Address Code Review and Update Endpoint Structs

go.mod

@@ -3,7 +3,7 @@ module github.com/canonical/cluster-api-k8s
 go 1.22.6
 
 require (
-	github.com/canonical/k8s-snap-api v1.0.8
+	github.com/canonical/k8s-snap-api v1.0.10
 	github.com/go-logr/logr v1.4.1
 	github.com/google/uuid v1.4.0
 	github.com/onsi/ginkgo v1.16.5
@@ -119,7 +119,7 @@ require (
 	golang.org/x/mod v0.19.0
 	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sync v0.8.0
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -29,8 +29,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/canonical/k8s-snap-api v1.0.8 h1:W360Y4ulkAdCdQqbfQ7zXs3/Ty8SWENO3/Bzz8ZAEPE=
-github.com/canonical/k8s-snap-api v1.0.8/go.mod h1:LDPoIYCeYnfgOFrwVPJ/4edGU264w7BB7g0GsVi36AY=
+github.com/canonical/k8s-snap-api v1.0.10 h1:BoAw4Vr8mR8MWTKeZZxH5LmrF3JYGSZHDv+KEo5ifoU=
+github.com/canonical/k8s-snap-api v1.0.10/go.mod h1:LDPoIYCeYnfgOFrwVPJ/4edGU264w7BB7g0GsVi36AY=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
@@ -359,8 +359,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

pkg/ck8s/workload_cluster.go

@@ -228,9 +228,7 @@ func (w *Workload) GetCertificatesExpiryDate(ctx context.Context, machine *clust
 	request := apiv1.CertificatesExpiryRequest{}
 	response := &apiv1.CertificatesExpiryResponse{}
 
-	header := map[string][]string{
-		"node-token": {nodeToken},
-	}
+	header := w.newHeaderWithNodeToken(nodeToken)
 	k8sdProxy, err := w.GetK8sdProxyForMachine(ctx, machine)
 	if err != nil {
 		return "", fmt.Errorf("failed to create k8sd proxy: %w", err)
@@ -243,23 +241,15 @@ func (w *Workload) GetCertificatesExpiryDate(ctx context.Context, machine *clust
 	return response.ExpiryDate, nil
 }
 
-type ApproveWorkerCSRRequest struct {
-	Seed int `json:"seed"`
-}
-
-type ApproveWorkerCSRResponse struct{}
-
-func (w *Workload) ApproveCertificates(ctx context.Context, machine *clusterv1.Machine, capiToken string, seed int) error {
-	request := ApproveWorkerCSRRequest{}
-	response := &ApproveWorkerCSRResponse{}
+func (w *Workload) ApproveCertificates(ctx context.Context, machine *clusterv1.Machine, seed int) error {
+	request := apiv1.ClusterAPIApproveWorkerCSRRequest{}
+	response := &apiv1.ClusterAPIApproveWorkerCSRResponse{}
 	k8sdProxy, err := w.GetK8sdProxyForControlPlane(ctx, k8sdProxyOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to create k8sd proxy: %w", err)
 	}
 
-	header := map[string][]string{
-		"capi-auth-token": {w.authToken},
-	}
+	header := w.newHeaderWithCAPIAuthToken()
 
 	if err := w.doK8sdRequest(ctx, k8sdProxy, http.MethodPost, "1.0/x/capi/refresh-certs/approve", header, request, response); err != nil {
 		return fmt.Errorf("failed to approve certificates: %w", err)
@@ -272,9 +262,7 @@ func (w *Workload) refreshCertificatesPlan(ctx context.Context, machine *cluster
 	planRequest := apiv1.ClusterAPICertificatesPlanRequest{}
 	planResponse := &apiv1.ClusterAPICertificatesPlanResponse{}
 
-	header := map[string][]string{
-		"node-token": {nodeToken},
-	}
+	header := w.newHeaderWithNodeToken(nodeToken)
 
 	k8sdProxy, err := w.GetK8sdProxyForMachine(ctx, machine)
 	if err != nil {
@@ -290,9 +278,7 @@ func (w *Workload) refreshCertificatesPlan(ctx context.Context, machine *cluster
 
 func (w *Workload) refreshCertificatesRun(ctx context.Context, machine *clusterv1.Machine, nodeToken string, request *apiv1.ClusterAPICertificatesRunRequest) (int, error) {
 	runResponse := &apiv1.ClusterAPICertificatesRunResponse{}
-	header := map[string][]string{
-		"node-token": {nodeToken},
-	}
+	header := w.newHeaderWithNodeToken(nodeToken)
 
 	k8sdProxy, err := w.GetK8sdProxyForMachine(ctx, machine)
 	if err != nil {
@@ -306,6 +292,18 @@ func (w *Workload) refreshCertificatesRun(ctx context.Context, machine *clusterv
 	return runResponse.ExpirationSeconds, nil
 }
 
+// RefreshWorkerCertificates approves the worker node CSR and refreshes the certificates.
+// The certificate approval process follows these steps:
+// 1. The CAPI provider calls the /x/capi/refresh-certs/plan endpoint from the
+// worker node, which generates the CSRs and creates the CertificateSigningRequest
+// objects in the cluster.
+// 2. The CAPI provider then calls the /x/capi/refresh-certs/plan endpoint with
+// the seed. This endpoint waits until the CSR is approved and the certificate
+// is signed. Note that this is a blocking call.
+// 3. The CAPI provider calls the /x/capi/refresh-certs/approve endpoint from
+// any control plane node to approve the CSRs.
+// 4. The /x/capi/refresh-certs/plan endpoint completes and returns once the
+// certificate is approved and signed.
 func (w *Workload) RefreshWorkerCertificates(ctx context.Context, machine *clusterv1.Machine, nodeToken string, expirationSeconds int) (int, error) {
 	seed, err := w.refreshCertificatesPlan(ctx, machine, nodeToken)
 	if err != nil {
@@ -329,7 +327,7 @@ func (w *Workload) RefreshWorkerCertificates(ctx context.Context, machine *clust
 	})
 
 	eg.Go(func() error {
-		if err := w.ApproveCertificates(ctx, machine, nodeToken, seed); err != nil {
+		if err := w.ApproveCertificates(ctx, machine, seed); err != nil {
 			return fmt.Errorf("failed to approve certificates: %w", err)
 		}
 		return nil
@@ -382,9 +380,7 @@ func (w *Workload) RefreshMachine(ctx context.Context, machine *clusterv1.Machin
 		return "", fmt.Errorf("failed to create k8sd proxy: %w", err)
 	}
 
-	header := map[string][]string{
-		"node-token": {nodeToken},
-	}
+	header := w.newHeaderWithNodeToken(nodeToken)
 
 	if err := w.doK8sdRequest(ctx, k8sdProxy, http.MethodPost, "1.0/snap/refresh", header, request, response); err != nil {
 		return "", fmt.Errorf("failed to refresh machine %s: %w", machine.Name, err)
@@ -403,9 +399,7 @@ func (w *Workload) GetRefreshStatusForMachine(ctx context.Context, machine *clus
 		return nil, fmt.Errorf("failed to create k8sd proxy: %w", err)
 	}
 
-	header := map[string][]string{
-		"node-token": {nodeToken},
-	}
+	header := w.newHeaderWithNodeToken(nodeToken)
 
 	if err := w.doK8sdRequest(ctx, k8sdProxy, http.MethodPost, "1.0/snap/refresh-status", header, request, response); err != nil {
 		return nil, fmt.Errorf("failed to refresh machine %s: %w", machine.Name, err)
@@ -438,9 +432,7 @@ func (w *Workload) requestJoinToken(ctx context.Context, name string, worker boo
 		return "", fmt.Errorf("failed to create k8sd proxy: %w", err)
 	}
 
-	header := map[string][]string{
-		"capi-auth-token": {w.authToken},
-	}
+	header := w.newHeaderWithCAPIAuthToken()
 
 	if err := w.doK8sdRequest(ctx, k8sdProxy, http.MethodPost, "1.0/x/capi/generate-join-token", header, request, response); err != nil {
 		return "", fmt.Errorf("failed to get join token: %w", err)
@@ -467,9 +459,7 @@ func (w *Workload) RemoveMachineFromCluster(ctx context.Context, machine *cluste
 		return fmt.Errorf("failed to create k8sd proxy: %w", err)
 	}
 
-	header := map[string][]string{
-		"capi-auth-token": {w.authToken},
-	}
+	header := w.newHeaderWithCAPIAuthToken()
 
 	if err := w.doK8sdRequest(ctx, k8sdProxy, http.MethodPost, "1.0/x/capi/remove-node", header, request, nil); err != nil {
 		return fmt.Errorf("failed to remove %s from cluster: %w", machine.Name, err)
@@ -525,6 +515,20 @@ func (w *Workload) doK8sdRequest(ctx context.Context, k8sdProxy *K8sdClient, met
 	return nil
 }
 
+// newHeaderWithCAPIAuthToken returns a map with the CAPI auth token as a header.
+func (w *Workload) newHeaderWithCAPIAuthToken() map[string][]string {
+	return map[string][]string{
+		"capi-auth-token": {w.authToken},
+	}
+}
+
+// newHeaderWithNodeToken returns a map with the node token as a header.
+func (w *Workload) newHeaderWithNodeToken(nodeToken string) map[string][]string {
+	return map[string][]string{
+		"node-token": {nodeToken},
+	}
+}
+
 // UpdateAgentConditions is responsible for updating machine conditions reflecting the status of all the control plane
 // components. This operation is best effort, in the sense that in case
 // of problems in retrieving the pod status, it sets the condition to Unknown state without returning any error.