From fc94505a76f780afa242777cfa201634a392e031 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Sun, 20 Jun 2021 17:15:50 -0700
Subject: [PATCH] Include multiple certs in aws-iam-authenticator trust bundle
---
 nodeup/pkg/model/kube_apiserver.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 1b61d471b6..284b6b3878 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -201,7 +201,7 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte
 b.Cluster.Spec.KubeAPIServer.AuthenticationTokenWebhookConfigFile = fi.String(PathAuthnConfig)
 {
- caCertificate, err := b.NodeupModelContext.KeyStore.FindCert(fi.CertificateIDCA)
+ caCertificate, _, err := b.NodeupModelContext.KeyStore.FindPrimaryKeypair(fi.CertificateIDCA)
 if err != nil {
 return fmt.Errorf("error fetching AWS IAM Authentication CA certificate from keystore: %v", err)
 }
@@ -217,6 +217,7 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte
 User: "kube-apiserver",
 }
+ // Since we're talking to localhost, we don't need the entire certificate bundle.
 cluster.CertificateAuthorityData, err = caCertificate.AsBytes()
 if err != nil {
 return fmt.Errorf("error encoding AWS IAM Authentication CA certificate: %v", err)
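Review bot: The blank identifier on the added `FindPrimaryKeypair` line drops the second return value without saying what it is. Judging by the method name it is presumably the CA private key, which this block never needs, since it only builds a trust anchor for the webhook kubeconfig. A short comment would make that intent explicit, e.g. `// Only the certificate is used as a trust anchor; the private key is deliberately ignored.` The hunk also does not show whether `caCertificate` can be nil when `err` is nil, so that is worth confirming before `AsBytes()` is called on it. The enclosing block starts and ends outside the hunk.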
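Review bot: The added comment justifies pinning a single CA certificate by the connection going to localhost, but the destination address does not determine which CA the webhook's serving certificate chains to. With only the primary certificate in `CertificateAuthorityData`, verification succeeds only if the authenticator's serving certificate is issued by the primary keypair, which these lines do not show. If that is the case, I would state the invariant directly, e.g. `// The authenticator's serving cert is issued by the primary CA keypair, so that cert alone is a sufficient trust anchor.` That way a later change to issuance or a CA rotation is checked against it instead of silently breaking token webhook authentication. The enclosing block continues outside the hunk.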