Add PrimaryId field to KeysetSpec
parent
91852b9313
commit
b21370d118
@ -67,6 +67,9 @@ type KeysetSpec struct {
|
||||||
// Type is the type of the Keyset (PKI keypair, or secret token)
|
// Type is the type of the Keyset (PKI keypair, or secret token)
|
||||||
Type KeysetType `json:"type,omitempty"`
|
Type KeysetType `json:"type,omitempty"`
|
||||||
|
|
||||||
|
// PrimaryId is the id of the key used to mint new things.
|
||||||
|
PrimaryId string `json:"primaryId,omitempty"`
|
||||||
|
|
||||||
// Keys is the set of keys that make up the keyset
|
// Keys is the set of keys that make up the keyset
|
||||||
Keys []KeysetItem `json:"keys,omitempty"`
|
Keys []KeysetItem `json:"keys,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
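Review bot: The doc comment on the new field, `// PrimaryId is the id of the key used to mint new things.`, does not say what happens when the id is empty or does not name an entry in Keys; FindPrimary in this commit then falls back to the entry with the highest integer id, and that fallback is part of the API contract consumers will rely on, so it belongs on the field. Suggest `// PrimaryId is the id of the key in Keys used to sign or mint new material. If empty or not found in Keys, the key with the highest integer id is treated as primary.`. The same applies to the identical hunk `@ -68,6 +68,9 @@` (the second copy of KeysetSpec).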
@ -68,6 +68,9 @@ type KeysetSpec struct {
|
||||||
// Type is the type of the Keyset (PKI keypair, or secret token)
|
// Type is the type of the Keyset (PKI keypair, or secret token)
|
||||||
Type KeysetType `json:"type,omitempty"`
|
Type KeysetType `json:"type,omitempty"`
|
||||||
|
|
||||||
|
// PrimaryId is the id of the key used to mint new things.
|
||||||
|
PrimaryId string `json:"primaryId,omitempty"`
|
||||||
|
|
||||||
// Keys is the set of keys that make up the keyset
|
// Keys is the set of keys that make up the keyset
|
||||||
Keys []KeysetItem `json:"keys,omitempty"`
|
Keys []KeysetItem `json:"keys,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,7 @@ type Keystore interface {
|
||||||
// task to convert a Legacy Keypair to the new Keypair API format.
|
// task to convert a Legacy Keypair to the new Keypair API format.
|
||||||
FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error)
|
FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error)
|
||||||
|
|
||||||
// StoreKeypair writes the keypair to the store
|
// StoreKeypair writes the keypair to the store, making it the primary.
|
||||||
StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error
|
StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error
|
||||||
|
|
||||||
// MirrorTo will copy secrets to a vfs.Path, which is often easier for a machine to read
|
// MirrorTo will copy secrets to a vfs.Path, which is often easier for a machine to read
|
||||||
|
|
|
||||||
|
|
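Review bot: The revised comment `// StoreKeypair writes the keypair to the store, making it the primary.` should state that the promotion is unconditional — it applies even when id orders below the ids already present, overriding the highest-id fallback readers otherwise use. Consider `// StoreKeypair writes the keypair to the store and makes it the primary, regardless of how its id orders against the keys already stored.`. The Keystore interface continues outside this hunk.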
@ -110,7 +110,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
|
||||||
keyset.items[key.Id] = ki
|
keyset.items[key.Id] = ki
|
||||||
}
|
}
|
||||||
|
|
||||||
keyset.primary = keyset.findPrimary()
|
keyset.primary = keyset.items[FindPrimary(o).Id]
|
||||||
|
|
||||||
return keyset, nil
|
return keyset, nil
|
||||||
}
|
}
|
||||||
|
|
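Review bot: `keyset.primary = keyset.items[FindPrimary(o).Id]` dereferences the result without a nil check; the removed findPrimary was nil-safe at this call site, whereas FindPrimary returns nil when Spec.Keys is empty or no entry has an integer Id, so parseKeyset would now panic on such a Keyset. Guard it: `if primary := FindPrimary(o); primary != nil {` / `keyset.primary = keyset.items[primary.Id]` / `}`. The start of parseKeyset lies outside the hunk.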
@ -132,30 +132,13 @@ func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*keyset
|
||||||
return keyset, nil
|
return keyset, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// findPrimary returns the primary keysetItem in the keyset
|
|
||||||
func (k *keyset) findPrimary() *keysetItem {
|
|
||||||
var primary *keysetItem
|
|
||||||
var primaryVersion *big.Int
|
|
||||||
|
|
||||||
for _, item := range k.items {
|
|
||||||
version, ok := big.NewInt(0).SetString(item.id, 10)
|
|
||||||
if !ok {
|
|
||||||
klog.Warningf("Ignoring key item with non-integer version: %q", item.id)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
|
|
||||||
primary = item
|
|
||||||
primaryVersion = version
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return primary
|
|
||||||
}
|
|
||||||
|
|
||||||
// FindPrimary returns the primary KeysetItem in the Keyset
|
// FindPrimary returns the primary KeysetItem in the Keyset
|
||||||
func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
|
func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
|
||||||
var primary *kops.KeysetItem
|
var primary *kops.KeysetItem
|
||||||
var primaryVersion *big.Int
|
var primaryVersion *big.Int
|
||||||
|
|
||||||
|
primaryId := keyset.Spec.PrimaryId
|
||||||
|
|
||||||
for i := range keyset.Spec.Keys {
|
for i := range keyset.Spec.Keys {
|
||||||
item := &keyset.Spec.Keys[i]
|
item := &keyset.Spec.Keys[i]
|
||||||
version, ok := big.NewInt(0).SetString(item.Id, 10)
|
version, ok := big.NewInt(0).SetString(item.Id, 10)
|
||||||
|
|
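Review bot: `// FindPrimary returns the primary KeysetItem in the Keyset` no longer describes the selection rule now that the function reads `keyset.Spec.PrimaryId`; a reader cannot tell from the comment that the explicit id takes precedence over the highest-version scan, or that nil is returned when no key qualifies. Suggest `// FindPrimary returns the item named by Spec.PrimaryId when one exists, otherwise the item with the highest integer Id; it returns nil when no item has an integer Id.`. The body of FindPrimary continues in the next hunk.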
@ -164,6 +147,10 @@ func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if item.Id == primaryId {
|
||||||
|
return item
|
||||||
|
}
|
||||||
|
|
||||||
if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
|
if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
|
||||||
primary = item
|
primary = item
|
||||||
primaryVersion = version
|
primaryVersion = version
|
||||||
|
|
|
||||||
|
|
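Review bot: The new `if item.Id == primaryId` check sits after the `continue` taken when `item.Id` does not parse as an integer, so a PrimaryId that names a key with a non-integer id is silently skipped and the highest integer id wins instead. If PrimaryId is meant to be authoritative, move the comparison ahead of the `big.NewInt(0).SetString(item.Id, 10)` parse, and consider a warning when `primaryId` is non-empty but matched no item, since a silent fallback changes which key signs. The loop's end and the final return are outside this hunk.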
@ -162,6 +162,9 @@ func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops
|
||||||
|
|
||||||
o.Spec.Keys = append(o.Spec.Keys, oki)
|
o.Spec.Keys = append(o.Spec.Keys, oki)
|
||||||
}
|
}
|
||||||
|
if k.primary != nil {
|
||||||
|
o.Spec.PrimaryId = k.primary.id
|
||||||
|
}
|
||||||
return o, nil
|
return o, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -660,6 +663,7 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
|
||||||
ks.items = make(map[string]*keysetItem)
|
ks.items = make(map[string]*keysetItem)
|
||||||
}
|
}
|
||||||
ks.items[ki.id] = ki
|
ks.items[ki.id] = ki
|
||||||
|
ks.primary = ki
|
||||||
|
|
||||||
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
|
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
|
||||||
return fmt.Errorf("error writing bundle: %v", err)
|
return fmt.Errorf("error writing bundle: %v", err)
|
||||||
|
|
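Review bot: `ks.primary = ki` promotes whatever key is being stored unconditionally, and the identical line in `@ -703,6 +707,7 @@` (storeCertificate) does the same, so re-storing an older key, or writing a certificate whose private key is not written alongside it, makes that key the one the bundle advertises for minting new material. If that is intended, say so at the assignment, e.g. `// Storing a key always makes it the primary; see Keystore.StoreKeypair.`; otherwise the promotion needs to follow the caller's intent. Whether storePrivateKey and storeCertificate are always called as a pair for the same ki is not visible here.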
@ -703,6 +707,7 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
|
||||||
ks.items = make(map[string]*keysetItem)
|
ks.items = make(map[string]*keysetItem)
|
||||||
}
|
}
|
||||||
ks.items[ki.id] = ki
|
ks.items[ki.id] = ki
|
||||||
|
ks.primary = ki
|
||||||
|
|
||||||
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
|
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
|
||||||
return fmt.Errorf("error writing bundle: %v", err)
|
return fmt.Errorf("error writing bundle: %v", err)
|
||||||
|
|
@ -748,6 +753,9 @@ func (c *VFSCAStore) deletePrivateKey(name string, id string) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
delete(ks.items, id)
|
delete(ks.items, id)
|
||||||
|
if ks.primary != nil && ks.primary.id == id {
|
||||||
|
ks.primary = nil
|
||||||
|
}
|
||||||
|
|
||||||
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
|
if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
|
||||||
return false, fmt.Errorf("error writing bundle: %v", err)
|
return false, fmt.Errorf("error writing bundle: %v", err)
|
||||||
|
|
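Review bot: Clearing `ks.primary` when the deleted id was the primary leaves the written bundle without a PrimaryId, so readers will pick the highest remaining integer id through FindPrimary — a change of signing key that happens implicitly and without any record; the same applies to `@ -778,6 +786,9 @@` (deleteCertificate). At minimum note the intent next to the assignment, e.g. `// The deleted key was primary; readers fall back to the highest remaining id (see FindPrimary).`, and if this file already logs through klog, a warning naming name and id here would make an unexpected rotation visible. deletePrivateKey starts outside this hunk.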
@ -778,6 +786,9 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
delete(ks.items, id)
|
delete(ks.items, id)
|
||||||
|
if ks.primary != nil && ks.primary.id == id {
|
||||||
|
ks.primary = nil
|
||||||
|
}
|
||||||
|
|
||||||
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
|
if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
|
||||||
return false, fmt.Errorf("error writing bundle: %v", err)
|
return false, fmt.Errorf("error writing bundle: %v", err)
|
||||||
|
|
|
||||||