commit 9251121fa91a518bc7f60d7589975f917ccc2cc2
author Serge Bazanski <q3k@hackerspace.pl> Sat Apr 01 13:50:02 2023 +0000
committer q3k <q3k@hackerspace.pl> Sat Apr 01 13:55:18 2023 +0000
tree 8588fe58905ac96bb550b70b429e200e51129809
parent bdf2fa326f6406095fc166d8b0bdb9a0cc423608

cluster/certs: remove old kube CA

This completes the migration away from the old CA/cert infrastructure.

The tool which was used to generate all these certs will come next. It's
effectively a reimplementation of clustercfg in Go.

We also removed the unused kube-serviceaccounts cert, which was
generated by the old tooling for no good reason (we only need a key for
service accounts, not an actual cert...).

Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501
Reviewed-by: q3k <q3k@hackerspace.pl>

cluster/machines/modules/kube-dataplane.nix

diff --git a/cluster/machines/modules/kube-dataplane.nix b/cluster/machines/modules/kube-dataplane.nix
index fd87dbc..45efcd2 100644
--- a/cluster/machines/modules/kube-dataplane.nix
+++ b/cluster/machines/modules/kube-dataplane.nix
@@ -72,9 +72,7 @@
         hostname = fqdn;
         tlsCertFile = pki.kube.kubelet.cert;
         tlsKeyFile = pki.kube.kubelet.key;
-        # TODO(q3k): undo after CA migration done
-        #clientCaFile = pki.kube.kubelet.ca;
-        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
+        clientCaFile = pki.kube.kubelet.ca;
         nodeIp = config.hscloud.base.ipAddr;
         networkPlugin = "cni";
         clusterDns = "10.10.12.254";