fix: ca certs support

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Makefile

@@ -19,13 +19,15 @@ clean:
 
 .PHONY: install-goimports
 install-goimports:
+ifeq (, $(shell which goimports))
 	go install golang.org/x/tools/cmd/goimports@latest
+endif
 
 .PHONY: gen-tf-code
 gen-tf-code: clean install-goimports
 	@go run ./hack/gen-tf-code/...
 	@go fmt ./pkg/schemas/...
-	@~/go/bin/goimports -w ./pkg/schemas
+	@goimports -w ./pkg/schemas
 
 .PHONY: gen
 gen: gen-tf-code

docs/data-sources/cluster.md

@@ -1769,6 +1769,8 @@ ClusterSecrets defines cluster secrets.
 The following arguments are supported:
 
 - `docker_config` - (Sensitive) - (Computed) - String - DockerConfig holds a valid docker config.<br />After creating a dockerconfig secret, a /root/.docker/config.json file will be added to newly created nodes.<br />This file will be used by Kubernetes to authenticate to container registries and will also work when using containerd as container runtime.
+- `cluster_ca_cert` - (Sensitive) - (Computed) - String
+- `cluster_ca_key` - (Sensitive) - (Computed) - String
 
 
 

docs/resources/cluster.md

@@ -1852,6 +1852,8 @@ ClusterSecrets defines cluster secrets.
 The following arguments are supported:
 
 - `docker_config` - (Optional) - (Sensitive) - String - DockerConfig holds a valid docker config.<br />After creating a dockerconfig secret, a /root/.docker/config.json file will be added to newly created nodes.<br />This file will be used by Kubernetes to authenticate to container registries and will also work when using containerd as container runtime.
+- `cluster_ca_cert` - (Optional) - (Sensitive) - (Computed) - String
+- `cluster_ca_key` - (Optional) - (Sensitive) - (Computed) - String
 
 
 ## Import

hack/gen-tf-code/main.go

@@ -124,8 +124,8 @@ func main() {
 			noSchema(),
 		),
 		generate(resources.ClusterSecrets{},
-			sensitive("DockerConfig" /*, "ClusterCaCert", "ClusterCaKey"*/),
-			// computed("ClusterCaCert", "ClusterCaKey"),
+			sensitive("DockerConfig" , "ClusterCaCert", "ClusterCaKey"),
+			computed("ClusterCaCert", "ClusterCaKey"),
 		),
 		generate(resources.ValidateOptions{}),
 		generate(utils.ValidateOptions{},
@@ -358,7 +358,7 @@ func main() {
 			doc(dataInstanceGroupHeader, ""),
 		),
 		generate(resources.ClusterSecrets{},
-			sensitive("DockerConfig" /*, "ClusterCaCert", "ClusterCaKey"*/),
+			sensitive("DockerConfig", "ClusterCaCert", "ClusterCaKey"),
 		),
 		generate(kube.Config{},
 			noSchema(),

pkg/api/resources/ClusterSecrets.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/upup/pkg/fi"
 )
 
@@ -12,9 +13,9 @@ type ClusterSecrets struct {
 	// DockerConfig holds a valid docker config.
 	// After creating a dockerconfig secret, a /root/.docker/config.json file will be added to newly created nodes.
 	// This file will be used by Kubernetes to authenticate to container registries and will also work when using containerd as container runtime.
-	DockerConfig string
-	// ClusterCaCert string
-	// ClusterCaKey  string
+	DockerConfig  string
+	ClusterCaCert string
+	ClusterCaKey  string
 }
 
 func GetClusterSecrets(secretStore fi.SecretStore, keyStore fi.CAStore) (*ClusterSecrets, error) {
@@ -26,32 +27,31 @@ func GetClusterSecrets(secretStore fi.SecretStore, keyStore fi.CAStore) (*Cluste
 	if d != nil {
 		dockerConfig = string(d.Data)
 	}
-	// TODO
-	// clusterCaCert := ""
-	// clusterCaKey := ""
-	// c, k, err := keyStore.FindPrimaryKeypair(fi.CertificateIDCA)
-	// if err != nil {
-	// 	return nil, err
-	// }
-	// if c != nil {
-	// 	clusterCaCert, err = c.AsString()
-	// 	if err != nil {
-	// 		return nil, err
-	// 	}
-	// }
-	// if k != nil {
-	// 	clusterCaKey, err = k.AsString()
-	// 	if err != nil {
-	// 		return nil, err
-	// 	}
-	// }
-	if dockerConfig == "" /*&& clusterCaCert == "" && clusterCaKey == ""*/ {
+	clusterCaCert := ""
+	clusterCaKey := ""
+	c, k, err := keyStore.FindPrimaryKeypair(fi.CertificateIDCA)
+	if err != nil {
+		return nil, err
+	}
+	if c != nil {
+		clusterCaCert, err = c.AsString()
+		if err != nil {
+			return nil, err
+		}
+	}
+	if k != nil {
+		clusterCaKey, err = k.AsString()
+		if err != nil {
+			return nil, err
+		}
+	}
+	if dockerConfig == "" && clusterCaCert == "" && clusterCaKey == "" {
 		return nil, nil
 	}
 	return &ClusterSecrets{
-		DockerConfig: dockerConfig,
-		// ClusterCaCert: clusterCaCert,
-		// ClusterCaKey:  clusterCaKey,
+		DockerConfig:  dockerConfig,
+		ClusterCaCert: clusterCaCert,
+		ClusterCaKey:  clusterCaKey,
 	}, nil
 }
 
@@ -83,45 +83,48 @@ func createOrUpdateClusterSecret(secretStore fi.SecretStore, name string, s stri
 	return nil
 }
 
-// TODO
-// func createOrUpdateClusterKeypair(keyStore fi.CAStore, c string, k string) error {
-// 	if c == "" && k == "" {
-// 		// TODO: how can we delete the certificate ?
-// 		return nil
-// 	}
-// 	privateKey, err := pki.ParsePEMPrivateKey([]byte(k))
-// 	if err != nil {
-// 		return fmt.Errorf("error loading private key: %v", err)
-// 	}
-// 	cert, err := pki.ParsePEMCertificate([]byte(c))
-// 	if err != nil {
-// 		return fmt.Errorf("error loading certificate: %v", err)
-// 	}
-// 	err = keyStore.StoreKeypair(fi.CertificateIDCA, cert, privateKey)
-// 	if err != nil {
-// 		return fmt.Errorf("error storing user provided keys: %v", err)
-// 	}
-// 	return nil
-// }
+func createOrUpdateClusterKeypair(keyStore fi.CAStore, c string, k string) error {
+	if c == "" && k == "" {
+		// TODO: how can we delete the certificate ?
+		return nil
+	}
+	privateKey, err := pki.ParsePEMPrivateKey([]byte(k))
+	if err != nil {
+		return fmt.Errorf("error loading private key: %v", err)
+	}
+	cert, err := pki.ParsePEMCertificate([]byte(c))
+	if err != nil {
+		return fmt.Errorf("error loading certificate: %v", err)
+	}
+	ks, err := fi.NewKeyset(cert, privateKey)
+	if err != nil {
+		return fmt.Errorf("error creating keyset: %v", err)
+	}
+	err = keyStore.StoreKeyset(fi.CertificateIDCA, ks)
+	if err != nil {
+		return fmt.Errorf("error storing keyset: %v", err)
+	}
+	return nil
+}
 
 func CreateOrUpdateClusterSecrets(secretStore fi.SecretStore, keyStore fi.CAStore, secrets *ClusterSecrets) (*ClusterSecrets, error) {
 	dockerConfig := ""
-	// clusterCaCert := ""
-	// clusterCaKey := ""
+	clusterCaCert := ""
+	clusterCaKey := ""
 	if secrets != nil {
 		dockerConfig = secrets.DockerConfig
-		// clusterCaCert = secrets.ClusterCaCert
-		// clusterCaKey = secrets.ClusterCaKey
+		clusterCaCert = secrets.ClusterCaCert
+		clusterCaKey = secrets.ClusterCaKey
 	}
 	if err := createOrUpdateClusterSecret(secretStore, "dockerconfig", dockerConfig); err != nil {
 		return nil, err
 	}
-	// if err := createOrUpdateClusterKeypair(keyStore, clusterCaCert, clusterCaKey); err != nil {
-	// 	return nil, err
-	// }
+	if err := createOrUpdateClusterKeypair(keyStore, clusterCaCert, clusterCaKey); err != nil {
+		return nil, err
+	}
 	return &ClusterSecrets{
-		DockerConfig: dockerConfig,
-		// ClusterCaCert: clusterCaCert,
-		// ClusterCaKey:  clusterCaKey,
+		DockerConfig:  dockerConfig,
+		ClusterCaCert: clusterCaCert,
+		ClusterCaKey:  clusterCaKey,
 	}, nil
 }

pkg/schemas/resources/DataSource_ClusterSecrets.generated.go

@@ -11,7 +11,9 @@ var _ = Schema
 func DataSourceClusterSecrets() *schema.Resource {
 	res := &schema.Resource{
 		Schema: map[string]*schema.Schema{
-			"docker_config": Sensitive(ComputedString()),
+			"docker_config":   Sensitive(ComputedString()),
+			"cluster_ca_cert": Sensitive(ComputedString()),
+			"cluster_ca_key":  Sensitive(ComputedString()),
 		},
 	}
 
@@ -26,13 +28,25 @@ func ExpandDataSourceClusterSecrets(in map[string]interface{}) resources.Cluster
 		DockerConfig: func(in interface{}) string {
 			return string(ExpandString(in))
 		}(in["docker_config"]),
+		ClusterCaCert: func(in interface{}) string {
+			return string(ExpandString(in))
+		}(in["cluster_ca_cert"]),
+		ClusterCaKey: func(in interface{}) string {
+			return string(ExpandString(in))
+		}(in["cluster_ca_key"]),
 	}
 }
 
 func FlattenDataSourceClusterSecretsInto(in resources.ClusterSecrets, out map[string]interface{}) {
 	out["docker_config"] = func(in string) interface{} {
 		return FlattenString(string(in))
 	}(in.DockerConfig)
+	out["cluster_ca_cert"] = func(in string) interface{} {
+		return FlattenString(string(in))
+	}(in.ClusterCaCert)
+	out["cluster_ca_key"] = func(in string) interface{} {
+		return FlattenString(string(in))
+	}(in.ClusterCaKey)
 }
 
 func FlattenDataSourceClusterSecrets(in resources.ClusterSecrets) map[string]interface{} {

pkg/schemas/resources/DataSource_ClusterSecrets.generated_test.go

@@ -21,7 +21,9 @@ func TestExpandDataSourceClusterSecrets(t *testing.T) {
 			name: "default",
 			args: args{
 				in: map[string]interface{}{
-					"docker_config": "",
+					"docker_config":   "",
+					"cluster_ca_cert": "",
+					"cluster_ca_key":  "",
 				},
 			},
 			want: _default,
@@ -39,7 +41,9 @@ func TestExpandDataSourceClusterSecrets(t *testing.T) {
 
 func TestFlattenDataSourceClusterSecretsInto(t *testing.T) {
 	_default := map[string]interface{}{
-		"docker_config": "",
+		"docker_config":   "",
+		"cluster_ca_cert": "",
+		"cluster_ca_key":  "",
 	}
 	type args struct {
 		in resources.ClusterSecrets
@@ -67,6 +71,28 @@ func TestFlattenDataSourceClusterSecretsInto(t *testing.T) {
 			},
 			want: _default,
 		},
+		{
+			name: "ClusterCaCert - default",
+			args: args{
+				in: func() resources.ClusterSecrets {
+					subject := resources.ClusterSecrets{}
+					subject.ClusterCaCert = ""
+					return subject
+				}(),
+			},
+			want: _default,
+		},
+		{
+			name: "ClusterCaKey - default",
+			args: args{
+				in: func() resources.ClusterSecrets {
+					subject := resources.ClusterSecrets{}
+					subject.ClusterCaKey = ""
+					return subject
+				}(),
+			},
+			want: _default,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -81,7 +107,9 @@ func TestFlattenDataSourceClusterSecretsInto(t *testing.T) {
 
 func TestFlattenDataSourceClusterSecrets(t *testing.T) {
 	_default := map[string]interface{}{
-		"docker_config": "",
+		"docker_config":   "",
+		"cluster_ca_cert": "",
+		"cluster_ca_key":  "",
 	}
 	type args struct {
 		in resources.ClusterSecrets
@@ -109,6 +137,28 @@ func TestFlattenDataSourceClusterSecrets(t *testing.T) {
 			},
 			want: _default,
 		},
+		{
+			name: "ClusterCaCert - default",
+			args: args{
+				in: func() resources.ClusterSecrets {
+					subject := resources.ClusterSecrets{}
+					subject.ClusterCaCert = ""
+					return subject
+				}(),
+			},
+			want: _default,
+		},
+		{
+			name: "ClusterCaKey - default",
+			args: args{
+				in: func() resources.ClusterSecrets {
+					subject := resources.ClusterSecrets{}
+					subject.ClusterCaKey = ""
+					return subject
+				}(),
+			},
+			want: _default,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/schemas/resources/Resource_ClusterSecrets.generated.go

@@ -11,7 +11,9 @@ var _ = Schema
 func ResourceClusterSecrets() *schema.Resource {
 	res := &schema.Resource{
 		Schema: map[string]*schema.Schema{
-			"docker_config": Sensitive(OptionalString()),
+			"docker_config":   Sensitive(OptionalString()),
+			"cluster_ca_cert": Sensitive(OptionalComputedString()),
+			"cluster_ca_key":  Sensitive(OptionalComputedString()),
 		},
 	}
 
@@ -26,13 +28,25 @@ func ExpandResourceClusterSecrets(in map[string]interface{}) resources.ClusterSe
 		DockerConfig: func(in interface{}) string {
 			return string(ExpandString(in))
 		}(in["docker_config"]),
+		ClusterCaCert: func(in interface{}) string {
+			return string(ExpandString(in))
+		}(in["cluster_ca_cert"]),
+		ClusterCaKey: func(in interface{}) string {
+			return string(ExpandString(in))
+		}(in["cluster_ca_key"]),
 	}
 }
 
 func FlattenResourceClusterSecretsInto(in resources.ClusterSecrets, out map[string]interface{}) {
 	out["docker_config"] = func(in string) interface{} {
 		return FlattenString(string(in))
 	}(in.DockerConfig)
+	out["cluster_ca_cert"] = func(in string) interface{} {
+		return FlattenString(string(in))
+	}(in.ClusterCaCert)
+	out["cluster_ca_key"] = func(in string) interface{} {
+		return FlattenString(string(in))
+	}(in.ClusterCaKey)
 }
 
 func FlattenResourceClusterSecrets(in resources.ClusterSecrets) map[string]interface{} {