Revert "Add per node kubelet server certificate"

This reverts commit b860e634db.

pki/util.go

@@ -136,34 +136,6 @@ func GenerateCACertAndKey(commonName string, privateKey *rsa.PrivateKey) (*x509.
 	return kubeCACert, rootKey, nil
 }
 
-func GetIPHostAltnamesForHost(host *hosts.Host) *cert.AltNames {
-	ips := []net.IP{}
-	dnsNames := []string{}
-	// Check if node address is a valid IP
-	if nodeIP := net.ParseIP(host.Address); nodeIP != nil {
-		ips = append(ips, nodeIP)
-	} else {
-		dnsNames = append(dnsNames, host.Address)
-	}
-
-	// Check if node internal address is a valid IP
-	if len(host.InternalAddress) != 0 && host.InternalAddress != host.Address {
-		if internalIP := net.ParseIP(host.InternalAddress); internalIP != nil {
-			ips = append(ips, internalIP)
-		} else {
-			dnsNames = append(dnsNames, host.InternalAddress)
-		}
-	}
-	// Add hostname to the ALT dns names
-	if len(host.HostnameOverride) != 0 && host.HostnameOverride != host.Address {
-		dnsNames = append(dnsNames, host.HostnameOverride)
-	}
-	return &cert.AltNames{
-		IPs:      ips,
-		DNSNames: dnsNames,
-	}
-}
-
 func GetAltNames(cpHosts []*hosts.Host, clusterDomain string, KubernetesServiceIP net.IP, SANs []string) *cert.AltNames {
 	ips := []net.IP{}
 	dnsNames := []string{}
@@ -253,9 +225,9 @@ func getConfigEnvFromEnv(env string) string {
 	return fmt.Sprintf("KUBECFG_%s", env)
 }
 
-func GetCrtNameForAddress(address string, prefix string) string {
+func GetEtcdCrtName(address string) string {
 	newAddress := strings.Replace(address, ".", "-", -1)
-	return fmt.Sprintf("%s-%s", prefix, newAddress)
+	return fmt.Sprintf("%s-%s", EtcdCertName, newAddress)
 }
 
 func GetCertPath(name string) string {
@@ -308,7 +280,7 @@ func ToCertObject(componentName, commonName, ouName string, certificate *x509.Ce
 		})
 	}
 
-	if componentName != CACertName && componentName != KubeAPICertName && !strings.Contains(componentName, EtcdCertName) && !strings.Contains(componentName, KubeletCertName) && componentName != ServiceAccountTokenKeyName {
+	if componentName != CACertName && componentName != KubeAPICertName && !strings.Contains(componentName, EtcdCertName) && componentName != ServiceAccountTokenKeyName {
 		config = getKubeConfigX509("https://127.0.0.1:6443", "local", componentName, caCertPath, path, keyPath)
 		configPath = GetConfigPath(componentName)
 		configEnvName = getConfigEnvFromEnv(envName)
@@ -338,39 +310,42 @@ func getDefaultCN(name string) string {
 	return fmt.Sprintf("system:%s", name)
 }
 
-func getCertKeys(rkeNodes []v3.RKEConfigNode, nodeRole string) []string {
-	// static certificates each node needs
-	certList := []string{CACertName, KubeProxyCertName, KubeNodeCertName}
-	allHosts := hosts.NodesToHosts(rkeNodes, "")
-	for _, host := range allHosts {
-		// Add per node kubelet certificates (used for kube-api -> kubelet connection)
-		certList = append(certList, GetCrtNameForAddress(host.InternalAddress, KubeletCertName))
+func getControlCertKeys() []string {
+	return []string{
+		CACertName,
+		KubeAPICertName,
+		ServiceAccountTokenKeyName,
+		KubeControllerCertName,
+		KubeSchedulerCertName,
+		KubeProxyCertName,
+		KubeNodeCertName,
+		EtcdClientCertName,
+		EtcdClientCACertName,
+		RequestHeaderCACertName,
+		APIProxyClientCertName,
 	}
-	// etcd
-	if nodeRole == etcdRole {
-		etcdHosts := hosts.NodesToHosts(rkeNodes, nodeRole)
-		for _, host := range etcdHosts {
-			certList = append(certList, GetCrtNameForAddress(host.InternalAddress, EtcdCertName))
-		}
-		return certList
+}
+
+func getWorkerCertKeys() []string {
+	return []string{
+		CACertName,
+		KubeProxyCertName,
+		KubeNodeCertName,
 	}
-	// control
-	if nodeRole == controlRole {
-		controlCertList := []string{
-			KubeAPICertName,
-			ServiceAccountTokenKeyName,
-			KubeControllerCertName,
-			KubeSchedulerCertName,
-			EtcdClientCertName,
-			EtcdClientCACertName,
-			RequestHeaderCACertName,
-			APIProxyClientCertName,
-		}
-		certList = append(certList, controlCertList...)
-		return certList
+}
+
+func getEtcdCertKeys(rkeNodes []v3.RKEConfigNode, etcdRole string) []string {
+	certList := []string{
+		CACertName,
+		KubeProxyCertName,
+		KubeNodeCertName,
+	}
+	etcdHosts := hosts.NodesToHosts(rkeNodes, etcdRole)
+	for _, host := range etcdHosts {
+		certList = append(certList, GetEtcdCrtName(host.InternalAddress))
 	}
-	// worker
 	return certList
+
 }
 
 func GetKubernetesServiceIP(serviceClusterRange string) (net.IP, error) {
@@ -432,7 +407,7 @@ func populateCertMap(tmpCerts map[string]CertificatePKI, localConfigPath string,
 	certs[KubeAdminCertName] = kubeAdminCertObj
 	// etcd
 	for _, host := range extraHosts {
-		etcdName := GetCrtNameForAddress(host.InternalAddress, EtcdCertName)
+		etcdName := GetEtcdCrtName(host.InternalAddress)
 		etcdCrt, etcdKey := tmpCerts[etcdName].Certificate, tmpCerts[etcdName].Key
 		certs[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey, nil)
 	}
@@ -735,7 +710,7 @@ func ValidateBundleContent(rkeConfig *v3.RancherKubernetesEngineConfig, certBund
 	}
 	etcdHosts := hosts.NodesToHosts(rkeConfig.Nodes, etcdRole)
 	for _, host := range etcdHosts {
-		etcdName := GetCrtNameForAddress(host.InternalAddress, EtcdCertName)
+		etcdName := GetEtcdCrtName(host.InternalAddress)
 		if certBundle[etcdName].Certificate == nil || certBundle[etcdName].Key == nil {
 			return fmt.Errorf("Failed to find etcd [%s] Certificate or Key", etcdName)
 		}
@@ -772,7 +747,7 @@ func validateCAIssuer(rkeConfig *v3.RancherKubernetesEngineConfig, certBundle ma
 	}
 	etcdHosts := hosts.NodesToHosts(rkeConfig.Nodes, etcdRole)
 	for _, host := range etcdHosts {
-		etcdName := GetCrtNameForAddress(host.InternalAddress, EtcdCertName)
+		etcdName := GetEtcdCrtName(host.InternalAddress)
 		ComponentsCerts = append(ComponentsCerts, etcdName)
 	}
 	for _, componentCert := range ComponentsCerts {