Fix various pki related issues

pkg/cluster/cluster.go

@@ -27,7 +27,7 @@ func New(settings *ClusterSettings, node *NodeSettings) *Cluster {
 		node:       node,
 		networking: NewClusterNetworking(settings.Name, node.Name),
 		ml:         sml.New[HeptoMeta, HeptoState](node.Name, node.IP, node.Port, node.Anchors, settings.Key),
-		pki:        &pki.ClusterCA{},
+		pki:        pki.EmptyClusterCA(),
 		services:   NewClusterServices(),
 	}
 }

pkg/cluster/services.go

@@ -112,7 +112,7 @@ func (s *ClusterServices) startK8sMaster(net *ClusterNetworking, ca *pki.Cluster
 	}
 	schedulerConfig := KubeConfig{
 		URL:        fmt.Sprintf("https://[%s]:6443", net.NodeAddress.IP.String()),
-		CACert:     ca.API.CertPath(),
+		CACert:     ca.TLS.CertPath(),
 		ClientCert: certs.SchedulerAPI.CertPath(),
 		ClientKey:  certs.SchedulerAPI.KeyPath(),
 	}

pkg/pki/ca.go

@@ -14,6 +14,7 @@ type ClusterCA struct {
 	API *pekahi.Certificate `json:"api"`
 }
 
+// Cluster CA as it is held by the master node
 func NewClusterCA(path string) (*ClusterCA, error) {
 	bundle, err := pekahi.NewFileBundle(path)
 	if err != nil {
@@ -34,7 +35,16 @@ func NewClusterCA(path string) (*ClusterCA, error) {
 	return &ClusterCA{tlsCA, kubeletCA, apiserverCA}, nil
 }
 
-// Merge PKI
+// Empty CA for receiving certificates
+func EmptyClusterCA() *ClusterCA {
+	return &ClusterCA{
+		TLS:     &pekahi.Certificate{},
+		Kubelet: &pekahi.Certificate{},
+		API:     &pekahi.Certificate{},
+	}
+}
+
+// Merge the CA
 func (n *ClusterCA) Merge(remote *ClusterCA) bool {
 	change := mergeCert(n.TLS, remote.TLS)
 	change = change || mergeCert(n.Kubelet, remote.Kubelet)

pkg/pki/utils.go

@@ -14,11 +14,6 @@ func mergeCert(local *pekahi.Certificate, remote *pekahi.Certificate) bool {
 	if remote == nil {
 		return change
 	}
-	// Create local certificate if required
-	if local == nil && remote != nil {
-		*local = pekahi.Certificate{}
-		change = true
-	}
 	// Import CSR to master for signing
 	if local.CSR == nil && remote.CSR != nil {
 		local.CSR = remote.CSR