From 8310ed5d3f4afeaa3fd9c2706d0f92f43183952b Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Fri, 3 Mar 2023 18:43:50 +0100
Subject: [PATCH 1/2] OCPBUGS-8301: Use correct CAs in kubeconfig files

---
 pkg/cmd/init.go | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 01db0bd4f9..04c268d9c8 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -341,7 +341,6 @@ func certSetup(cfg *config.MicroshiftConfig) (*certchains.CertificateChains, err
 		[]string{"kubelet-signer", "kube-csr-signer"},
 	).WithCABundle(
 		cryptomaterial.ServiceAccountTokenCABundlePath(certsDir),
-		[]string{"kube-apiserver-external-signer"},
 		[]string{"kube-apiserver-localhost-signer"},
 		[]string{"kube-apiserver-service-network-signer"},
 	).Complete()
@@ -370,9 +369,13 @@ func initKubeconfigs(
 	cfg *config.MicroshiftConfig,
 	certChains *certchains.CertificateChains,
 ) error {
-	inClusterTrustBundlePEM, err := os.ReadFile(cryptomaterial.ServiceAccountTokenCABundlePath(cryptomaterial.CertsDirectory(microshiftDataDir)))
+	externalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerExternalSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
 	if err != nil {
-		return fmt.Errorf("failed to load the in-cluster trust bundle: %v", err)
+		return fmt.Errorf("failed to load the external trust signer: %v", err)
+	}
+	internalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerLocalhostSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
+	if err != nil {
+		return fmt.Errorf("failed to load the internal trust signer: %v", err)
 	}
 	adminKubeconfigCertPEM, adminKubeconfigKeyPEM, err := certChains.GetCertKey("admin-kubeconfig-signer", "admin-kubeconfig-client")
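Review bot: Removing kube-apiserver-external-signer from the WithCABundle call in certSetup narrows what the service-account token CA bundle trusts: an in-cluster client that reaches the API server through the external address (a SAN or node-name host) would presumably no longer be able to verify it, since the bundle now carries only the localhost and service-network signers. If that is the intent — in-cluster traffic always goes via the service network or localhost — a comment on the call stating which endpoints this bundle is meant to cover would make the trust split explicit, e.g. `// in-cluster clients reach the API server only via the service network or localhost; the external signer is intentionally not trusted here`. certSetup starts and ends outside the hunk.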
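Review bot: The two new os.ReadFile calls in initKubeconfigs evaluate `cryptomaterial.CertsDirectory(microshiftDataDir)` twice inside three levels of nested calls, and the error messages say "trust signer" although what is loaded is the signer's CA certificate, which will mislead whoever reads the log. Hoisting the directory into a local and naming the artifact reads more clearly: `certsDir := cryptomaterial.CertsDirectory(microshiftDataDir)`, `externalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerExternalSigner(certsDir)))`, `return fmt.Errorf("failed to load the external API server signer CA certificate: %v", err)`. Note also that each kubeconfig now pins a single signer CA certificate instead of a bundle, so rotating either signer would presumably invalidate previously generated kubeconfigs until they are regenerated — worth a comment if that is accepted. initKubeconfigs continues outside the hunk.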
@@ -390,12 +393,12 @@ func initKubeconfigs(
 	}
 	// Generate one kubeconfigs per name
-	for _, name := range append(cfg.SubjectAltNames, cfg.NodeName, "localhost") {
+	for _, name := range append(cfg.SubjectAltNames, cfg.NodeName) {
 		u.Host = fmt.Sprintf("%s:%d", name, apiServerPort)
 		if err := util.KubeConfigWithClientCerts(
 			cfg.KubeConfigAdminPath(name),
 			u.String(),
-			inClusterTrustBundlePEM,
+			externalTrustPEM,
 			adminKubeconfigCertPEM,
 			adminKubeconfigKeyPEM,
 		); err != nil {
@@ -406,7 +409,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.KubeAdmin),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		adminKubeconfigCertPEM,
 		adminKubeconfigKeyPEM,
 	); err != nil {
@@ -420,7 +423,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.KubeControllerManager),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		kcmCertPEM,
 		kcmKeyPEM,
 	); err != nil {
@@ -434,7 +437,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.KubeScheduler),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		schedulerCertPEM, schedulerKeyPEM,
 	); err != nil {
 		return err
@@ -447,7 +450,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.Kubelet),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		kubeletCertPEM, kubeletKeyPEM,
 	); err != nil {
 		return err
@@ -459,7 +462,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.ClusterPolicyController),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		clusterPolicyControllerCertPEM, clusterPolicyControllerKeyPEM,
 	); err != nil {
 		return err
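Review bot: `append(cfg.SubjectAltNames, cfg.NodeName)` in the rewritten range header appends into the slice owned by cfg; when SubjectAltNames has spare capacity the node name is written into its backing array, and a later append to cfg.SubjectAltNames elsewhere would silently clobber it. The removed line had the same shape, but since the line is being touched, building a fresh list avoids the aliasing: `names := append(append([]string(nil), cfg.SubjectAltNames...), cfg.NodeName)` followed by `for _, name := range names {`. A SAN equal to NodeName would also generate the same kubeconfig path twice, presumably harmlessly since the second write overwrites the first. The loop body and initKubeconfigs continue outside the hunk.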
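Review bot: The root kubeadmin kubeconfig here, and the component kubeconfigs in the -420, -434, -447, -459 and -472 hunks, now embed the localhost signer's CA (internalTrustPEM) while pointing at cfg.Cluster.URL, and the companion docs change says that URL only "defaults to localhost", which implies it is configurable. If Cluster.URL can be set to a non-localhost address, those kubeconfigs would carry a CA that does not issue the certificate served at that address, so every component's TLS verification would fail at startup — a safe failure, but a hard one to diagnose from a generic x509 error. Either validate that cfg.Cluster.URL names a localhost host before pairing it with internalTrustPEM, or pick the CA from the URL's host, and record the coupling next to the first use: `// Cluster.URL is served by the localhost signer; a non-localhost URL would need the external signer's CA instead`. The enclosing function continues outside the hunk.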
@@ -472,7 +475,7 @@ func initKubeconfigs(
 	if err := util.KubeConfigWithClientCerts(
 		cfg.KubeConfigPath(config.RouteControllerManager),
 		cfg.Cluster.URL,
-		inClusterTrustBundlePEM,
+		internalTrustPEM,
 		routeControllerManagerCertPEM, routeControllerManagerKeyPEM,
 	); err != nil {
 		return err

From ce993efd6cb650aa9a3cc0e365b48b45026114e7 Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Mon, 6 Mar 2023 10:59:01 +0100
Subject: [PATCH 2/2] OCPBUGS-8301: Update docs

---
 docs/openshift_ci.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docs/openshift_ci.md b/docs/openshift_ci.md
index 89db4b72ab..c348a73c95 100644
--- a/docs/openshift_ci.md
+++ b/docs/openshift_ci.md
@@ -31,8 +31,6 @@ MicroShift generates a set of kubeconfig files in default configuration:
 # tree /var/lib/microshift/resources/kubeadmin/
 /var/lib/microshift/resources/kubeadmin/
 ├── kubeconfig
-├── localhost
-│   └── kubeconfig
 ├── microshift-dev
 │   └── kubeconfig
 └── microshift-dev.localdomain
@@ -40,7 +38,7 @@ MicroShift generates a set of kubeconfig files in default configuration:
 3 directories, 4 files
 ```
 
-Using default configuration there is a kubeconfig for each of the subject alternative names, localhost, and the one at the root directory which is using the cluster URL. If cluster URL is not using localhost then all these files are not generated.
+Using default configuration there is a kubeconfig for each of the subject alternative names and the one at the root directory which is using the cluster URL, which defaults to localhost.
 
 Having a DNS (or simply changing `/etc/hosts`) we have to select which of the kubeconfig files we need to use according to it. In this case we may copy the `microshift-dev` kubeconfig to our local environment and we will be able to use `oc`:
 ```