cluster/prodaccess: use the correct cluster CA cert

Adds //cluster/k1/certs go package, and changes prodaccess to look up the correct one based on the -cluster flag. This should complete the transition of prodaccess to multicluster. Change-Id: If65fab8f898a48ec16e6de7eeb02fd0aacee30b4 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2117 Reviewed-by: q3k <q3k@hackerspace.pl>
2025-02-10 23:56:45 +00:00 · 2025-01-12 14:32:17 +01:00 · 2025-01-12 14:32:17 +01:00 · 31a32a816c
commit 31a32a816c
parent bed52d89db
5 changed files with 49 additions and 4 deletions
--- a/cluster/k1/certs/BUILD.bazel
+++ b/cluster/k1/certs/BUILD.bazel
@ -0,0 +1,11 @@
+load("@rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "certs",
+    srcs = [
+        "certs.go",  # keep
+    ],
+    embedsrcs = glob(["*.crt"]),
+    importpath = "code.hackerspace.pl/hscloud/cluster/k1/certs",  # keep
+    visibility = ["//visibility:public"],
+)
--- a/cluster/k1/certs/certs.go
+++ b/cluster/k1/certs/certs.go
@ -0,0 +1,10 @@
+package certs
+
+import _ "embed"
+
+//go:embed ca-kube.crt
+var caKubeCrt []byte
+
+var Data = map[string][]byte{
+	"ca-kube.crt": caKubeCrt,
+}
--- a/cluster/prodaccess/BUILD.bazel
+++ b/cluster/prodaccess/BUILD.bazel
@ -6,13 +6,15 @@ go_library(
        "hspki.go",
        "kubernetes.go",
        "prodaccess.go",
+        "certs.go",
    ],
    importpath = "code.hackerspace.pl/hscloud/cluster/prodaccess",
    visibility = ["//visibility:private"],
    deps = [
        "//cluster/certs",
-        "//cluster/prodvider/proto",
        "//cluster/clustercfg/clusters",
+        "//cluster/k1/certs",
+        "//cluster/prodvider/proto",
        "//go/pki",
        "//go/workspace",
        "@com_github_golang_glog//:glog",
--- a/cluster/prodaccess/certs.go
+++ b/cluster/prodaccess/certs.go
@ -0,0 +1,24 @@
+package main
+
+import (
+	"log"
+
+	"code.hackerspace.pl/hscloud/cluster/clustercfg/clusters"
+
+	k0Certs "code.hackerspace.pl/hscloud/cluster/certs"
+	k1Certs "code.hackerspace.pl/hscloud/cluster/k1/certs"
+)
+
+var clusterCerts = map[string][]byte{
+	"k0": k0Certs.Data["ca-kube.crt"],
+	"k1": k1Certs.Data["ca-kube.crt"],
+}
+
+func getCert(cluster clusters.Cluster) []byte {
+	cert, ok := clusterCerts[cluster.Name]
+	if !ok {
+		log.Fatalf("Missing certificate for cluster: %q", cluster.Name)
+	}
+
+	return cert
+}
--- a/cluster/prodaccess/prodaccess.go
+++ b/cluster/prodaccess/prodaccess.go
@ -16,7 +16,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"

-	"code.hackerspace.pl/hscloud/cluster/certs"
 	"code.hackerspace.pl/hscloud/cluster/clustercfg/clusters"
 	pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
 )
@ -59,8 +58,7 @@ func main() {
 	}

 	cp := x509.NewCertPool()
-	// TODO(radex): vary certs based on cluster
-	if ok := cp.AppendCertsFromPEM(certs.Data["ca-kube.crt"]); !ok {
+	if ok := cp.AppendCertsFromPEM(getCert(cluster)); !ok {
 		glog.Exitf("Could not load k8s CA")
 	}