SecretStore and CAStore implementations backed by API

Not yet wired in
kubernetes · Sep 18, 2017 · 914fe68 · 914fe68
1 parent 0224883
commit 914fe68
Show file tree

Hide file tree

Showing 15 changed files with 845 additions and 52 deletions.
diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
@@ -98,16 +98,16 @@ func (c *NodeupModelContext) CNIConfDir() string {
 
 // buildPKIKubeconfig generates a kubeconfig
 func (c *NodeupModelContext) buildPKIKubeconfig(id string) (string, error) {
-	caCertificate, err := c.KeyStore.Cert(fi.CertificateId_CA)
+	caCertificate, err := c.KeyStore.Cert(fi.CertificateId_CA, false)
 	if err != nil {
 		return "", fmt.Errorf("error fetching CA certificate from keystore: %v", err)
 	}
 
-	certificate, err := c.KeyStore.Cert(id)
+	certificate, err := c.KeyStore.Cert(id, false)
 	if err != nil {
 		return "", fmt.Errorf("error fetching %q certificate from keystore: %v", id, err)
 	}
-	privateKey, err := c.KeyStore.PrivateKey(id)
+	privateKey, err := c.KeyStore.PrivateKey(id, false)
 	if err != nil {
 		return "", fmt.Errorf("error fetching %q private key from keystore: %v", id, err)
 	}

diff --git a/nodeup/pkg/model/convenience.go b/nodeup/pkg/model/convenience.go
@@ -94,7 +94,7 @@ func getProxyEnvVars(proxies *kops.EgressProxySpec) []v1.EnvVar {
 
 // buildCertificateRequest retrieves the certificate from a keystore
 func buildCertificateRequest(c *fi.ModelBuilderContext, b *NodeupModelContext, name, path string) error {
-	cert, err := b.KeyStore.Cert(name)
+	cert, err := b.KeyStore.Cert(name, false)
 	if err != nil {
 		return err
 	}
@@ -120,7 +120,7 @@ func buildCertificateRequest(c *fi.ModelBuilderContext, b *NodeupModelContext, n
 
 // buildPrivateKeyRequest retrieves a private key from the store
 func buildPrivateKeyRequest(c *fi.ModelBuilderContext, b *NodeupModelContext, name, path string) error {
-	k, err := b.KeyStore.PrivateKey(name)
+	k, err := b.KeyStore.PrivateKey(name, false)
 	if err != nil {
 		return err
 	}

diff --git a/nodeup/pkg/model/kubecontrollermanager.go b/nodeup/pkg/model/kubecontrollermanager.go
@@ -45,7 +45,7 @@ func (b *KubeControllerManagerBuilder) Build(c *fi.ModelBuilderContext) error {
 	// If we're using the CertificateSigner, include the CA Key
 	// TODO: use a per-machine key?  use KMS?
 	if b.useCertificateSigner() {
-		ca, err := b.KeyStore.PrivateKey(fi.CertificateId_CA)
+		ca, err := b.KeyStore.PrivateKey(fi.CertificateId_CA, false)
 		if err != nil {
 			return err
 		}

diff --git a/nodeup/pkg/model/protokube.go b/nodeup/pkg/model/protokube.go
@@ -331,7 +331,7 @@ func (t *ProtokubeBuilder) writeProxyEnvVars(buffer *bytes.Buffer) {
 
 // buildCertificateTask is responsible for build a certificate request task
 func (t *ProtokubeBuilder) buildCeritificateTask(c *fi.ModelBuilderContext, name, filename string) error {
-	cert, err := t.KeyStore.Cert(name)
+	cert, err := t.KeyStore.Cert(name, false)
 	if err != nil {
 		return err
 	}
@@ -353,7 +353,7 @@ func (t *ProtokubeBuilder) buildCeritificateTask(c *fi.ModelBuilderContext, name
 
 // buildPrivateKeyTask is responsible for build a certificate request task
 func (t *ProtokubeBuilder) buildPrivateTask(c *fi.ModelBuilderContext, name, filename string) error {
-	cert, err := t.KeyStore.PrivateKey(name)
+	cert, err := t.KeyStore.PrivateKey(name, false)
 	if err != nil {
 		return err
 	}

diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
@@ -40,7 +40,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	// retrieve the platform ca
 	{
-		ca, err := b.KeyStore.CertificatePool(fi.CertificateId_CA)
+		ca, err := b.KeyStore.CertificatePool(fi.CertificateId_CA, false)
 		if err != nil {
 			return err
 		}
@@ -79,7 +79,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	{
-		cert, err := b.KeyStore.Cert("master")
+		cert, err := b.KeyStore.Cert("master", false)
 		if err != nil {
 			return err
 		}
@@ -98,7 +98,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	{
-		k, err := b.KeyStore.PrivateKey("master")
+		k, err := b.KeyStore.PrivateKey("master", false)
 		if err != nil {
 			return err
 		}
@@ -118,7 +118,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	if b.IsKubernetesGTE("1.7") {
 
-		cert, err := b.KeyStore.Cert("apiserver-proxy-client")
+		cert, err := b.KeyStore.Cert("apiserver-proxy-client", false)
 		if err != nil {
 			return fmt.Errorf("apiserver proxy client cert lookup failed: %v", err.Error())
 		}
@@ -135,7 +135,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 		c.AddTask(t)
 
-		key, err := b.KeyStore.PrivateKey("apiserver-proxy-client")
+		key, err := b.KeyStore.PrivateKey("apiserver-proxy-client", false)
 		if err != nil {
 			return fmt.Errorf("apiserver proxy client private key lookup failed: %v", err.Error())
 		}

diff --git a/upup/pkg/fi/ca.go b/upup/pkg/fi/ca.go
@@ -59,10 +59,10 @@ type CAStore interface {
 	Keystore
 
 	// Cert returns the primary specified certificate
-	Cert(name string) (*pki.Certificate, error)
+	Cert(name string, createIfMissing bool) (*pki.Certificate, error)
 	// CertificatePool returns all active certificates with the specified id
-	CertificatePool(name string) (*CertificatePool, error)
-	PrivateKey(name string) (*pki.PrivateKey, error)
+	CertificatePool(name string, createIfMissing bool) (*CertificatePool, error)
+	PrivateKey(name string, createIfMissing bool) (*pki.PrivateKey, error)
 
 	FindCert(name string) (*pki.Certificate, error)
 	FindPrivateKey(name string) (*pki.PrivateKey, error)