openshift · openshift-merge-robot · May 7, 2019 · May 7, 2019
diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -96,7 +96,7 @@ then
 		--volume "$PWD:/assets:z" \
 		"${KUBE_APISERVER_OPERATOR_IMAGE}" \
 		/usr/bin/cluster-kube-apiserver-operator render \
-		--manifest-etcd-serving-ca=etcd-client-ca.crt \
+		--manifest-etcd-serving-ca=etcd-ca-bundle.crt \
 		--manifest-etcd-server-urls={{.EtcdCluster}} \
 		--manifest-image=${OPENSHIFT_HYPERSHIFT_IMAGE} \
 		--asset-input-dir=/assets/tls \
@@ -173,7 +173,7 @@ then
 		--volume "$PWD:/assets:z" \
 		"${MACHINE_CONFIG_OPERATOR_IMAGE}" \
 		bootstrap \
-			--etcd-ca=/assets/tls/etcd-client-ca.crt \
+			--etcd-ca=/assets/tls/etcd-ca-bundle.crt \
 			--etcd-metric-ca=/assets/tls/etcd-metric-ca-bundle.crt \
 			--root-ca=/assets/tls/root-ca.crt \
 			--kube-ca=/assets/tls/kube-apiserver-complete-client-ca-bundle.crt \
@@ -228,8 +228,8 @@ podman run \
 	--network host \
 	"${KUBE_ETCD_SIGNER_SERVER_IMAGE}" \
 	serve \
-	--cacrt=/opt/openshift/tls/etcd-client-ca.crt \
-	--cakey=/opt/openshift/tls/etcd-client-ca.key \
+	--cacrt=/opt/openshift/tls/etcd-signer.crt \
+	--cakey=/opt/openshift/tls/etcd-signer.key \
 	--metric-cacrt=/opt/openshift/tls/etcd-metric-signer.crt \
 	--metric-cakey=/opt/openshift/tls/etcd-metric-signer.key \
 	--servcrt=/opt/openshift/tls/kube-apiserver-lb-server.crt \
@@ -256,7 +256,7 @@ until podman run \
 		--entrypoint etcdctl \
 		"${MACHINE_CONFIG_ETCD_IMAGE}" \
 		--dial-timeout=10m \
-		--cacert=/opt/openshift/tls/etcd-client-ca.crt \
+		--cacert=/opt/openshift/tls/etcd-ca-bundle.crt \
 		--cert=/opt/openshift/tls/etcd-client.crt \
 		--key=/opt/openshift/tls/etcd-client.key \
 		--endpoints={{.EtcdCluster}} \

diff --git a/data/data/manifests/bootkube/etcd-client-secret.yaml.template b/data/data/manifests/bootkube/etcd-client-secret.yaml.template
@@ -5,5 +5,5 @@ metadata:
   namespace: openshift-config
 type: SecretTypeTLS
 data:
-  tls.crt: {{ .EtcdClientCert }}
-  tls.key: {{ .EtcdClientKey }}
+  tls.crt: {{ .EtcdSignerClientCert }}
+  tls.key: {{ .EtcdSignerClientKey }}
diff --git a/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template b/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template
@@ -5,4 +5,4 @@ metadata:
   namespace: openshift-config
 data:
   ca-bundle.crt: |
-    {{.EtcdCaCert | indent 4}}
+    {{.EtcdCaBundle | indent 4}}
diff --git a/data/data/manifests/bootkube/etcd-signer-client-secret.yaml.template b/data/data/manifests/bootkube/etcd-signer-client-secret.yaml.template
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -66,9 +66,7 @@ func (a *Bootstrap) Dependencies() []asset.Asset {
 		&tls.AggregatorClientCertKey{},
 		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerProxyCertKey{},
-		&tls.EtcdCA{},
 		&tls.EtcdCABundle{},
-		&tls.EtcdClientCertKey{},
 		&tls.EtcdMetricCABundle{},
 		&tls.EtcdMetricSignerCertKey{},
 		&tls.EtcdMetricSignerClientCertKey{},
@@ -384,9 +382,7 @@ func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
 		&tls.AggregatorClientCertKey{},
 		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerProxyCertKey{},
-		&tls.EtcdCA{},
 		&tls.EtcdCABundle{},
-		&tls.EtcdClientCertKey{},
 		&tls.EtcdMetricCABundle{},
 		&tls.EtcdMetricSignerCertKey{},
 		&tls.EtcdMetricSignerClientCertKey{},

diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
@@ -60,11 +60,9 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&Infrastructure{},
 		&Networking{},
 		&tls.RootCA{},
-		&tls.EtcdCA{},
 		&tls.EtcdSignerCertKey{},
 		&tls.EtcdCABundle{},
 		&tls.EtcdSignerClientCertKey{},
-		&tls.EtcdClientCertKey{},
 		&tls.EtcdMetricCABundle{},
 		&tls.EtcdMetricSignerCertKey{},
 		&tls.EtcdMetricSignerClientCertKey{},
@@ -80,7 +78,6 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&bootkube.EtcdMetricSignerSecret{},
 		&bootkube.EtcdNamespace{},
 		&bootkube.EtcdService{},
-		&bootkube.EtcdSignerClientSecret{},
 		&bootkube.EtcdSignerSecret{},
 		&bootkube.KubeCloudConfig{},
 		&bootkube.EtcdServingCAConfigMap{},
@@ -139,9 +136,7 @@ func (m *Manifests) Files() []*asset.File {
 func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*asset.File {
 	clusterID := &installconfig.ClusterID{}
 	installConfig := &installconfig.InstallConfig{}
-	etcdCA := &tls.EtcdCA{}
 	mcsCertKey := &tls.MCSCertKey{}
-	etcdClientCertKey := &tls.EtcdClientCertKey{}
 	etcdMetricCABundle := &tls.EtcdMetricCABundle{}
 	etcdMetricSignerClientCertKey := &tls.EtcdMetricSignerClientCertKey{}
 	etcdMetricSignerCertKey := &tls.EtcdMetricSignerCertKey{}
@@ -152,11 +147,9 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 	dependencies.Get(
 		clusterID,
 		installConfig,
-		etcdCA,
 		etcdSignerCertKey,
 		etcdCABundle,
 		etcdSignerClientCertKey,
-		etcdClientCertKey,
 		etcdMetricCABundle,
 		etcdMetricSignerClientCertKey,
 		etcdMetricSignerCertKey,
@@ -171,12 +164,7 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 
 	templateData := &bootkubeTemplateData{
 		CVOClusterID:               clusterID.UUID,
-		EtcdCaBundle:               base64.StdEncoding.EncodeToString(etcdCABundle.Cert()),
-		EtcdCaCert:                 string(etcdCA.Cert()),
-		EtcdClientCaCert:           base64.StdEncoding.EncodeToString(etcdCA.Cert()),
-		EtcdClientCaKey:            base64.StdEncoding.EncodeToString(etcdCA.Key()),
-		EtcdClientCert:             base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
-		EtcdClientKey:              base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
+		EtcdCaBundle:               string(etcdCABundle.Cert()),
 		EtcdEndpointDNSSuffix:      installConfig.Config.ClusterDomain(),
 		EtcdEndpointHostnames:      etcdEndpointHostnames,
 		EtcdMetricCaCert:           string(etcdMetricCABundle.Cert()),
@@ -208,7 +196,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 		&bootkube.EtcdService{},
 		&bootkube.EtcdServingCAConfigMap{},
 		&bootkube.EtcdSignerSecret{},
-		&bootkube.EtcdSignerClientSecret{},
 		&bootkube.KubeCloudConfig{},
 		&bootkube.KubeSystemConfigmapRootCA{},
 		&bootkube.MachineConfigServerTLSSecret{},

diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
@@ -39,11 +39,6 @@ type cloudCredsSecretData struct {
 type bootkubeTemplateData struct {
 	CVOClusterID               string
 	EtcdCaBundle               string
-	EtcdCaCert                 string
-	EtcdClientCaCert           string
-	EtcdClientCaKey            string
-	EtcdClientCert             string
-	EtcdClientKey              string
 	EtcdEndpointDNSSuffix      string
 	EtcdEndpointHostnames      []string
 	EtcdMetricCaCert           string

diff --git a/pkg/asset/templates/content/bootkube/etcd-client-secret.go b/pkg/asset/templates/content/bootkube/etcd-client-secret.go
@@ -12,11 +12,9 @@ const (
 	etcdClientSecretFileName = "etcd-client-secret.yaml.template"
 )
 
-var etcdClientCertFiles = []string{etcdClientSecretFileName}
-
 var _ asset.WritableAsset = (*EtcdClientSecret)(nil)
 
-// EtcdClientSecret is an asset for the etcd client secret
+// EtcdClientSecret is an asset for the etcd client signer
 type EtcdClientSecret struct {
 	FileList []*asset.File
 }
@@ -33,18 +31,17 @@ func (t *EtcdClientSecret) Name() string {
 
 // Generate generates the actual files by this asset
 func (t *EtcdClientSecret) Generate(parents asset.Parents) error {
-	t.FileList = []*asset.File{}
-	for _, fileName := range etcdClientCertFiles {
-		data, err := content.GetBootkubeTemplate(fileName)
-		if err != nil {
-			return err
-		}
-		t.FileList = append(t.FileList, &asset.File{
+	fileName := etcdClientSecretFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
 			Filename: filepath.Join(content.TemplateDir, fileName),
 			Data:     []byte(data),
-		})
+		},
 	}
-
 	return nil
 }
 
@@ -55,17 +52,13 @@ func (t *EtcdClientSecret) Files() []*asset.File {
 
 // Load returns the asset from disk.
 func (t *EtcdClientSecret) Load(f asset.FileFetcher) (bool, error) {
-	t.FileList = []*asset.File{}
-	for _, fileName := range etcdClientCertFiles {
-		file, err := f.FetchByName(filepath.Join(content.TemplateDir, fileName))
-		if err != nil {
-			if os.IsNotExist(err) {
-				return false, nil
-			}
-			return false, err
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, etcdClientSecretFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
 		}
-		t.FileList = append(t.FileList, file)
+		return false, err
 	}
-
+	t.FileList = []*asset.File{file}
 	return true, nil
 }
diff --git a/pkg/asset/templates/content/bootkube/etcd-signer-client-secret.go b/pkg/asset/templates/content/bootkube/etcd-signer-client-secret.go
diff --git a/pkg/asset/tls/etcd.go b/pkg/asset/tls/etcd.go
@@ -7,75 +7,6 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 )
 
-// EtcdCA is the asset that generates the etcd-ca key/cert pair.
-// [DEPRECATED]
-type EtcdCA struct {
-	SelfSignedCertKey
-}
-
-var _ asset.Asset = (*EtcdCA)(nil)
-
-// Dependencies returns the dependency of the the cert/key pair, which includes
-// the parent CA, and install config if it depends on the install config for
-// DNS names, etc.
-func (a *EtcdCA) Dependencies() []asset.Asset {
-	return []asset.Asset{}
-}
-
-// Generate generates the cert/key pair based on its dependencies.
-func (a *EtcdCA) Generate(dependencies asset.Parents) error {
-	cfg := &CertCfg{
-		Subject:   pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
-		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		Validity:  ValidityTenYears,
-		IsCA:      true,
-	}
-
-	return a.SelfSignedCertKey.Generate(cfg, "etcd-client-ca")
-}
-
-// Name returns the human-friendly name of the asset.
-func (a *EtcdCA) Name() string {
-	return "Certificate (etcd)"
-}
-
-// EtcdClientCertKey is the asset that generates the etcd client key/cert pair.
-// [DEPRECATED]
-type EtcdClientCertKey struct {
-	SignedCertKey
-}
-
-var _ asset.Asset = (*EtcdClientCertKey)(nil)
-
-// Dependencies returns the dependency of the the cert/key pair, which includes
-// the parent CA, and install config if it depends on the install config for
-// DNS names, etc.
-func (a *EtcdClientCertKey) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&EtcdCA{},
-	}
-}
-
-// Generate generates the cert/key pair based on its dependencies.
-func (a *EtcdClientCertKey) Generate(dependencies asset.Parents) error {
-	etcdCA := &EtcdCA{}
-	dependencies.Get(etcdCA)
-
-	cfg := &CertCfg{
-		Subject:      pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
-		KeyUsages:    x509.KeyUsageKeyEncipherment,
-		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-		Validity:     ValidityTenYears,
-	}
-
-	return a.SignedCertKey.Generate(cfg, etcdCA, "etcd-client", DoNotAppendParent)
-}
-
-// Name returns the human-friendly name of the asset.
-func (a *EtcdClientCertKey) Name() string {
-	return "Certificate (etcd)"
-}
-
 // EtcdSignerCertKey is a key/cert pair that signs the etcd client and peer certs.
 type EtcdSignerCertKey struct {
 	SelfSignedCertKey
@@ -163,10 +94,10 @@ func (a *EtcdSignerClientCertKey) Generate(dependencies asset.Parents) error {
 		Validity:     ValidityTenYears,
 	}
 
-	return a.SignedCertKey.Generate(cfg, ca, "etcd-signer-client", DoNotAppendParent)
+	return a.SignedCertKey.Generate(cfg, ca, "etcd-client", DoNotAppendParent)
 }
 
 // Name returns the human-friendly name of the asset.
 func (a *EtcdSignerClientCertKey) Name() string {
-	return "Certificate (etcd-signer-client)"
+	return "Certificate (etcd-client)"
 }