Only upload kubeadm certs if key is rotated

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>

bootstrapper/internal/kubernetes/k8sapi/util.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
 	"go.uber.org/zap"
-	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 )
 
 const (
@@ -23,10 +22,7 @@ const (
 	kubeletStartTimeout = 10 * time.Minute
 )
 
-var (
-	kubernetesKeyRegexp = regexp.MustCompile("[a-f0-9]{64}")
-	providerIDRegex     = regexp.MustCompile(`^azure:///subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft.Compute/virtualMachineScaleSets/([^/]+)/virtualMachines/([^/]+)$`)
-)
+var providerIDRegex = regexp.MustCompile(`^azure:///subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft.Compute/virtualMachineScaleSets/([^/]+)/virtualMachines/([^/]+)$`)
 
 // Client provides the functionality of `kubectl apply`.
 type Client interface {
@@ -35,28 +31,12 @@ type Client interface {
 	// TODO: add tolerations
 }
 
-type ClusterUtil interface {
-	InstallComponents(ctx context.Context, version string) error
-	InitCluster(initConfig []byte) error
-	JoinCluster(joinConfig []byte) error
-	SetupPodNetwork(kubectl Client, podNetworkConfiguration resources.Marshaler) error
-	SetupAccessManager(kubectl Client, accessManagerConfiguration resources.Marshaler) error
-	SetupAutoscaling(kubectl Client, clusterAutoscalerConfiguration resources.Marshaler, secrets resources.Marshaler) error
-	SetupCloudControllerManager(kubectl Client, cloudControllerManagerConfiguration resources.Marshaler, configMaps resources.Marshaler, secrets resources.Marshaler) error
-	SetupCloudNodeManager(kubectl Client, cloudNodeManagerConfiguration resources.Marshaler) error
-	SetupKMS(kubectl Client, kmsConfiguration resources.Marshaler) error
-	StartKubelet() error
-	RestartKubelet() error
-	GetControlPlaneJoinCertificateKey() (string, error)
-	CreateJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscovery, error)
-}
-
 // KubernetesUtil provides low level management of the kubernetes cluster.
 type KubernetesUtil struct {
 	inst installer
 }
 
-// NewKubernetesUtils creates a new KubernetesUtil.
+// NewKubernetesUtil creates a new KubernetesUtil.
 func NewKubernetesUtil() *KubernetesUtil {
 	return &KubernetesUtil{
 		inst: newOSInstaller(),
@@ -91,7 +71,6 @@ func (k *KubernetesUtil) InitCluster(ctx context.Context, initConfig []byte, log
 	if err != nil {
 		return fmt.Errorf("creating init config file %v: %w", initConfigFile.Name(), err)
 	}
-	// defer os.Remove(initConfigFile.Name())
 
 	if _, err := initConfigFile.Write(initConfig); err != nil {
 		return fmt.Errorf("writing kubeadm init yaml config %v: %w", initConfigFile.Name(), err)
@@ -296,7 +275,6 @@ func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, log
 	if err != nil {
 		return fmt.Errorf("creating join config file %v: %w", joinConfigFile.Name(), err)
 	}
-	// defer os.Remove(joinConfigFile.Name())
 
 	if _, err := joinConfigFile.Write(joinConfig); err != nil {
 		return fmt.Errorf("writing kubeadm init yaml config %v: %w", joinConfigFile.Name(), err)
@@ -333,40 +311,3 @@ func (k *KubernetesUtil) RestartKubelet() error {
 	defer cancel()
 	return restartSystemdUnit(ctx, "kubelet.service")
 }
-
-// GetControlPlaneJoinCertificateKey return the key which can be used in combination with the joinArgs
-// to join the Cluster as control-plane.
-func (k *KubernetesUtil) GetControlPlaneJoinCertificateKey(ctx context.Context) (string, error) {
-	// Key will be valid for 1h (no option to reduce the duration).
-	// https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-upload-certs
-	output, err := exec.CommandContext(ctx, kubeadmPath, "init", "phase", "upload-certs", "--upload-certs").Output()
-	if err != nil {
-		var exitErr *exec.ExitError
-		if errors.As(err, &exitErr) {
-			return "", fmt.Errorf("kubeadm upload-certs failed (code %v) with: %s (full err: %s)", exitErr.ExitCode(), exitErr.Stderr, err)
-		}
-		return "", fmt.Errorf("kubeadm upload-certs: %w", err)
-	}
-	// Example output:
-	/*
-		[upload-certs] Storing the certificates in ConfigMap "kubeadm-certs" in the "kube-system" Namespace
-		[upload-certs] Using certificate key:
-		9555b74008f24687eb964bd90a164ecb5760a89481d9c55a77c129b7db438168
-	*/
-	key := kubernetesKeyRegexp.FindString(string(output))
-	if key == "" {
-		return "", fmt.Errorf("failed to parse kubeadm output: %s", string(output))
-	}
-	return key, nil
-}
-
-// CreateJoinToken creates a new bootstrap (join) token.
-func (k *KubernetesUtil) CreateJoinToken(ctx context.Context, ttl time.Duration) (*kubeadm.BootstrapTokenDiscovery, error) {
-	output, err := exec.CommandContext(ctx, kubeadmPath, "token", "create", "--ttl", ttl.String(), "--print-join-command").Output()
-	if err != nil {
-		return nil, fmt.Errorf("kubeadm token create: %w", err)
-	}
-	// `kubeadm token create [...] --print-join-command` outputs the following format:
-	// kubeadm join [API_SERVER_ENDPOINT] --token [TOKEN] --discovery-token-ca-cert-hash [DISCOVERY_TOKEN_CA_CERT_HASH]
-	return ParseJoinCommand(string(output))
-}