kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make parsed Keyset type public

This commit is contained in:
John Gardiner Myers 2021-04-11 10:59:45 -07:00
parent 6b2250a9af
commit 927b321e45
3 changed files with 100 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
upup/pkg/fi/ca.go
View File

@ -43,6 +43,20 @@ type KeystoreItem struct {
Data []byte Data []byte
} }
// Keyset is a parsed api.Keyset.
type Keyset struct {
LegacyFormat bool
Items map[string]*KeysetItem
Primary *KeysetItem
}
// KeysetItem is a certificate/key pair in a Keyset.
type KeysetItem struct {
Id string
Certificate *pki.Certificate
PrivateKey *pki.PrivateKey
}
// Keystore contains just the functions we need to issue keypairs, not to list / manage them // Keystore contains just the functions we need to issue keypairs, not to list / manage them
type Keystore interface { type Keystore interface {
// FindKeypair finds a cert & private key, returning nil where either is not found // FindKeypair finds a cert & private key, returning nil where either is not found

60
upup/pkg/fi/clientset_castore.go
View File

@ -65,30 +65,16 @@ func NewClientsetSSHCredentialStore(cluster *kops.Cluster, clientset kopsinterna
return c return c
} }
// keyset is a parsed Keyset func parseKeyset(o *kops.Keyset) (*Keyset, error) {
type keyset struct {
legacyFormat bool
items map[string]*keysetItem
primary *keysetItem
}
// keysetItem is a parsed KeysetItem
type keysetItem struct {
id string
certificate *pki.Certificate
privateKey *pki.PrivateKey
}
func parseKeyset(o *kops.Keyset) (*keyset, error) {
name := o.Name name := o.Name
keyset := &keyset{ keyset := &Keyset{
items: make(map[string]*keysetItem), Items: make(map[string]*KeysetItem),
} }
for _, key := range o.Spec.Keys { for _, key := range o.Spec.Keys {
ki := &keysetItem{ ki := &KeysetItem{
id: key.Id, Id: key.Id,
} }
if len(key.PublicMaterial) != 0 { if len(key.PublicMaterial) != 0 {
cert, err := pki.ParsePEMCertificate(key.PublicMaterial) cert, err := pki.ParsePEMCertificate(key.PublicMaterial)
@ -96,7 +82,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
klog.Warningf("key public material was %s", key.PublicMaterial) klog.Warningf("key public material was %s", key.PublicMaterial)
return nil, fmt.Errorf("error loading certificate %s/%s: %v", name, key.Id, err) return nil, fmt.Errorf("error loading certificate %s/%s: %v", name, key.Id, err)
} }
ki.certificate = cert ki.Certificate = cert
} }
if len(key.PrivateMaterial) != 0 { if len(key.PrivateMaterial) != 0 {
@ -104,19 +90,19 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
if err != nil { if err != nil {
return nil, fmt.Errorf("error loading private key %s/%s: %v", name, key.Id, err) return nil, fmt.Errorf("error loading private key %s/%s: %v", name, key.Id, err)
} }
ki.privateKey = privateKey ki.PrivateKey = privateKey
} }
keyset.items[key.Id] = ki keyset.Items[key.Id] = ki
} }
keyset.primary = keyset.items[FindPrimary(o).Id] keyset.Primary = keyset.Items[FindPrimary(o).Id]
return keyset, nil return keyset, nil
} }
// loadKeyset gets the named keyset and the format of the Keyset. // loadKeyset gets the named Keyset and the format of the Keyset.
func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*keyset, error) { func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*Keyset, error) {
o, err := c.clientset.Keysets(c.namespace).Get(ctx, name, metav1.GetOptions{}) o, err := c.clientset.Keysets(c.namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil { if err != nil {
if errors.IsNotFound(err) { if errors.IsNotFound(err) {
@ -167,8 +153,8 @@ func (c *ClientsetCAStore) FindKeypair(name string) (*pki.Certificate, *pki.Priv
return nil, nil, false, err return nil, nil, false, err
} }
if keyset != nil && keyset.primary != nil { if keyset != nil && keyset.Primary != nil {
return keyset.primary.certificate, keyset.primary.privateKey, keyset.legacyFormat, nil return keyset.Primary.Certificate, keyset.Primary.PrivateKey, keyset.LegacyFormat, nil
} }
return nil, nil, false, nil return nil, nil, false, nil
@ -182,8 +168,8 @@ func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
return nil, err return nil, err
} }
if keyset != nil && keyset.primary != nil { if keyset != nil && keyset.Primary != nil {
return keyset.primary.certificate, nil return keyset.Primary.Certificate, nil
} }
return nil, nil return nil, nil
@ -200,15 +186,15 @@ func (c *ClientsetCAStore) FindCertificatePool(name string) (*CertificatePool, e
pool := &CertificatePool{} pool := &CertificatePool{}
if keyset != nil { if keyset != nil {
if keyset.primary != nil { if keyset.Primary != nil {
pool.Primary = keyset.primary.certificate pool.Primary = keyset.Primary.Certificate
} }
for id, item := range keyset.items { for id, item := range keyset.Items {
if id == keyset.primary.id { if id == keyset.Primary.Id {
continue continue
} }
pool.Secondary = append(pool.Secondary, item.certificate) pool.Secondary = append(pool.Secondary, item.Certificate)
} }
} }
return pool, nil return pool, nil
@ -305,8 +291,8 @@ func (c *ClientsetCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error)
return nil, err return nil, err
} }
if keyset != nil && keyset.primary != nil { if keyset != nil && keyset.Primary != nil {
return keyset.primary.privateKey, nil return keyset.Primary.PrivateKey, nil
} }
return nil, nil return nil, nil
} }
@ -355,7 +341,7 @@ func (c *ClientsetCAStore) addKey(ctx context.Context, name string, keysetType k
return nil return nil
} }
// deleteKeysetItem deletes the specified key from the registry; deleting the whole keyset if it was the last one // deleteKeysetItem deletes the specified key from the registry; deleting the whole Keyset if it was the last one.
func deleteKeysetItem(client kopsinternalversion.KeysetInterface, name string, keysetType kops.KeysetType, id string) error { func deleteKeysetItem(client kopsinternalversion.KeysetInterface, name string, keysetType kops.KeysetType, id string) error {
ctx := context.TODO() ctx := context.TODO()

126
upup/pkg/fi/vfs_castore.go
View File

@ -40,7 +40,7 @@ type VFSCAStore struct {
cluster *kops.Cluster cluster *kops.Cluster
mutex sync.Mutex mutex sync.Mutex
cachedCA *keyset cachedCA *Keyset
} }
var _ CAStore = &VFSCAStore{} var _ CAStore = &VFSCAStore{}
@ -106,10 +106,10 @@ func (c *VFSCAStore) parseKeysetYaml(data []byte) (*kops.Keyset, bool, error) {
return keyset, gvk.Version != keysetFormatLatest, nil return keyset, gvk.Version != keysetFormatLatest, nil
} }
// loadKeyset loads a keyset from the path // loadKeyset loads a Keyset from the path.
// Returns (nil, nil) if the file is not found // Returns (nil, nil) if the file is not found
// Bundles avoid the need for a list-files permission, which can be tricky on e.g. GCE // Bundles avoid the need for a list-files permission, which can be tricky on e.g. GCE
func (c *VFSCAStore) loadKeyset(p vfs.Path) (*keyset, error) { func (c *VFSCAStore) loadKeyset(p vfs.Path) (*Keyset, error) {
bundlePath := p.Join("keyset.yaml") bundlePath := p.Join("keyset.yaml")
data, err := bundlePath.ReadFile() data, err := bundlePath.ReadFile()
if err != nil { if err != nil {
@ -129,31 +129,31 @@ func (c *VFSCAStore) loadKeyset(p vfs.Path) (*keyset, error) {
return nil, fmt.Errorf("error mapping bundle %q: %v", p, err) return nil, fmt.Errorf("error mapping bundle %q: %v", p, err)
} }
keyset.legacyFormat = legacyFormat keyset.LegacyFormat = legacyFormat
return keyset, nil return keyset, nil
} }
func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops.Keyset, error) { func (k *Keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops.Keyset, error) {
o := &kops.Keyset{} o := &kops.Keyset{}
o.Name = name o.Name = name
o.Spec.Type = kops.SecretTypeKeypair o.Spec.Type = kops.SecretTypeKeypair
for _, ki := range k.items { for _, ki := range k.Items {
oki := kops.KeysetItem{ oki := kops.KeysetItem{
Id: ki.id, Id: ki.Id,
} }
if ki.certificate != nil { if ki.Certificate != nil {
var publicMaterial bytes.Buffer var publicMaterial bytes.Buffer
if _, err := ki.certificate.WriteTo(&publicMaterial); err != nil { if _, err := ki.Certificate.WriteTo(&publicMaterial); err != nil {
return nil, err return nil, err
} }
oki.PublicMaterial = publicMaterial.Bytes() oki.PublicMaterial = publicMaterial.Bytes()
} }
if includePrivateKeyMaterial && ki.privateKey != nil { if includePrivateKeyMaterial && ki.PrivateKey != nil {
var privateMaterial bytes.Buffer var privateMaterial bytes.Buffer
if _, err := ki.privateKey.WriteTo(&privateMaterial); err != nil { if _, err := ki.PrivateKey.WriteTo(&privateMaterial); err != nil {
return nil, err return nil, err
} }
@ -162,14 +162,14 @@ func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops
o.Spec.Keys = append(o.Spec.Keys, oki) o.Spec.Keys = append(o.Spec.Keys, oki)
} }
if k.primary != nil { if k.Primary != nil {
o.Spec.PrimaryId = k.primary.id o.Spec.PrimaryId = k.Primary.Id
} }
return o, nil return o, nil
} }
// writeKeysetBundle writes a keyset bundle to VFS // writeKeysetBundle writes a Keyset bundle to VFS.
func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *keyset, includePrivateKeyMaterial bool) error { func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *Keyset, includePrivateKeyMaterial bool) error {
p = p.Join("keyset.yaml") p = p.Join("keyset.yaml")
o, err := keyset.ToAPIObject(name, includePrivateKeyMaterial) o, err := keyset.ToAPIObject(name, includePrivateKeyMaterial)
@ -189,7 +189,7 @@ func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *keyset,
return p.WriteFile(bytes.NewReader(objectData), acl) return p.WriteFile(bytes.NewReader(objectData), acl)
} }
// serializeKeysetBundle converts a keyset bundle to yaml, for writing to VFS // serializeKeysetBundle converts a Keyset bundle to yaml, for writing to VFS.
func serializeKeysetBundle(o *kops.Keyset) ([]byte, error) { func serializeKeysetBundle(o *kops.Keyset) ([]byte, error) {
var objectData bytes.Buffer var objectData bytes.Buffer
codecs := kopscodecs.Codecs codecs := kopscodecs.Codecs
@ -281,8 +281,8 @@ func (c *VFSCAStore) findCert(name string) (*pki.Certificate, bool, error) {
return nil, false, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err) return nil, false, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
} }
if certs != nil && certs.primary != nil { if certs != nil && certs.Primary != nil {
return certs.primary.certificate, certs.legacyFormat, nil return certs.Primary.Certificate, certs.LegacyFormat, nil
} }
return nil, false, nil return nil, false, nil
@ -294,7 +294,7 @@ func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
} }
func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error) { func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error) {
var certs *keyset var certs *Keyset
var err error var err error
p := c.buildCertificatePoolPath(name) p := c.buildCertificatePoolPath(name)
@ -306,18 +306,18 @@ func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error)
pool := &CertificatePool{} pool := &CertificatePool{}
if certs != nil { if certs != nil {
if certs.primary != nil { if certs.Primary != nil {
pool.Primary = certs.primary.certificate pool.Primary = certs.Primary.Certificate
} }
for k, cert := range certs.items { for k, cert := range certs.Items {
if certs.primary != nil && k == certs.primary.id { if certs.Primary != nil && k == certs.Primary.Id {
continue continue
} }
if cert.certificate == nil { if cert.Certificate == nil {
continue continue
} }
pool.Secondary = append(pool.Secondary, cert.certificate) pool.Secondary = append(pool.Secondary, cert.Certificate)
} }
} }
return pool, nil return pool, nil
@ -462,7 +462,7 @@ func (c *VFSCAStore) MirrorTo(basedir vfs.Path) error {
return nil return nil
} }
// mirrorKeyset writes keyset bundles for the certificates & privatekeys // mirrorKeyset writes Keyset bundles for the certificates & privatekeys.
func mirrorKeyset(cluster *kops.Cluster, basedir vfs.Path, keyset *kops.Keyset) error { func mirrorKeyset(cluster *kops.Cluster, basedir vfs.Path, keyset *kops.Keyset) error {
primary := FindPrimary(keyset) primary := FindPrimary(keyset)
if primary == nil { if primary == nil {
@ -536,10 +536,10 @@ func mirrorSSHCredential(cluster *kops.Cluster, basedir vfs.Path, sshCredential
func (c *VFSCAStore) StoreKeypair(name string, cert *pki.Certificate, privateKey *pki.PrivateKey) error { func (c *VFSCAStore) StoreKeypair(name string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
serial := cert.Certificate.SerialNumber.String() serial := cert.Certificate.SerialNumber.String()
ki := &keysetItem{ ki := &KeysetItem{
id: serial, Id: serial,
certificate: cert, Certificate: cert,
privateKey: privateKey, PrivateKey: privateKey,
} }
{ {
@ -568,9 +568,9 @@ func (c *VFSCAStore) AddCert(name string, cert *pki.Certificate) error {
p := c.buildCertificatePath(name, serial) p := c.buildCertificatePath(name, serial)
ki := &keysetItem{ ki := &KeysetItem{
id: serial, Id: serial,
certificate: cert, Certificate: cert,
} }
err := c.storeCertificate(name, ki) err := c.storeCertificate(name, ki)
if err != nil { if err != nil {
@ -582,8 +582,8 @@ func (c *VFSCAStore) AddCert(name string, cert *pki.Certificate) error {
return err return err
} }
func (c *VFSCAStore) findPrivateKeyset(id string) (*keyset, error) { func (c *VFSCAStore) findPrivateKeyset(id string) (*Keyset, error) {
var keys *keyset var keys *Keyset
var err error var err error
if id == CertificateIDCA { if id == CertificateIDCA {
c.mutex.Lock() c.mutex.Lock()
@ -623,8 +623,8 @@ func (c *VFSCAStore) FindPrivateKey(id string) (*pki.PrivateKey, error) {
} }
var key *pki.PrivateKey var key *pki.PrivateKey
if keys != nil && keys.primary != nil { if keys != nil && keys.Primary != nil {
key = keys.primary.privateKey key = keys.Primary.PrivateKey
} }
return key, nil return key, nil
} }
@ -643,8 +643,8 @@ func (c *VFSCAStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
return o, nil return o, nil
} }
func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error { func (c *VFSCAStore) storePrivateKey(name string, ki *KeysetItem) error {
if ki.privateKey == nil { if ki.PrivateKey == nil {
return fmt.Errorf("privateKey not provided to storeCertificate") return fmt.Errorf("privateKey not provided to storeCertificate")
} }
@ -657,13 +657,13 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
} }
if ks == nil { if ks == nil {
ks = &keyset{} ks = &Keyset{}
} }
if ks.items == nil { if ks.Items == nil {
ks.items = make(map[string]*keysetItem) ks.Items = make(map[string]*KeysetItem)
} }
ks.items[ki.id] = ki ks.Items[ki.Id] = ki
ks.primary = ki ks.Primary = ki
if err := c.writeKeysetBundle(p, name, ks, true); err != nil { if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
return fmt.Errorf("error writing bundle: %v", err) return fmt.Errorf("error writing bundle: %v", err)
@ -674,11 +674,11 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
// Write the data // Write the data
{ {
var data bytes.Buffer var data bytes.Buffer
if _, err := ki.privateKey.WriteTo(&data); err != nil { if _, err := ki.PrivateKey.WriteTo(&data); err != nil {
return err return err
} }
p := c.buildPrivateKeyPath(name, ki.id) p := c.buildPrivateKeyPath(name, ki.Id)
acl, err := acls.GetACL(p, c.cluster) acl, err := acls.GetACL(p, c.cluster)
if err != nil { if err != nil {
return err return err
@ -687,8 +687,8 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
} }
} }
func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error { func (c *VFSCAStore) storeCertificate(name string, ki *KeysetItem) error {
if ki.certificate == nil { if ki.Certificate == nil {
return fmt.Errorf("certificate not provided to storeCertificate") return fmt.Errorf("certificate not provided to storeCertificate")
} }
@ -701,13 +701,13 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
} }
if ks == nil { if ks == nil {
ks = &keyset{} ks = &Keyset{}
} }
if ks.items == nil { if ks.Items == nil {
ks.items = make(map[string]*keysetItem) ks.Items = make(map[string]*KeysetItem)
} }
ks.items[ki.id] = ki ks.Items[ki.Id] = ki
ks.primary = ki ks.Primary = ki
if err := c.writeKeysetBundle(p, name, ks, false); err != nil { if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
return fmt.Errorf("error writing bundle: %v", err) return fmt.Errorf("error writing bundle: %v", err)
@ -718,11 +718,11 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
// Write the data // Write the data
{ {
var data bytes.Buffer var data bytes.Buffer
if _, err := ki.certificate.WriteTo(&data); err != nil { if _, err := ki.Certificate.WriteTo(&data); err != nil {
return err return err
} }
p := c.buildCertificatePath(name, ki.id) p := c.buildCertificatePath(name, ki.Id)
acl, err := acls.GetACL(p, c.cluster) acl, err := acls.GetACL(p, c.cluster)
if err != nil { if err != nil {
return err return err
@ -749,12 +749,12 @@ func (c *VFSCAStore) deletePrivateKey(name string, id string) (bool, error) {
return false, err return false, err
} }
if ks == nil || ks.items[id] == nil { if ks == nil || ks.Items[id] == nil {
return false, nil return false, nil
} }
delete(ks.items, id) delete(ks.Items, id)
if ks.primary != nil && ks.primary.id == id { if ks.Primary != nil && ks.Primary.Id == id {
ks.primary = nil ks.Primary = nil
} }
if err := c.writeKeysetBundle(p, name, ks, true); err != nil { if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
@ -782,12 +782,12 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
return false, err return false, err
} }
if ks == nil || ks.items[id] == nil { if ks == nil || ks.Items[id] == nil {
return false, nil return false, nil
} }
delete(ks.items, id) delete(ks.Items, id)
if ks.primary != nil && ks.primary.id == id { if ks.Primary != nil && ks.Primary.Id == id {
ks.primary = nil ks.Primary = nil
} }
if err := c.writeKeysetBundle(p, name, ks, false); err != nil { if err := c.writeKeysetBundle(p, name, ks, false); err != nil {