Merge pull request #198 from vincepri/remove-kubeconfig-generation

⚠️ Remove kubeconfig generation

Author: k8s-ci-robot

certs/certs.go

@@ -200,25 +200,3 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 	}
 	return pem.EncodeToMemory(&block), nil
 }
-
-// DecodeCertPEM attempts to return a decoded certificate or nil
-// if the encoded input does not contain a certificate.
-func DecodeCertPEM(encoded []byte) (*x509.Certificate, error) {
-	block, _ := pem.Decode(encoded)
-	if block == nil {
-		return nil, nil
-	}
-
-	return x509.ParseCertificate(block.Bytes)
-}
-
-// DecodePrivateKeyPEM attempts to return a decoded key or nil
-// if the encoded input does not contain a private key.
-func DecodePrivateKeyPEM(encoded []byte) (*rsa.PrivateKey, error) {
-	block, _ := pem.Decode(encoded)
-	if block == nil {
-		return nil, nil
-	}
-
-	return x509.ParsePKCS1PrivateKey(block.Bytes)
-}

certs/utils.go

@@ -23,14 +23,12 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/hex"
-	"fmt"
 	"math"
 	"math/big"
 	"strings"
 	"time"
 
 	"github.com/pkg/errors"
-	"k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/client-go/util/cert"
 )
 
@@ -96,50 +94,6 @@ func (c *Certificates) ToMap() map[string][]byte {
 	}
 }
 
-// NewKubeconfig creates a new Kubeconfig where endpoint is the ELB endpoint.
-func NewKubeconfig(clusterName, endpoint string, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*api.Config, error) {
-	cfg := &Config{
-		CommonName:   "kubernetes-admin",
-		Organization: []string{"system:masters"},
-		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-	}
-
-	clientKey, err := NewPrivateKey()
-	if err != nil {
-		return nil, errors.Wrap(err, "unable to create private key")
-	}
-
-	clientCert, err := cfg.NewSignedCert(clientKey, caCert, caKey)
-	if err != nil {
-		return nil, errors.Wrap(err, "unable to sign certificate")
-	}
-
-	userName := "kubernetes-admin"
-	contextName := fmt.Sprintf("%s@%s", userName, clusterName)
-
-	return &api.Config{
-		Clusters: map[string]*api.Cluster{
-			clusterName: {
-				Server:                   endpoint,
-				CertificateAuthorityData: EncodeCertPEM(caCert),
-			},
-		},
-		Contexts: map[string]*api.Context{
-			contextName: {
-				Cluster:  clusterName,
-				AuthInfo: userName,
-			},
-		},
-		AuthInfos: map[string]*api.AuthInfo{
-			userName: {
-				ClientKeyData:         EncodePrivateKeyPEM(clientKey),
-				ClientCertificateData: EncodeCertPEM(clientCert),
-			},
-		},
-		CurrentContext: contextName,
-	}, nil
-}
-
 // NewSignedCert creates a signed certificate using the given CA certificate and key
 func (cfg *Config) NewSignedCert(key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
 	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))

controllers/kubeadmconfig_controller.go

@@ -29,7 +29,6 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/client-go/tools/clientcmd"
 	bootstrapv1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/api/v1alpha2"
 	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/certs"
 	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/cloudinit"
@@ -234,12 +233,6 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 			}
 		}
 
-		err = r.createKubeconfigSecret(ctx, config.Spec.ClusterConfiguration.ClusterName, config.Spec.ClusterConfiguration.ControlPlaneEndpoint, req.Namespace, certificates)
-		if err != nil {
-			log.Error(err, "unable to create and write kubeconfig as a Secret")
-			return ctrl.Result{}, err
-		}
-
 		cloudInitData, err := cloudinit.NewInitControlPlane(&cloudinit.ControlPlaneInput{
 			BaseUserData: cloudinit.BaseUserData{
 				AdditionalFiles:     config.Spec.Files,
@@ -547,39 +540,3 @@ func (r *KubeadmConfigReconciler) createClusterCertificates(ctx context.Context,
 
 	return certificates, nil
 }
-
-func (r *KubeadmConfigReconciler) createKubeconfigSecret(ctx context.Context, clusterName, endpoint, namespace string, certificates *certs.Certificates) error {
-	cert, err := certs.DecodeCertPEM(certificates.ClusterCA.Cert)
-	if err != nil {
-		return errors.Wrap(err, "failed to decode CA Cert")
-	} else if cert == nil {
-		return errors.New("certificate not found in config")
-	}
-
-	key, err := certs.DecodePrivateKeyPEM(certificates.ClusterCA.Key)
-	if err != nil {
-		return errors.Wrap(err, "failed to decode private key")
-	} else if key == nil {
-		return errors.New("CA private key not found")
-	}
-
-	server := fmt.Sprintf("https://%s", endpoint)
-	cfg, err := certs.NewKubeconfig(clusterName, server, cert, key)
-	if err != nil {
-		return errors.Wrap(err, "failed to generate a kubeconfig")
-	}
-
-	yaml, err := clientcmd.Write(*cfg)
-	if err != nil {
-		return errors.Wrap(err, "failed to serialize config to yaml")
-	}
-
-	secret := &corev1.Secret{}
-	secretName := fmt.Sprintf("%s-kubeconfig", clusterName)
-
-	secret.ObjectMeta.Name = secretName
-	secret.ObjectMeta.Namespace = namespace
-	secret.StringData = map[string]string{"value": string(yaml)}
-
-	return r.Create(ctx, secret)
-}