apiserver: Use private key for service-account-key-file

For the apiserver flag `--service-account-key-file` we use to provide
public service-account key. Now this commit provides the private
service-account key, the same as the one provided to
`--service-account-signing-key-file`.

Since there is no need of the public key this commit also removes the
whole pipeline that embedded the public key into the kube-apiserver
secret.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

Author: surajssd

assets/charts/control-plane/kube-apiserver/templates/_helpers.tpl

@@ -39,7 +39,7 @@
         - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --secure-port=6443
-        - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+        - --service-account-key-file=/etc/kubernetes/secrets/service-account.key
         - --service-account-signing-key-file=/etc/kubernetes/secrets/service-account.key
         - --service-account-issuer=https://kubernetes.default.svc
         - --service-cluster-ip-range={{ .Values.apiserver.serviceCIDR }}

assets/charts/control-plane/kube-apiserver/templates/kube-apiserver-secret.yaml

@@ -1,7 +1,6 @@
 {{- define "secrets" }}
   apiserver.key: "{{ .Values.apiserver.apiserverKey }}"
   apiserver.crt: "{{ .Values.apiserver.apiserverCert }}"
-  service-account.pub: "{{ .Values.apiserver.serviceAccountPub }}"
   service-account.key: "{{ .Values.apiserver.serviceAccountPrivate }}"
   ca.crt: "{{ .Values.apiserver.caCert }}"
   etcd-client-ca.crt: "{{ .Values.apiserver.etcdClientCaCert }}"

assets/charts/control-plane/kube-apiserver/values.yaml

@@ -1,7 +1,6 @@
 apiserver:
   apiserverKey:
   apiserverCert:
-  serviceAccountPub:
   serviceAccountPrivate:
   caCert:
   etcdClientCaCert:

assets/terraform-modules/bootkube/assets.tf

@@ -39,7 +39,6 @@ resource "local_file" "kube-apiserver" {
     ca_cert                 = base64encode(tls_self_signed_cert.kube-ca.cert_pem)
     apiserver_key           = base64encode(tls_private_key.apiserver.private_key_pem)
     apiserver_cert          = base64encode(tls_locally_signed_cert.apiserver.cert_pem)
-    serviceaccount_pub      = base64encode(tls_private_key.service-account.public_key_pem)
     serviceaccount_private  = base64encode(tls_private_key.service-account.private_key_pem)
     etcd_ca_cert            = base64encode(tls_self_signed_cert.etcd-ca.cert_pem)
     etcd_client_cert        = base64encode(tls_locally_signed_cert.client.cert_pem)

assets/terraform-modules/bootkube/resources/bootstrap-manifests/bootstrap-apiserver.yaml

@@ -38,7 +38,7 @@ spec:
     - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
     - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
     - --secure-port=6443
-    - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+    - --service-account-key-file=/etc/kubernetes/secrets/service-account.key
     - --service-account-signing-key-file=/etc/kubernetes/secrets/service-account.key
     - --service-account-issuer=https://kubernetes.default.svc
     - --service-cluster-ip-range=${service_cidr}

assets/terraform-modules/bootkube/resources/charts/kube-apiserver.yaml

@@ -1,7 +1,6 @@
 apiserver:
   apiserverKey: ${apiserver_key}
   apiserverCert: ${apiserver_cert}
-  serviceAccountPub: ${serviceaccount_pub}
   serviceAccountPrivate: ${serviceaccount_private}
   caCert: ${ca_cert}
   etcdClientCaCert: ${etcd_ca_cert}