cluster/certs: remove old kube CA
This completes the migration away from the old CA/cert infrastructure.
The tool which was used to generate all these certs will come next. It's
effectively a reimplementation of clustercfg in Go.
We also removed the unused kube-serviceaccounts cert, which was
generated by the old tooling for no good reason (we only need a key for
service accounts, not an actual cert...).
Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/machines/modules/kube-controlplane.nix b/cluster/machines/modules/kube-controlplane.nix
index d38b91f..f503924 100644
--- a/cluster/machines/modules/kube-controlplane.nix
+++ b/cluster/machines/modules/kube-controlplane.nix
@@ -82,8 +82,7 @@
# k8s components manually.
roles = [];
addons.dns.enable = false;
- # TODO(q3k): undo after CA migration done
- #caFile = pki.kube.apiserver.ca;
+ caFile = pki.kube.apiserver.ca;
clusterCidr = "10.10.16.0/20";
apiserver = rec {
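Review bot: Re-enabling `caFile = pki.kube.apiserver.ca;` drops the TODO that explained why the option was unset, and nothing now records that a transitional trust bundle ever existed; a short comment such as `# Cluster CA for kube components; the transitional new-and-old bundle was retired with the CA migration.` would help the next reader. The controller-manager further down in this file sets `rootCaFile = pki.kube.ca;`, a different attribute path from the `pki.kube.apiserver.ca` used here; if both resolve to the same certificate, saying so in the comment avoids the question, and if they do not, the difference in what each component trusts deserves an explicit note.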
@@ -103,15 +102,11 @@
tlsCertFile = pki.kube.apiserver.cert;
tlsKeyFile = pki.kube.apiserver.key;
- # TODO(q3k): undo after CA migration done
- #clientCaFile = pki.kube.apiserver.ca;
- clientCaFile = ../../certs/ca-kube-new-and-old.crt;
+ clientCaFile = pki.kube.apiserver.ca;
kubeletHttps = true;
# Same CA as main APIServer CA.
- # TODO(q3k): undo after CA migration done
- #kubeletClientCaFile = pki.kube.apiserver.ca;
- kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
+ kubeletClientCaFile = pki.kube.apiserver.ca;
kubeletClientCertFile = pki.kube.apiserver.cert;
kubeletClientKeyFile = pki.kube.apiserver.key;
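Review bot: `clientCaFile` and `kubeletClientCaFile` now trust only `pki.kube.apiserver.ca`, so any client or kubelet certificate still signed by the retired CA is rejected by the API server the moment this is deployed; that is the intended end state, but unlike the previous new-and-old bundle it is a hard cutover with no grace period. This diff cannot show whether every kubelet and client credential has already been reissued from the new CA, so that should be confirmed before rollout, and API-server TLS client verification failures watched afterwards. The "Same CA as main APIServer CA." comment above `kubeletClientCaFile` is accurate again and should stay.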
@@ -150,24 +145,19 @@
leaderElect = true;
serviceAccountKeyFile = pki.kube.serviceaccounts.key;
rootCaFile = pki.kube.ca;
- # TODO(q3k): undo after CA migration done
extraOpts = ''
--service-cluster-ip-range=10.10.12.0/24 \
--use-service-account-credentials=true \
--secure-port=${toString cfg.portControllerManagerSecure}\
--authentication-kubeconfig=${kubeconfig}\
--authorization-kubeconfig=${kubeconfig}\
- --root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
'';
kubeconfig = pki.kube.controllermanager.config;
};
scheduler = let
top = config.services.kubernetes;
- # TODO(q3k): undo after CA migration done
- kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config // {
- ca = ../../certs/ca-kube-new-and-old.crt;
- });
+ kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.scheduler.config;
in {
enable = true;
address = "0.0.0.0";