Merge pull request #11376 from johngmyers/sa-key

Fix upgrade of service-account key
2021-05-03 21:51:11 -07:00 · 2021-05-03 21:51:11 -07:00 · 174eef9f5d
parent 67cfafce66 30bc1c7b15
commit 174eef9f5d
2 changed files with 2 additions and 2 deletions
--- a/upup/pkg/fi/fitasks/keypair.go
+++ b/upup/pkg/fi/fitasks/keypair.go
@ -165,7 +165,7 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
 		} else if changes.Type != "" {
 			createCertificate = true
 			klog.Infof("creating certificate %q as Type has changed (actual=%v, expected=%v)", name, a.Type, e.Type)
-		} else if changes.LegacyFormat {
+		} else if a.LegacyFormat {
 			changeStoredFormat = true
 		} else {
 			klog.Warningf("Ignoring changes in key: %v", fi.DebugAsJsonString(changes))
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@ -257,7 +257,7 @@ func (c *VFSCAStore) loadOneCertificate(p vfs.Path) (*pki.Certificate, error) {
 func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
 	cert, legacyFormat, err := c.findCert(id)

-	if os.IsNotExist(err) && id == "service-account" {
+	if (cert == nil || os.IsNotExist(err)) && id == "service-account" {
 		// The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
 		id = "master"
 		cert, _, err = c.findCert(id)