Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 9251121fa91a518bc7f60d7589975f917ccc2cc2^! / . / cluster / machines / modules / kube-controlplane.nix
commit9251121fa91a518bc7f60d7589975f917ccc2cc2[log] [tgz]
authorSerge Bazanski <q3k@hackerspace.pl>Sat Apr 01 13:50:02 2023 +0000
committerq3k <q3k@hackerspace.pl>Sat Apr 01 13:55:18 2023 +0000
tree8588fe58905ac96bb550b70b429e200e51129809
parentbdf2fa326f6406095fc166d8b0bdb9a0cc423608 [diff] [blame]
cluster/certs: remove old kube CA

This completes the migration away from the old CA/cert infrastructure.

The tool which was used to generate all these certs will come next. It's
effectively a reimplementation of clustercfg in Go.

We also removed the unused kube-serviceaccounts cert, which was
generated by the old tooling for no good reason (we only need a key for
service accounts, not an actual cert...).

Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501
Reviewed-by: q3k <q3k@hackerspace.pl>

diff --git a/cluster/machines/modules/kube-controlplane.nix b/cluster/machines/modules/kube-controlplane.nix
index d38b91f..f503924 100644
--- a/cluster/machines/modules/kube-controlplane.nix
+++ b/cluster/machines/modules/kube-controlplane.nix

@@ -82,8 +82,7 @@
       # k8s components manually.
       roles = [];
       addons.dns.enable = false;
-      # TODO(q3k): undo after CA migration done
-      #caFile = pki.kube.apiserver.ca;
+      caFile = pki.kube.apiserver.ca;
       clusterCidr = "10.10.16.0/20";
 
       apiserver = rec {
@@ -103,15 +102,11 @@
 
         tlsCertFile = pki.kube.apiserver.cert;
         tlsKeyFile = pki.kube.apiserver.key;
-        # TODO(q3k): undo after CA migration done
-        #clientCaFile = pki.kube.apiserver.ca;
-        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        clientCaFile = pki.kube.apiserver.ca;
 
         kubeletHttps = true;
         # Same CA as main APIServer CA.
-        # TODO(q3k): undo after CA migration done
-        #kubeletClientCaFile = pki.kube.apiserver.ca;
-        kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        kubeletClientCaFile = pki.kube.apiserver.ca;
         kubeletClientCertFile = pki.kube.apiserver.cert;
         kubeletClientKeyFile = pki.kube.apiserver.key;
 
@@ -150,24 +145,19 @@
         leaderElect = true;
         serviceAccountKeyFile = pki.kube.serviceaccounts.key;
         rootCaFile = pki.kube.ca;
-        # TODO(q3k): undo after CA migration done 
         extraOpts = ''
           --service-cluster-ip-range=10.10.12.0/24 \
           --use-service-account-credentials=true \
           --secure-port=${toString cfg.portControllerManagerSecure}\
           --authentication-kubeconfig=${kubeconfig}\
           --authorization-kubeconfig=${kubeconfig}\
-          --root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
         '';
         kubeconfig = pki.kube.controllermanager.config;
       };
 
       scheduler = let
         top = config.services.kubernetes;
-        # TODO(q3k): undo after CA migration done 
-        kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config //  {
-          ca = ../../certs/ca-kube-new-and-old.crt;
-        });
+        kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.scheduler.config;
       in {
         enable = true;
         address = "0.0.0.0";