.bazel
@ -22,6 +22,7 @@ go_library(
        "//dnsprovider/pkg/dnsprovider/providers/aws/route53:go_default_library",
        "//pkg/apis/kops:go_default_library",
        "//pkg/apis/kops/model:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/cloudinstances:go_default_library",
        "//pkg/featureflag:go_default_library",
        "//pkg/nodeidentity/aws:go_default_library",
--- a/upup/pkg/fi/cloudup/awsup/aws_authenticator.go
+++ b/upup/pkg/fi/cloudup/awsup/aws_authenticator.go
@ -28,7 +28,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
-	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/pkg/bootstrap"
 )

 const AWSAuthenticationTokenPrefix = "x-aws-sts "
@ -37,7 +37,7 @@ type awsAuthenticator struct {
 	sts *sts.STS
 }

-var _ fi.Authenticator = &awsAuthenticator{}
+var _ bootstrap.Authenticator = &awsAuthenticator{}

 // RegionFromMetadata returns the current region from the aws metdata
 func RegionFromMetadata(ctx context.Context) (string, error) {
@ -57,7 +57,7 @@ func RegionFromMetadata(ctx context.Context) (string, error) {
 	return region, nil
 }

-func NewAWSAuthenticator(region string) (fi.Authenticator, error) {
+func NewAWSAuthenticator(region string) (bootstrap.Authenticator, error) {
 	config := aws.NewConfig().
 		WithCredentialsChainVerboseErrors(true).
 		WithRegion(region).
--- a/upup/pkg/fi/cloudup/awsup/aws_verifier.go
+++ b/upup/pkg/fi/cloudup/awsup/aws_verifier.go
@ -36,8 +36,8 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/sts"
+	"k8s.io/kops/pkg/bootstrap"
 	nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
-	"k8s.io/kops/upup/pkg/fi"
 )

 type AWSVerifierOptions struct {
@ -57,9 +57,9 @@ type awsVerifier struct {
 	client http.Client
 }

-var _ fi.Verifier = &awsVerifier{}
+var _ bootstrap.Verifier = &awsVerifier{}

-func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
+func NewAWSVerifier(opt *AWSVerifierOptions) (bootstrap.Verifier, error) {
 	config := aws.NewConfig().
 		WithCredentialsChainVerboseErrors(true).
 		WithRegion(opt.Region).
@ -120,7 +120,7 @@ type ResponseMetadata struct {
 	RequestId string `xml:"RequestId"`
 }

-func (a awsVerifier) VerifyToken(token string, body []byte) (*fi.VerifyResult, error) {
+func (a awsVerifier) VerifyToken(token string, body []byte) (*bootstrap.VerifyResult, error) {
 	if !strings.HasPrefix(token, AWSAuthenticationTokenPrefix) {
 		return nil, fmt.Errorf("incorrect authorization type")
 	}
@ -237,7 +237,7 @@ func (a awsVerifier) VerifyToken(token string, body []byte) (*fi.VerifyResult, e
 		return nil, err
 	}

-	result := &fi.VerifyResult{
+	result := &bootstrap.VerifyResult{
 		NodeName:         addrs[0],
 		CertificateNames: addrs,
 	}
--- a/upup/pkg/fi/nodeup/BUILD.bazel
+++ b/upup/pkg/fi/nodeup/BUILD.bazel
@ -15,6 +15,7 @@ go_library(
        "//pkg/apis/kops/registry:go_default_library",
        "//pkg/apis/nodeup:go_default_library",
        "//pkg/assets:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/configserver:go_default_library",
        "//pkg/kopscodecs:go_default_library",
        "//upup/pkg/fi:go_default_library",
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
@ -39,6 +39,7 @@ import (
 	"k8s.io/kops/pkg/apis/kops/registry"
 	"k8s.io/kops/pkg/apis/nodeup"
 	"k8s.io/kops/pkg/assets"
+	"k8s.io/kops/pkg/bootstrap"
 	"k8s.io/kops/pkg/configserver"
 	"k8s.io/kops/pkg/kopscodecs"
 	"k8s.io/kops/upup/pkg/fi"
@ -757,7 +758,7 @@ func seedRNG(ctx context.Context, bootConfig *nodeup.BootConfig, region string)

 // getNodeConfigFromServer queries kops-controller for our node's configuration.
 func getNodeConfigFromServer(ctx context.Context, bootConfig *nodeup.BootConfig, region string) (*nodeup.BootstrapResponse, error) {
-	var authenticator fi.Authenticator
+	var authenticator bootstrap.Authenticator

 	switch api.CloudProviderID(bootConfig.CloudProvider) {
 	case api.CloudProviderAWS:
--- a/upup/pkg/fi/nodeup/nodetasks/BUILD.bazel
+++ b/upup/pkg/fi/nodeup/nodetasks/BUILD.bazel
@ -27,6 +27,7 @@ go_library(
        "//pkg/apis/kops:go_default_library",
        "//pkg/apis/nodeup:go_default_library",
        "//pkg/backoff:go_default_library",
+        "//pkg/bootstrap:go_default_library",
        "//pkg/kubeconfig:go_default_library",
        "//pkg/pki:go_default_library",
        "//upup/pkg/fi:go_default_library",
--- a/upup/pkg/fi/nodeup/nodetasks/bootstrap_client.go
+++ b/upup/pkg/fi/nodeup/nodetasks/bootstrap_client.go
@ -33,6 +33,7 @@ import (
 	"time"

 	"k8s.io/kops/pkg/apis/nodeup"
+	"k8s.io/kops/pkg/bootstrap"
 	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup"
@ -135,7 +136,7 @@ func (b *BootstrapClientTask) Run(c *fi.Context) error {

 type KopsBootstrapClient struct {
 	// Authenticator generates authentication credentials for requests.
-	Authenticator fi.Authenticator
+	Authenticator bootstrap.Authenticator
 	// CAs are the CA certificates for kops-controller.
 	CAs []byte