kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make parsed Keyset type public

This commit is contained in:
John Gardiner Myers 2021-04-11 10:59:45 -07:00
parent 6b2250a9af
commit 927b321e45
3 changed files with 100 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
upup/pkg/fi/ca.go
View File

@ -43,6 +43,20 @@ type KeystoreItem struct {
Data []byte
}
// Keyset is a parsed api.Keyset.
type Keyset struct {
LegacyFormat bool
Items map[string]*KeysetItem
Primary *KeysetItem
}
// KeysetItem is a certificate/key pair in a Keyset.
type KeysetItem struct {
Id string
Certificate *pki.Certificate
PrivateKey *pki.PrivateKey
}
// Keystore contains just the functions we need to issue keypairs, not to list / manage them
type Keystore interface {
// FindKeypair finds a cert & private key, returning nil where either is not found

60
upup/pkg/fi/clientset_castore.go
View File

@ -65,30 +65,16 @@ func NewClientsetSSHCredentialStore(cluster *kops.Cluster, clientset kopsinterna
return c
}
// keyset is a parsed Keyset
type keyset struct {
legacyFormat bool
items map[string]*keysetItem
primary *keysetItem
}
// keysetItem is a parsed KeysetItem
type keysetItem struct {
id string
certificate *pki.Certificate
privateKey *pki.PrivateKey
}
func parseKeyset(o *kops.Keyset) (*keyset, error) {
func parseKeyset(o *kops.Keyset) (*Keyset, error) {
name := o.Name
keyset := &keyset{
items: make(map[string]*keysetItem),
keyset := &Keyset{
Items: make(map[string]*KeysetItem),
}
for _, key := range o.Spec.Keys {
ki := &keysetItem{
id: key.Id,
ki := &KeysetItem{
Id: key.Id,
}
if len(key.PublicMaterial) != 0 {
cert, err := pki.ParsePEMCertificate(key.PublicMaterial)
@ -96,7 +82,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
klog.Warningf("key public material was %s", key.PublicMaterial)
return nil, fmt.Errorf("error loading certificate %s/%s: %v", name, key.Id, err)
}
ki.certificate = cert
ki.Certificate = cert
}
if len(key.PrivateMaterial) != 0 {
@ -104,19 +90,19 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
if err != nil {
return nil, fmt.Errorf("error loading private key %s/%s: %v", name, key.Id, err)
}
ki.privateKey = privateKey
ki.PrivateKey = privateKey
}
keyset.items[key.Id] = ki
keyset.Items[key.Id] = ki
}
keyset.primary = keyset.items[FindPrimary(o).Id]
keyset.Primary = keyset.Items[FindPrimary(o).Id]
return keyset, nil
}
// loadKeyset gets the named keyset and the format of the Keyset.
func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*keyset, error) {
// loadKeyset gets the named Keyset and the format of the Keyset.
func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*Keyset, error) {
o, err := c.clientset.Keysets(c.namespace).Get(ctx, name, metav1.GetOptions{})
if err != nil {
if errors.IsNotFound(err) {
@ -167,8 +153,8 @@ func (c *ClientsetCAStore) FindKeypair(name string) (*pki.Certificate, *pki.Priv
return nil, nil, false, err
}
if keyset != nil && keyset.primary != nil {
return keyset.primary.certificate, keyset.primary.privateKey, keyset.legacyFormat, nil
if keyset != nil && keyset.Primary != nil {
return keyset.Primary.Certificate, keyset.Primary.PrivateKey, keyset.LegacyFormat, nil
}
return nil, nil, false, nil
@ -182,8 +168,8 @@ func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
return nil, err
}
if keyset != nil && keyset.primary != nil {
return keyset.primary.certificate, nil
if keyset != nil && keyset.Primary != nil {
return keyset.Primary.Certificate, nil
}
return nil, nil
@ -200,15 +186,15 @@ func (c *ClientsetCAStore) FindCertificatePool(name string) (*CertificatePool, e
pool := &CertificatePool{}
if keyset != nil {
if keyset.primary != nil {
pool.Primary = keyset.primary.certificate
if keyset.Primary != nil {
pool.Primary = keyset.Primary.Certificate
}
for id, item := range keyset.items {
if id == keyset.primary.id {
for id, item := range keyset.Items {
if id == keyset.Primary.Id {
continue
}
pool.Secondary = append(pool.Secondary, item.certificate)
pool.Secondary = append(pool.Secondary, item.Certificate)
}
}
return pool, nil
@ -305,8 +291,8 @@ func (c *ClientsetCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error)
return nil, err
}
if keyset != nil && keyset.primary != nil {
return keyset.primary.privateKey, nil
if keyset != nil && keyset.Primary != nil {
return keyset.Primary.PrivateKey, nil
}
return nil, nil
}
@ -355,7 +341,7 @@ func (c *ClientsetCAStore) addKey(ctx context.Context, name string, keysetType k
return nil
}
// deleteKeysetItem deletes the specified key from the registry; deleting the whole keyset if it was the last one
// deleteKeysetItem deletes the specified key from the registry; deleting the whole Keyset if it was the last one.
func deleteKeysetItem(client kopsinternalversion.KeysetInterface, name string, keysetType kops.KeysetType, id string) error {
ctx := context.TODO()

126
upup/pkg/fi/vfs_castore.go
View File

@ -40,7 +40,7 @@ type VFSCAStore struct {
cluster *kops.Cluster
mutex sync.Mutex
cachedCA *keyset
cachedCA *Keyset
}
var _ CAStore = &VFSCAStore{}
@ -106,10 +106,10 @@ func (c *VFSCAStore) parseKeysetYaml(data []byte) (*kops.Keyset, bool, error) {
return keyset, gvk.Version != keysetFormatLatest, nil
}
// loadKeyset loads a keyset from the path
// loadKeyset loads a Keyset from the path.
// Returns (nil, nil) if the file is not found
// Bundles avoid the need for a list-files permission, which can be tricky on e.g. GCE
func (c *VFSCAStore) loadKeyset(p vfs.Path) (*keyset, error) {
func (c *VFSCAStore) loadKeyset(p vfs.Path) (*Keyset, error) {
bundlePath := p.Join("keyset.yaml")
data, err := bundlePath.ReadFile()
if err != nil {
@ -129,31 +129,31 @@ func (c *VFSCAStore) loadKeyset(p vfs.Path) (*keyset, error) {
return nil, fmt.Errorf("error mapping bundle %q: %v", p, err)
}
keyset.legacyFormat = legacyFormat
keyset.LegacyFormat = legacyFormat
return keyset, nil
}
func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops.Keyset, error) {
func (k *Keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops.Keyset, error) {
o := &kops.Keyset{}
o.Name = name
o.Spec.Type = kops.SecretTypeKeypair
for _, ki := range k.items {
for _, ki := range k.Items {
oki := kops.KeysetItem{
Id: ki.id,
Id: ki.Id,
}
if ki.certificate != nil {
if ki.Certificate != nil {
var publicMaterial bytes.Buffer
if _, err := ki.certificate.WriteTo(&publicMaterial); err != nil {
if _, err := ki.Certificate.WriteTo(&publicMaterial); err != nil {
return nil, err
}
oki.PublicMaterial = publicMaterial.Bytes()
}
if includePrivateKeyMaterial && ki.privateKey != nil {
if includePrivateKeyMaterial && ki.PrivateKey != nil {
var privateMaterial bytes.Buffer
if _, err := ki.privateKey.WriteTo(&privateMaterial); err != nil {
if _, err := ki.PrivateKey.WriteTo(&privateMaterial); err != nil {
return nil, err
}
@ -162,14 +162,14 @@ func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops
o.Spec.Keys = append(o.Spec.Keys, oki)
}
if k.primary != nil {
o.Spec.PrimaryId = k.primary.id
if k.Primary != nil {
o.Spec.PrimaryId = k.Primary.Id
}
return o, nil
}
// writeKeysetBundle writes a keyset bundle to VFS
func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *keyset, includePrivateKeyMaterial bool) error {
// writeKeysetBundle writes a Keyset bundle to VFS.
func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *Keyset, includePrivateKeyMaterial bool) error {
p = p.Join("keyset.yaml")
o, err := keyset.ToAPIObject(name, includePrivateKeyMaterial)
@ -189,7 +189,7 @@ func (c *VFSCAStore) writeKeysetBundle(p vfs.Path, name string, keyset *keyset,
return p.WriteFile(bytes.NewReader(objectData), acl)
}
// serializeKeysetBundle converts a keyset bundle to yaml, for writing to VFS
// serializeKeysetBundle converts a Keyset bundle to yaml, for writing to VFS.
func serializeKeysetBundle(o *kops.Keyset) ([]byte, error) {
var objectData bytes.Buffer
codecs := kopscodecs.Codecs
@ -281,8 +281,8 @@ func (c *VFSCAStore) findCert(name string) (*pki.Certificate, bool, error) {
return nil, false, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
}
if certs != nil && certs.primary != nil {
return certs.primary.certificate, certs.legacyFormat, nil
if certs != nil && certs.Primary != nil {
return certs.Primary.Certificate, certs.LegacyFormat, nil
}
return nil, false, nil
@ -294,7 +294,7 @@ func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
}
func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error) {
var certs *keyset
var certs *Keyset
var err error
p := c.buildCertificatePoolPath(name)
@ -306,18 +306,18 @@ func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error)
pool := &CertificatePool{}
if certs != nil {
if certs.primary != nil {
pool.Primary = certs.primary.certificate
if certs.Primary != nil {
pool.Primary = certs.Primary.Certificate
}
for k, cert := range certs.items {
if certs.primary != nil && k == certs.primary.id {
for k, cert := range certs.Items {
if certs.Primary != nil && k == certs.Primary.Id {
continue
}
if cert.certificate == nil {
if cert.Certificate == nil {
continue
}
pool.Secondary = append(pool.Secondary, cert.certificate)
pool.Secondary = append(pool.Secondary, cert.Certificate)
}
}
return pool, nil
@ -462,7 +462,7 @@ func (c *VFSCAStore) MirrorTo(basedir vfs.Path) error {
return nil
}
// mirrorKeyset writes keyset bundles for the certificates & privatekeys
// mirrorKeyset writes Keyset bundles for the certificates & privatekeys.
func mirrorKeyset(cluster *kops.Cluster, basedir vfs.Path, keyset *kops.Keyset) error {
primary := FindPrimary(keyset)
if primary == nil {
@ -536,10 +536,10 @@ func mirrorSSHCredential(cluster *kops.Cluster, basedir vfs.Path, sshCredential
func (c *VFSCAStore) StoreKeypair(name string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
serial := cert.Certificate.SerialNumber.String()
ki := &keysetItem{
id: serial,
certificate: cert,
privateKey: privateKey,
ki := &KeysetItem{
Id: serial,
Certificate: cert,
PrivateKey: privateKey,
}
{
@ -568,9 +568,9 @@ func (c *VFSCAStore) AddCert(name string, cert *pki.Certificate) error {
p := c.buildCertificatePath(name, serial)
ki := &keysetItem{
id: serial,
certificate: cert,
ki := &KeysetItem{
Id: serial,
Certificate: cert,
}
err := c.storeCertificate(name, ki)
if err != nil {
@ -582,8 +582,8 @@ func (c *VFSCAStore) AddCert(name string, cert *pki.Certificate) error {
return err
}
func (c *VFSCAStore) findPrivateKeyset(id string) (*keyset, error) {
var keys *keyset
func (c *VFSCAStore) findPrivateKeyset(id string) (*Keyset, error) {
var keys *Keyset
var err error
if id == CertificateIDCA {
c.mutex.Lock()
@ -623,8 +623,8 @@ func (c *VFSCAStore) FindPrivateKey(id string) (*pki.PrivateKey, error) {
}
var key *pki.PrivateKey
if keys != nil && keys.primary != nil {
key = keys.primary.privateKey
if keys != nil && keys.Primary != nil {
key = keys.Primary.PrivateKey
}
return key, nil
}
@ -643,8 +643,8 @@ func (c *VFSCAStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
return o, nil
}
func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
if ki.privateKey == nil {
func (c *VFSCAStore) storePrivateKey(name string, ki *KeysetItem) error {
if ki.PrivateKey == nil {
return fmt.Errorf("privateKey not provided to storeCertificate")
}
@ -657,13 +657,13 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
}
if ks == nil {
ks = &keyset{}
ks = &Keyset{}
}
if ks.items == nil {
ks.items = make(map[string]*keysetItem)
if ks.Items == nil {
ks.Items = make(map[string]*KeysetItem)
}
ks.items[ki.id] = ki
ks.primary = ki
ks.Items[ki.Id] = ki
ks.Primary = ki
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
return fmt.Errorf("error writing bundle: %v", err)
@ -674,11 +674,11 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
// Write the data
{
var data bytes.Buffer
if _, err := ki.privateKey.WriteTo(&data); err != nil {
if _, err := ki.PrivateKey.WriteTo(&data); err != nil {
return err
}
p := c.buildPrivateKeyPath(name, ki.id)
p := c.buildPrivateKeyPath(name, ki.Id)
acl, err := acls.GetACL(p, c.cluster)
if err != nil {
return err
@ -687,8 +687,8 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
}
}
func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
if ki.certificate == nil {
func (c *VFSCAStore) storeCertificate(name string, ki *KeysetItem) error {
if ki.Certificate == nil {
return fmt.Errorf("certificate not provided to storeCertificate")
}
@ -701,13 +701,13 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
}
if ks == nil {
ks = &keyset{}
ks = &Keyset{}
}
if ks.items == nil {
ks.items = make(map[string]*keysetItem)
if ks.Items == nil {
ks.Items = make(map[string]*KeysetItem)
}
ks.items[ki.id] = ki
ks.primary = ki
ks.Items[ki.Id] = ki
ks.Primary = ki
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
return fmt.Errorf("error writing bundle: %v", err)
@ -718,11 +718,11 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
// Write the data
{
var data bytes.Buffer
if _, err := ki.certificate.WriteTo(&data); err != nil {
if _, err := ki.Certificate.WriteTo(&data); err != nil {
return err
}
p := c.buildCertificatePath(name, ki.id)
p := c.buildCertificatePath(name, ki.Id)
acl, err := acls.GetACL(p, c.cluster)
if err != nil {
return err
@ -749,12 +749,12 @@ func (c *VFSCAStore) deletePrivateKey(name string, id string) (bool, error) {
return false, err
}
if ks == nil || ks.items[id] == nil {
if ks == nil || ks.Items[id] == nil {
return false, nil
}
delete(ks.items, id)
if ks.primary != nil && ks.primary.id == id {
ks.primary = nil
delete(ks.Items, id)
if ks.Primary != nil && ks.Primary.Id == id {
ks.Primary = nil
}
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
@ -782,12 +782,12 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
return false, err
}
if ks == nil || ks.items[id] == nil {
if ks == nil || ks.Items[id] == nil {
return false, nil
}
delete(ks.items, id)
if ks.primary != nil && ks.primary.id == id {
ks.primary = nil
delete(ks.Items, id)
if ks.Primary != nil && ks.Primary.Id == id {
ks.Primary = nil
}
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {