Fix node join post-1.13 (kubernetes-sigs#446)

.gitignore

@@ -23,6 +23,7 @@
 envfile
 
 # kubeconfigs
+kind.kubeconfig
 minikube.kubeconfig
 kubeconfig
 

pkg/cloud/aws/services/certificates/certificates.go

@@ -16,13 +16,16 @@ package certificates
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"math"
 	"math/big"
 	"net"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
@@ -222,3 +225,14 @@ func DecodePrivateKeyPEM(encoded []byte) (*rsa.PrivateKey, error) {
 
 	return x509.ParsePKCS1PrivateKey(block.Bytes)
 }
+
+// GenerateCertificateHash returns the encoded sha256 hash for the certificate provided
+func GenerateCertificateHash(encoded []byte) (string, error) {
+	cert, err := DecodeCertPEM(encoded)
+	if err != nil || cert == nil {
+		return "", errors.Errorf("failed to parse PEM block containing the public key")
+	}
+
+	certHash := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
+	return "sha256:" + strings.ToLower(hex.EncodeToString(certHash[:])), nil
+}

pkg/cloud/aws/services/ec2/BUILD

@@ -26,6 +26,7 @@ go_library(
         "//pkg/cloud/aws/converters:go_default_library",
         "//pkg/cloud/aws/filter:go_default_library",
         "//pkg/cloud/aws/services/awserrors:go_default_library",
+        "//pkg/cloud/aws/services/certificates:go_default_library",
         "//pkg/cloud/aws/services/userdata:go_default_library",
         "//pkg/cloud/aws/services/wait:go_default_library",
         "//pkg/cloud/aws/tags:go_default_library",

pkg/cloud/aws/services/ec2/instances.go

@@ -16,21 +16,19 @@ package ec2
 import (
 	"encoding/base64"
 
-	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/actuators"
-	"sigs.k8s.io/cluster-api-provider-aws/pkg/record"
-
-	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/filter"
-	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/tags"
-
-	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/converters"
-
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/pkg/errors"
 	"k8s.io/klog"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/apis/awsprovider/v1alpha1"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/actuators"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/converters"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/filter"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/awserrors"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/certificates"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/userdata"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/tags"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/record"
 )
 
 // InstanceByTags returns the existing instance or nothing if it doesn't exist.
@@ -90,7 +88,7 @@ func (s *Service) InstanceIfExists(id string) (*v1alpha1.Instance, error) {
 }
 
 // createInstance runs an ec2 instance.
-func (s *Service) createInstance(machine *actuators.MachineScope, token string) (*v1alpha1.Instance, error) {
+func (s *Service) createInstance(machine *actuators.MachineScope, bootstrapToken string) (*v1alpha1.Instance, error) {
 	klog.V(2).Infof("Creating a new instance for machine %q", machine.Name())
 
 	input := &v1alpha1.Instance{
@@ -174,9 +172,14 @@ func (s *Service) createInstance(machine *actuators.MachineScope, token string)
 	if machine.Role() == "node" {
 		input.SecurityGroupIDs = append(input.SecurityGroupIDs, s.scope.SecurityGroups()[v1alpha1.SecurityGroupNode].ID)
 
+		caCertHash, err := certificates.GenerateCertificateHash(s.scope.ClusterConfig.CACertificate)
+		if err != nil {
+			return input, err
+		}
+
 		userData, err := userdata.NewNode(&userdata.NodeInput{
-			CACert:         string(s.scope.ClusterConfig.CACertificate),
-			BootstrapToken: token,
+			CACertHash:     caCertHash,
+			BootstrapToken: bootstrapToken,
 			ELBAddress:     s.scope.Network().APIServerELB.DNSName,
 		})
 
@@ -242,7 +245,7 @@ func (s *Service) TerminateInstanceAndWait(instanceID string) error {
 }
 
 // CreateOrGetMachine will either return an existing instance or create and return an instance.
-func (s *Service) CreateOrGetMachine(machine *actuators.MachineScope, token string) (*v1alpha1.Instance, error) {
+func (s *Service) CreateOrGetMachine(machine *actuators.MachineScope, bootstrapToken string) (*v1alpha1.Instance, error) {
 	klog.V(2).Infof("Attempting to create or get machine %q", machine.Name())
 
 	// instance id exists, try to get it
@@ -265,7 +268,7 @@ func (s *Service) CreateOrGetMachine(machine *actuators.MachineScope, token stri
 		return instance, nil
 	}
 
-	return s.createInstance(machine, token)
+	return s.createInstance(machine, bootstrapToken)
 }
 
 func (s *Service) runInstance(role string, i *v1alpha1.Instance) (*v1alpha1.Instance, error) {

pkg/cloud/aws/services/userdata/node.go

@@ -16,22 +16,6 @@ package userdata
 const (
 	nodeBashScript = `{{.Header}}
 
-certificate=$(echo '{{.CACert}}' | base64 -w0)
-
-cat >/tmp/cluster-info.yaml <<EOF
-apiVersion: v1
-clusters:
-- cluster:
-    certificate-authority-data: ${certificate}
-    server: https://{{.ELBAddress}}:6443
-  name: ""
-contexts: []
-current-context: ""
-kind: Config
-preferences: {}
-users: []
-EOF
-
 HOSTNAME="$(curl http://169.254.169.254/latest/meta-data/local-hostname)"
 
 cat >/tmp/kubeadm-node.yaml <<EOF
@@ -42,8 +26,8 @@ discovery:
   bootstrapToken:
     token: "{{.BootstrapToken}}"
     apiServerEndpoint: "{{.ELBAddress}}:6443"
-  file:
-    kubeConfigPath: /tmp/cluster-info.yaml
+    caCertHashes:
+      - "{{.CACertHash}}"
 nodeRegistration:
   name: "${HOSTNAME}"
   criSocket: /var/run/containerd/containerd.sock
@@ -59,7 +43,7 @@ kubeadm join --config /tmp/kubeadm-node.yaml
 type NodeInput struct {
 	baseUserData
 
-	CACert         string
+	CACertHash     string
 	BootstrapToken string
 	ELBAddress     string
 }