Refactor keysets for etcd-manager

cmd/kops/create_keypair.go

@@ -23,10 +23,10 @@ import (
 	"io"
 	"io/ioutil"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	kopsapi "k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/client/simple"
@@ -78,15 +78,8 @@ type CreateKeypairOptions struct {
 	Primary        bool
 }
 
-var rotatableKeysets = sets.NewString(
-	"apiserver-aggregator-ca",
-	"etcd-clients-ca-cilium",
-	"kubernetes-ca",
-	"service-account",
-)
-
 func rotatableKeysetFilter(name string, _ *fi.Keyset) bool {
-	return rotatableKeysets.Has(name)
+	return name == "service-account" || strings.Contains(name, "-ca")
 }
 
 // NewCmdCreateKeypair returns a create keypair command.
@@ -134,7 +127,7 @@ func NewCmdCreateKeypair(f *util.Factory, out io.Writer) *cobra.Command {
 
 // RunCreateKeypair adds a custom CA certificate and private key.
 func RunCreateKeypair(ctx context.Context, f *util.Factory, out io.Writer, options *CreateKeypairOptions) error {
-	if !rotatableKeysets.Has(options.Keyset) {
+	if !rotatableKeysetFilter(options.Keyset, nil) {
 		return fmt.Errorf("adding keypair to %q is not supported", options.Keyset)
 	}
 

cmd/kops/promote_keypair.go

@@ -100,7 +100,7 @@ func NewCmdPromoteKeypair(f *util.Factory, out io.Writer) *cobra.Command {
 
 // RunPromoteKeypair promotes a keypair.
 func RunPromoteKeypair(ctx context.Context, f *util.Factory, out io.Writer, options *PromoteKeypairOptions) error {
-	if !rotatableKeysets.Has(options.Keyset) {
+	if !rotatableKeysetFilter(options.Keyset, nil) {
 		return fmt.Errorf("promoting keypairs for %q is not supported", options.Keyset)
 	}
 

nodeup/pkg/model/context.go

@@ -408,6 +408,15 @@ func (c *NodeupModelContext) KubectlPath() string {
 
 // BuildCertificatePairTask creates the tasks to create the certificate and private key files.
 func (c *NodeupModelContext) BuildCertificatePairTask(ctx *fi.ModelBuilderContext, name, path, filename string, owner *string, beforeServices []string) error {
+	return c.buildCertificatePairTask(ctx, name, path, filename, owner, beforeServices, true)
+}
+
+// BuildPrivateKeyTask creates the tasks to create the certificate and private key files.
+func (c *NodeupModelContext) BuildPrivateKeyTask(ctx *fi.ModelBuilderContext, name, path, filename string, owner *string, beforeServices []string) error {
+	return c.buildCertificatePairTask(ctx, name, path, filename, owner, beforeServices, false)
+}
+
+func (c *NodeupModelContext) buildCertificatePairTask(ctx *fi.ModelBuilderContext, name, path, filename string, owner *string, beforeServices []string, includeCert bool) error {
 	p := filepath.Join(path, filename)
 	if !filepath.IsAbs(p) {
 		p = filepath.Join(c.PathSrvKubernetes(), p)
@@ -432,24 +441,26 @@ func (c *NodeupModelContext) BuildCertificatePairTask(ctx *fi.ModelBuilderContex
 		return fmt.Errorf("did not find keypair %s for %s", keypairID, name)
 	}
 
-	certificate := item.Certificate
-	if certificate == nil {
-		return fmt.Errorf("certificate %q not found", name)
-	}
+	if includeCert {
+		certificate := item.Certificate
+		if certificate == nil {
+			return fmt.Errorf("certificate %q not found", name)
+		}
 
-	cert, err := certificate.AsString()
-	if err != nil {
-		return err
-	}
+		cert, err := certificate.AsString()
+		if err != nil {
+			return err
+		}
 
-	ctx.AddTask(&nodetasks.File{
-		Path:           p + ".crt",
-		Contents:       fi.NewStringResource(cert),
-		Type:           nodetasks.FileType_File,
-		Mode:           s("0600"),
-		Owner:          owner,
-		BeforeServices: beforeServices,
-	})
+		ctx.AddTask(&nodetasks.File{
+			Path:           p + ".crt",
+			Contents:       fi.NewStringResource(cert),
+			Type:           nodetasks.FileType_File,
+			Mode:           s("0600"),
+			Owner:          owner,
+			BeforeServices: beforeServices,
+		})
+	}
 
 	privateKey := item.PrivateKey
 	if privateKey == nil {
@@ -503,8 +514,8 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n
 	return nil
 }
 
-// BuildPrivateKeyTask builds a task to create a private key file.
-func (c *NodeupModelContext) BuildPrivateKeyTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
+// BuildLegacyPrivateKeyTask builds a task to create a private key file.
+func (c *NodeupModelContext) BuildLegacyPrivateKeyTask(ctx *fi.ModelBuilderContext, name, filename string, owner *string) error {
 	cert, err := c.KeyStore.FindPrivateKey(name)
 	if err != nil {
 		return err

nodeup/pkg/model/etcd_manager_tls.go

@@ -18,8 +18,10 @@ package model
 
 import (
 	"fmt"
+	"path/filepath"
 
 	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 
 // EtcdManagerTLSBuilder configures TLS support for etcd-manager
@@ -31,29 +33,25 @@ var _ fi.ModelBuilder = &EtcdManagerTLSBuilder{}
 
 // Build is responsible for TLS configuration for etcd-manager
 func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error {
-	if !b.HasAPIServer || !b.UseEtcdManager() {
+	if !b.IsMaster || !b.UseEtcdManager() {
 		return nil
 	}
 
 	for _, etcdCluster := range b.Cluster.Spec.EtcdClusters {
 		k := etcdCluster.Name
 
-		// The certs for cilium etcd are managed by CiliumBuilder
-		if k == "cilium" {
-			continue
-		}
-
 		d := "/etc/kubernetes/pki/etcd-manager-" + k
 
 		keys := make(map[string]string)
 
-		// Only nodes running etcd need the peers CA
-		if b.IsMaster {
-			keys["etcd-manager-ca"] = "etcd-manager-ca-" + k
-			keys["etcd-peers-ca"] = "etcd-peers-ca-" + k
-		}
+		keys["etcd-manager-ca"] = "etcd-manager-ca-" + k
+		keys["etcd-peers-ca"] = "etcd-peers-ca-" + k
+		keys["etcd-clients-ca"] = "etcd-clients-ca-" + k
+
 		// Because API server can only have a single client certificate for etcd, we need to share a client CA
-		keys["etcd-clients-ca"] = "etcd-clients-ca"
+		if k == "main" || k == "events" {
+			keys["etcd-clients-ca"] = "etcd-clients-ca"
+		}
 
 		for fileName, keystoreName := range keys {
 			cert, err := b.KeyStore.FindCert(keystoreName)
@@ -64,10 +62,14 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error {
 				return fmt.Errorf("keypair %q not found", keystoreName)
 			}
 
-			if err := b.BuildCertificateTask(ctx, keystoreName, d+"/"+fileName+".crt", nil); err != nil {
-				return err
-			}
-			if err := b.BuildPrivateKeyTask(ctx, keystoreName, d+"/"+fileName+".key", nil); err != nil {
+			ctx.AddTask(&nodetasks.File{
+				Path:     filepath.Join(d, fileName+".crt"),
+				Contents: fi.NewStringResource(b.NodeupConfig.CAs[keystoreName]),
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0600"),
+			})
+
+			if err := b.BuildPrivateKeyTask(ctx, keystoreName, d, fileName, nil, nil); err != nil {
 				return err
 			}
 		}

nodeup/pkg/model/kube_controller_manager.go

@@ -58,7 +58,7 @@ func (b *KubeControllerManagerBuilder) Build(c *fi.ModelBuilderContext) error {
 		return err
 	}
 
-	if err := b.BuildPrivateKeyTask(c, "service-account", filepath.Join(pathSrvKCM, "service-account.key"), nil); err != nil {
+	if err := b.BuildLegacyPrivateKeyTask(c, "service-account", filepath.Join(pathSrvKCM, "service-account.key"), nil); err != nil {
 		return err
 	}
 

nodeup/pkg/model/networking/cilium.go

@@ -100,30 +100,6 @@ WantedBy=multi-user.target
 }
 
 func (b *CiliumBuilder) buildCiliumEtcdSecrets(c *fi.ModelBuilderContext) error {
-
-	if b.IsMaster {
-		d := "/etc/kubernetes/pki/etcd-manager-cilium"
-
-		keys := make(map[string]string)
-		keys["etcd-manager-ca"] = "etcd-manager-ca-cilium"
-		keys["etcd-peers-ca"] = "etcd-peers-ca-cilium"
-		keys["etcd-clients-ca"] = "etcd-clients-ca-cilium"
-
-		for fileName, keystoreName := range keys {
-			_, err := b.KeyStore.FindCert(keystoreName)
-			if err != nil {
-				return err
-			}
-
-			if err := b.BuildCertificateTask(c, keystoreName, d+"/"+fileName+".crt", nil); err != nil {
-				return err
-			}
-			if err := b.BuildPrivateKeyTask(c, keystoreName, d+"/"+fileName+".key", nil); err != nil {
-				return err
-			}
-		}
-	}
-
 	name := "etcd-client-cilium"
 	dir := "/etc/kubernetes/pki/cilium"
 	signer := "etcd-clients-ca-cilium"

nodeup/pkg/model/protokube.go

@@ -107,7 +107,7 @@ func (t *ProtokubeBuilder) Build(c *fi.ModelBuilderContext) error {
 				}
 			}
 			for _, x := range []string{"etcd", "etcd-peer", "etcd-client"} {
-				if err := t.BuildPrivateKeyTask(c, x, fmt.Sprintf("%s-key.pem", x), nil); err != nil {
+				if err := t.BuildLegacyPrivateKeyTask(c, x, fmt.Sprintf("%s-key.pem", x), nil); err != nil {
 					return err
 				}
 			}

nodeup/pkg/model/secrets.go

@@ -134,7 +134,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}
 
-	if err := b.BuildPrivateKeyTask(c, "service-account", "service-account.key", nil); err != nil {
+	if err := b.BuildLegacyPrivateKeyTask(c, "service-account", "service-account.key", nil); err != nil {
 		return err
 	}