Node Secrets

As present a number of secrets are downloaded to the /src/kubernetes directory regardless of role (master, node). This limits the the node role to only donwload the ca.crt. The rest are for master nodes only - removes basic_auth.csv, ca.key, known_tokens.csv, server.cert and server.key leaving only the ca.crt
kubernetes · Jul 26, 2017 · d9da2f5 · d9da2f5
1 parent c9e651b
commit d9da2f5
Showing 1 changed file with 13 additions and 22 deletions.
diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
@@ -18,10 +18,11 @@ package model
 
 import (
 	"fmt"
-	"k8s.io/kops/upup/pkg/fi"
-	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 	"path/filepath"
 	"strings"
+
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 
 // SecretBuilder writes secrets
@@ -31,11 +32,13 @@ type SecretBuilder struct {
 
 var _ fi.ModelBuilder = &SecretBuilder{}
 
+// Build is responisble for pulling down the secrets
 func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 	if b.KeyStore == nil {
 		return fmt.Errorf("KeyStore not set")
 	}
 
+	// retrieve the platform ca
 	{
 		ca, err := b.KeyStore.CertificatePool(fi.CertificateId_CA)
 		if err != nil {
@@ -55,7 +58,13 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}
 
-	{
+	// if we are not a master we can stop here
+	if !b.IsMaster {
+		return nil
+	}
+
+	// grab the server.{key,cert} from keystore
+	for _, filename := range []string{"server.cert", "server.key"} {
 		cert, err := b.KeyStore.Cert("master")
 		if err != nil {
 			return err
@@ -67,25 +76,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 
 		t := &nodetasks.File{
-			Path:     filepath.Join(b.PathSrvKubernetes(), "server.cert"),
-			Contents: fi.NewStringResource(serialized),
-			Type:     nodetasks.FileType_File,
-		}
-		c.AddTask(t)
-	}
-	{
-		k, err := b.KeyStore.PrivateKey("master")
-		if err != nil {
-			return err
-		}
-
-		serialized, err := k.AsString()
-		if err != nil {
-			return err
-		}
-
-		t := &nodetasks.File{
-			Path:     filepath.Join(b.PathSrvKubernetes(), "server.key"),
+			Path:     filepath.Join(b.PathSrvKubernetes(), filename),
 			Contents: fi.NewStringResource(serialized),
 			Type:     nodetasks.FileType_File,
 		}