tls: switch to self-signed admin.kubeconfig

The KAS now trusts the admin.kubeconfig client cert.
We can remove the old kube-ca signed admin.kubeconfig to more
appropriately scope trust.

Author: deads2k

pkg/asset/ignition/bootstrap/bootstrap.go

@@ -62,7 +62,6 @@ var _ asset.WritableAsset = (*Bootstrap)(nil)
 func (a *Bootstrap) Dependencies() []asset.Asset {
 	return []asset.Asset{
 		&installconfig.InstallConfig{},
-		&kubeconfig.Admin{},
 		&kubeconfig.AdminClient{},
 		&kubeconfig.Kubelet{},
 		&kubeconfig.KubeletClient{},
@@ -373,7 +372,6 @@ func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
 	}
 
 	for _, asset := range []asset.WritableAsset{
-		&kubeconfig.Admin{},
 		&kubeconfig.AdminClient{},
 		&kubeconfig.Kubelet{},
 		&kubeconfig.KubeletClient{},

pkg/asset/kubeconfig/admin.go

@@ -9,53 +9,9 @@ import (
 )
 
 var (
-	kubeconfigAdminPath       = filepath.Join("auth", "kubeconfig")
-	kubeconfigAdminClientPath = filepath.Join("auth", "kubeconfig-admin")
+	kubeconfigAdminPath = filepath.Join("auth", "kubeconfig")
 )
 
-// Admin is the asset for the admin kubeconfig.
-// [DEPRECATED]
-type Admin struct {
-	kubeconfig
-}
-
-var _ asset.WritableAsset = (*Admin)(nil)
-
-// Dependencies returns the dependency of the kubeconfig.
-func (k *Admin) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&tls.KubeCA{},
-		&tls.AdminCertKey{},
-		&installconfig.InstallConfig{},
-	}
-}
-
-// Generate generates the kubeconfig.
-func (k *Admin) Generate(parents asset.Parents) error {
-	kubeCA := &tls.KubeCA{}
-	adminCertKey := &tls.AdminCertKey{}
-	installConfig := &installconfig.InstallConfig{}
-	parents.Get(kubeCA, adminCertKey, installConfig)
-
-	return k.kubeconfig.generate(
-		kubeCA,
-		adminCertKey,
-		installConfig.Config,
-		"admin",
-		kubeconfigAdminPath,
-	)
-}
-
-// Name returns the human-friendly name of the asset.
-func (k *Admin) Name() string {
-	return "Kubeconfig Admin"
-}
-
-// Load returns the kubeconfig from disk.
-func (k *Admin) Load(f asset.FileFetcher) (found bool, err error) {
-	return k.load(f, kubeconfigAdminPath)
-}
-
 // AdminClient is the asset for the admin kubeconfig.
 type AdminClient struct {
 	kubeconfig
@@ -84,7 +40,7 @@ func (k *AdminClient) Generate(parents asset.Parents) error {
 		clientCertKey,
 		installConfig.Config,
 		"admin",
-		kubeconfigAdminClientPath,
+		kubeconfigAdminPath,
 	)
 }
 
@@ -95,5 +51,5 @@ func (k *AdminClient) Name() string {
 
 // Load returns the kubeconfig from disk.
 func (k *AdminClient) Load(f asset.FileFetcher) (found bool, err error) {
-	return k.load(f, kubeconfigAdminClientPath)
+	return k.load(f, kubeconfigAdminPath)
 }

pkg/asset/targets/targets.go

@@ -48,7 +48,7 @@ var (
 
 	// IgnitionConfigs are the ignition-configs targeted assets.
 	IgnitionConfigs = []asset.WritableAsset{
-		&kubeconfig.Admin{},
+		&kubeconfig.AdminClient{},
 		&machine.Master{},
 		&machine.Worker{},
 		&bootstrap.Bootstrap{},
@@ -58,7 +58,7 @@ var (
 	// Cluster are the cluster targeted assets.
 	Cluster = []asset.WritableAsset{
 		&cluster.TerraformVariables{},
-		&kubeconfig.Admin{},
+		&kubeconfig.AdminClient{},
 		&tls.JournalCertKey{},
 		&cluster.Metadata{},
 		&cluster.Cluster{},

pkg/asset/tls/adminkubeconfig.go

@@ -7,43 +7,6 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 )
 
-//AdminCertKey is the asset that generates the admin key/cert pair.
-// [DEPRECATED]
-type AdminCertKey struct {
-	SignedCertKey
-}
-
-var _ asset.WritableAsset = (*AdminCertKey)(nil)
-
-// Dependencies returns the dependency of the the cert/key pair, which includes
-// the parent CA, and install config if it depends on the install config for
-// DNS names, etc.
-func (a *AdminCertKey) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&KubeCA{},
-	}
-}
-
-// Generate generates the cert/key pair based on its dependencies.
-func (a *AdminCertKey) Generate(dependencies asset.Parents) error {
-	kubeCA := &KubeCA{}
-	dependencies.Get(kubeCA)
-
-	cfg := &CertCfg{
-		Subject:      pkix.Name{CommonName: "system:admin", Organization: []string{"system:masters"}},
-		KeyUsages:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		Validity:     ValidityTenYears,
-	}
-
-	return a.SignedCertKey.Generate(cfg, kubeCA, "admin", DoNotAppendParent)
-}
-
-// Name returns the human-friendly name of the asset.
-func (a *AdminCertKey) Name() string {
-	return "Certificate (system:admin)"
-}
-
 // AdminKubeConfigSignerCertKey is a key/cert pair that signs the admin kubeconfig client certs.
 type AdminKubeConfigSignerCertKey struct {
 	SelfSignedCertKey