Add PrimaryId field to KeysetSpec

2021-04-10 22:14:42 -07:00 · 2021-04-10 22:14:42 -07:00 · b21370d118
parent 91852b9313
commit b21370d118
5 changed files with 26 additions and 22 deletions
--- a/pkg/apis/kops/keyset.go
+++ b/pkg/apis/kops/keyset.go
@ -67,6 +67,9 @@ type KeysetSpec struct {
 	// Type is the type of the Keyset (PKI keypair, or secret token)
 	Type KeysetType `json:"type,omitempty"`

+	// PrimaryId is the id of the key used to mint new things.
+	PrimaryId string `json:"primaryId,omitempty"`
+
 	// Keys is the set of keys that make up the keyset
 	Keys []KeysetItem `json:"keys,omitempty"`
 }
--- a/pkg/apis/kops/v1alpha2/keyset.go
+++ b/pkg/apis/kops/v1alpha2/keyset.go
@ -68,6 +68,9 @@ type KeysetSpec struct {
 	// Type is the type of the Keyset (PKI keypair, or secret token)
 	Type KeysetType `json:"type,omitempty"`

+	// PrimaryId is the id of the key used to mint new things.
+	PrimaryId string `json:"primaryId,omitempty"`
+
 	// Keys is the set of keys that make up the keyset
 	Keys []KeysetItem `json:"keys,omitempty"`
 }
--- a/upup/pkg/fi/ca.go
+++ b/upup/pkg/fi/ca.go
@ -52,7 +52,7 @@ type Keystore interface {
 	// task to convert a Legacy Keypair to the new Keypair API format.
 	FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error)

-	// StoreKeypair writes the keypair to the store
+	// StoreKeypair writes the keypair to the store, making it the primary.
 	StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error

 	// MirrorTo will copy secrets to a vfs.Path, which is often easier for a machine to read
--- a/upup/pkg/fi/clientset_castore.go
+++ b/upup/pkg/fi/clientset_castore.go
@ -110,7 +110,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
 		keyset.items[key.Id] = ki
 	}

-	keyset.primary = keyset.findPrimary()
+	keyset.primary = keyset.items[FindPrimary(o).Id]

 	return keyset, nil
 }
@ -132,30 +132,13 @@ func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*keyset
 	return keyset, nil
 }

-// findPrimary returns the primary keysetItem in the keyset
-func (k *keyset) findPrimary() *keysetItem {
-	var primary *keysetItem
-	var primaryVersion *big.Int
-
-	for _, item := range k.items {
-		version, ok := big.NewInt(0).SetString(item.id, 10)
-		if !ok {
-			klog.Warningf("Ignoring key item with non-integer version: %q", item.id)
-			continue
-		}
-
-		if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
-			primary = item
-			primaryVersion = version
-		}
-	}
-	return primary
-}
-
 // FindPrimary returns the primary KeysetItem in the Keyset
 func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
 	var primary *kops.KeysetItem
 	var primaryVersion *big.Int
+
+	primaryId := keyset.Spec.PrimaryId
+
 	for i := range keyset.Spec.Keys {
 		item := &keyset.Spec.Keys[i]
 		version, ok := big.NewInt(0).SetString(item.Id, 10)
@ -164,6 +147,10 @@ func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
 			continue
 		}

+		if item.Id == primaryId {
+			return item
+		}
+
 		if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
 			primary = item
 			primaryVersion = version
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@ -162,6 +162,9 @@ func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops

 		o.Spec.Keys = append(o.Spec.Keys, oki)
 	}
+	if k.primary != nil {
+		o.Spec.PrimaryId = k.primary.id
+	}
 	return o, nil
 }

@ -660,6 +663,7 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
 			ks.items = make(map[string]*keysetItem)
 		}
 		ks.items[ki.id] = ki
+		ks.primary = ki

 		if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
 			return fmt.Errorf("error writing bundle: %v", err)
@ -703,6 +707,7 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
 			ks.items = make(map[string]*keysetItem)
 		}
 		ks.items[ki.id] = ki
+		ks.primary = ki

 		if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
 			return fmt.Errorf("error writing bundle: %v", err)
@ -748,6 +753,9 @@ func (c *VFSCAStore) deletePrivateKey(name string, id string) (bool, error) {
 			return false, nil
 		}
 		delete(ks.items, id)
+		if ks.primary != nil && ks.primary.id == id {
+			ks.primary = nil
+		}

 		if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
 			return false, fmt.Errorf("error writing bundle: %v", err)
@ -778,6 +786,9 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
 			return false, nil
 		}
 		delete(ks.items, id)
+		if ks.primary != nil && ks.primary.id == id {
+			ks.primary = nil
+		}

 		if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
 			return false, fmt.Errorf("error writing bundle: %v", err)