promote-keypair: Block items without certificates

Forbid the "kops promote keypair" command from promoting a key pair
item that lacks an associated X.509 certificate.

Along with that prohibition, refuse to store a key set in a VFS whose
primary key pair lacks a certificate. This allows us to continue
storing such key pairs, but we will never allow them to serve as the
primary key pair within the containing key set.
Steven E. Harris 2022-10-17 12:12:16 -04:00
parent a6ee86d1f7
commit 95f98896c7
GPG Key ID: 61AFFC7EE94A9DB2
2 changed files with 11 additions and 5 deletions


@ -162,17 +162,17 @@ func promoteKeypair(out io.Writer, name string, keypairID string, keyStore fi.CA
}
if keypairID == "" {
highestTrustedId := big.NewInt(0)
highestCandidateId := big.NewInt(0)
for id, item := range keyset.Items {
if item.PrivateKey != nil && item.DistrustTimestamp == nil {
if item.PrivateKey != nil && item.DistrustTimestamp == nil && item.Certificate != nil {
itemId, ok := big.NewInt(0).SetString(id, 10)
if ok && highestTrustedId.Cmp(itemId) < 0 {
highestTrustedId = itemId
if ok && highestCandidateId.Cmp(itemId) < 0 {
highestCandidateId = itemId
}
}
}
keypairID = highestTrustedId.String()
keypairID = highestCandidateId.String()
if keypairID == keyset.Primary.Id {
fmt.Fprintf(out, "No %s keypair newer than current primary %s\n", name, keypairID)
return nil
@ -184,6 +184,9 @@ func promoteKeypair(out io.Writer, name string, keypairID string, keyStore fi.CA
if item.PrivateKey == nil {
return fmt.Errorf("keypair has no private key")
}
if item.Certificate == nil {
return fmt.Errorf("keypair has no certificate")
}
} else {
return fmt.Errorf("keypair not found")
}
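Review bot: With the added `item.Certificate != nil` filter in the first hunk, a keyset whose trusted items all lack certificates leaves `highestCandidateId` at zero, so `keypairID` becomes "0" and the caller later gets a misleading "keypair not found" (or a false "No ... newer than current primary" when the primary happens to be "0"); an explicit guard right after the loop would report the real reason, e.g. `if highestCandidateId.Sign() == 0 { return fmt.Errorf("no %s keypair with a private key and certificate is eligible for promotion", name) }`. The eligibility predicate (private key, not distrusted, certificate) is now spelled out in the selection loop, again across the two checks in the second hunk, and once more in StoreKeyset in the other file; a small shared helper such as `promotable(item)` with a one-line doc comment would keep the three from drifting. The explicit-ID branch in the second hunk shows no `DistrustTimestamp` check, unlike the loop — it may exist outside the hunk, since promoteKeypair's body continues past both hunks, but it is worth confirming.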


@ -347,6 +347,9 @@ func (c *VFSCAStore) StoreKeyset(name string, keyset *Keyset) error {
if keyset.Items[primaryId].PrivateKey == nil {
return fmt.Errorf("keyset's primary id %q must have a private key", primaryId)
}
if keyset.Items[primaryId].Certificate == nil {
return fmt.Errorf("keyset's primary id %q must have a certificate", primaryId)
}
{
p := c.buildPrivateKeyPoolPath(name)
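Review bot: The new certificate check repeats the `keyset.Items[primaryId]` map lookup for a third time; binding it once ahead of the private-key check, `primary := keyset.Items[primaryId]`, and testing `primary.PrivateKey` / `primary.Certificate` reads more clearly and makes the nil-entry case visible in one place. If `primaryId` is absent from `Items` both dereferences panic, so a presence check is presumably done earlier in StoreKeyset, whose body starts before this hunk — worth confirming rather than relying on the map returning a non-nil pointer. A short comment on the new check, `// a primary without a certificate could be stored but never served as primary`, would tie it to the promote-keypair guard this commit adds.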