From 5cc5a936f9c7c685f89fdad466326d3718349d28 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sun, 12 Nov 2017 18:36:11 -0500
Subject: [PATCH] Force nodeup to use the bundle

We disable fallback entirely for nodeup, so we can still share code, but won't accidentally be using the wrong code path.
---
 cmd/kops/util/factory.go | 5 ++++-
 examples/kops-api-example/apply.go | 3 ++-
 examples/kops-api-example/up.go | 3 ++-
 pkg/client/simple/vfsclientset/clientset.go | 10 ++++++----
 upup/pkg/fi/cloudup/populatecluster_test.go | 2 +-
 upup/pkg/fi/nodeup/command.go | 2 +-
 upup/pkg/fi/vfs_castore.go | 21 ++++++++++++++++-----
 7 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/cmd/kops/util/factory.go b/cmd/kops/util/factory.go
index 43cb7ccbc2..2b933f9cae 100644
--- a/cmd/kops/util/factory.go
+++ b/cmd/kops/util/factory.go
@@ -108,7 +108,10 @@ func (f *Factory) Clientset() (simple.Clientset, error) {
 return nil, field.Invalid(field.NewPath("State Store"), registryPath, INVALID_STATE_ERROR)
 }
- f.clientset = vfsclientset.NewVFSClientset(basePath)
+ // For kops CLI / controller, we do allow vfs list (unlike nodeup!)
+ allowVFSList := true
+
+ f.clientset = vfsclientset.NewVFSClientset(basePath, allowVFSList)
 }
 }
diff --git a/examples/kops-api-example/apply.go b/examples/kops-api-example/apply.go
index 44dd89ee9c..ce68332ec9 100644
--- a/examples/kops-api-example/apply.go
+++ b/examples/kops-api-example/apply.go
@@ -22,7 +22,8 @@ import (
 )
 func apply() error {
- clientset := vfsclientset.NewVFSClientset(registryBase)
+ allowList := true
+ clientset := vfsclientset.NewVFSClientset(registryBase, allowList)
 cluster, err := clientset.GetCluster(clusterName)
 if err != nil {
diff --git a/examples/kops-api-example/up.go b/examples/kops-api-example/up.go
index 4743aa1d5b..8d5348c2dc 100644
--- a/examples/kops-api-example/up.go
+++ b/examples/kops-api-example/up.go
@@ -28,7 +28,8 @@ import (
 )
 func up() error {
- clientset := vfsclientset.NewVFSClientset(registryBase)
+ allowList := true
+ clientset := vfsclientset.NewVFSClientset(registryBase, allowList)
 cluster := &api.Cluster{}
 cluster.ObjectMeta.Name = clusterName
diff --git a/pkg/client/simple/vfsclientset/clientset.go b/pkg/client/simple/vfsclientset/clientset.go
index 3c3e359831..c5da07fb50 100644
--- a/pkg/client/simple/vfsclientset/clientset.go
+++ b/pkg/client/simple/vfsclientset/clientset.go
@@ -31,7 +31,8 @@ import (
 )
 type VFSClientset struct {
- basePath vfs.Path
+ basePath vfs.Path
+ allowList bool
 }
 var _ simple.Clientset = &VFSClientset{}
@@ -107,7 +108,7 @@ func (c *VFSClientset) KeyStore(cluster *kops.Cluster) (fi.CAStore, error) {
 return nil, err
 }
 basedir := configBase.Join("pki")
- return fi.NewVFSCAStore(cluster, basedir), nil
+ return fi.NewVFSCAStore(cluster, basedir, c.allowList), nil
 }
 func (c *VFSClientset) SSHCredentialStore(cluster *kops.Cluster) (fi.SSHCredentialStore, error) {
@@ -168,9 +169,10 @@ func (c *VFSClientset) DeleteCluster(cluster *kops.Cluster) error {
 return DeleteAllClusterState(configBase)
 }
-func NewVFSClientset(basePath vfs.Path) simple.Clientset {
+func NewVFSClientset(basePath vfs.Path, allowList bool) simple.Clientset {
 vfsClientset := &VFSClientset{
- basePath: basePath,
+ basePath: basePath,
+ allowList: allowList,
 }
 return vfsClientset
 }
diff --git a/upup/pkg/fi/cloudup/populatecluster_test.go b/upup/pkg/fi/cloudup/populatecluster_test.go
index 39bcbe864b..c477864e2e 100644
--- a/upup/pkg/fi/cloudup/populatecluster_test.go
+++ b/upup/pkg/fi/cloudup/populatecluster_test.go
@@ -109,7 +109,7 @@ func mockedPopulateClusterSpec(c *api.Cluster) (*api.Cluster, error) {
 if err != nil {
 return nil, fmt.Errorf("error building vfspath: %v", err)
 }
- clientset := vfsclientset.NewVFSClientset(basePath)
+ clientset := vfsclientset.NewVFSClientset(basePath, true)
 return PopulateClusterSpec(clientset, c, assetBuilder)
 }
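Review bot: NewVFSClientset now takes a bare bool on an exported constructor with no doc comment, so call sites read as `NewVFSClientset(basePath, true)` (as in the populatecluster_test.go hunk) with nothing saying what `true` grants. The only thing the parameter does in this file is flow into `fi.NewVFSCAStore(cluster, basedir, c.allowList)` in KeyStore, so the contract is small enough to state on the constructor: `// NewVFSClientset returns a Clientset backed by the VFS state store at basePath. allowList controls whether the key store may fall back to listing the store's pki directories when a keyset.yaml bundle is absent or unreadable; nodeup passes false.` The `allowList bool` field in the VFSClientset struct hunk deserves the same one-line comment. The signature change also breaks any out-of-tree callers of NewVFSClientset, which the commit message does not mention.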
diff --git a/upup/pkg/fi/nodeup/command.go b/upup/pkg/fi/nodeup/command.go
index d3e147fb62..0d5311a674 100644
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
@@ -203,7 +203,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 return fmt.Errorf("error building key store path: %v", err)
 }
- modelContext.KeyStore = fi.NewVFSCAStore(c.cluster, p)
+ modelContext.KeyStore = fi.NewVFSCAStore(c.cluster, p, false)
 } else {
 return fmt.Errorf("KeyStore not set")
 }
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index 9af4aba21e..dbfba36a26 100644
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@@ -41,8 +41,9 @@ import (
 )
 type VFSCAStore struct {
- basedir vfs.Path
- cluster *kops.Cluster
+ basedir vfs.Path
+ cluster *kops.Cluster
+ allowList bool
 mutex sync.Mutex
 cachedCAs map[string]*cachedEntry
@@ -56,11 +57,12 @@ type cachedEntry struct {
 var _ CAStore = &VFSCAStore{}
 var _ SSHCredentialStore = &VFSCAStore{}
-func NewVFSCAStore(cluster *kops.Cluster, basedir vfs.Path) CAStore {
+func NewVFSCAStore(cluster *kops.Cluster, basedir vfs.Path, allowList bool) CAStore {
 c := &VFSCAStore{
 basedir: basedir,
 cluster: cluster,
 cachedCAs: make(map[string]*cachedEntry),
+ allowList: allowList,
 }
 return c
@@ -314,10 +316,14 @@ func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, erro
 if useBundle {
 bundlePath := p.Join("keyset.yaml")
 bundle, err := c.loadKeysetBundle(bundlePath)
+ if !c.allowList {
+ return bundle, err
+ }
+
 if err != nil {
 glog.Warningf("unable to read bundle %q, falling back to directory-list method: %v", bundlePath, err)
 } else if bundle == nil {
- glog.Infof("no certificate bundle %q, falling back to directory-list method", bundlePath)
+ glog.V(2).Infof("no certificate bundle %q, falling back to directory-list method", bundlePath)
 } else {
 return bundle, nil
 }
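Review bot: The nodeup call site passes a bare `false` to `fi.NewVFSCAStore(c.cluster, p, false)`, while the factory.go hunk in the same commit names the same flag (`allowVFSList := true`) and explains it; this is the one place where the policy the commit message describes is actually set, and it is the least readable. Name it and record the reason next to it: `// nodeup must read keysets only from the keyset.yaml bundle and never fall back to listing the state store.`, `const allowVFSList = false`, `modelContext.KeyStore = fi.NewVFSCAStore(c.cluster, p, allowVFSList)`. If the intent is also that nodes never need enumerate permission on the state store (the commit message only says "wrong code path"), that is worth saying in the comment so nobody flips it back for convenience. The enclosing Run body begins and ends outside this hunk.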
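Review bot: The new `allowList bool` field on VFSCAStore is undocumented, and nothing in the struct hunk says which operations it gates; a reader has to find the two `if !c.allowList` checks further down the file. Suggested field comment: `// allowList permits falling back to listing the state store directory when keyset.yaml is missing or unreadable; nodeup sets it to false so it only ever reads the bundle.` The struct definition continues outside the hunk.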
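Review bot: NewVFSCAStore is exported and, per the context lines, has no doc comment, yet its new parameter changes what errors callers see (with allowList false a bundle read failure is returned instead of being downgraded to a warning in loadCertificates). Add a doc comment above the func: `// NewVFSCAStore returns a CAStore rooted at basedir. When allowList is false the store reads keysets only from keyset.yaml bundles and never enumerates directories in the state store; a missing or unreadable bundle is then returned to the caller rather than triggering a listing fallback.` The constructor body ends outside the hunk.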
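Review bot: The `if !c.allowList { return bundle, err }` guard sits inside `if useBundle`, so a caller that passes `useBundle=false` still reaches the directory-list path below the hunk even when listing is supposed to be disabled; if no caller does that today the flag is still only enforced by convention. Making the store's setting win is a one-line change, `if useBundle || !c.allowList {`, which also makes the "bundle only" promise hold regardless of the caller. Separately, with allowList false and no keyset.yaml the function now returns `nil, nil` with no log at all, whereas the allowList path still emits the V(2) "falling back" message; a `glog.V(2).Infof("no certificate bundle %q and directory listing is disabled", bundlePath)` before the early return when `err == nil && bundle == nil` would keep nodeup's missing-bundle case diagnosable. The directory-list remainder of loadCertificates is outside the hunk.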
@@ -647,10 +653,15 @@ func (c *VFSCAStore) loadPrivateKeys(p vfs.Path, useBundle bool) (*keyset, error
 if useBundle {
 bundlePath := p.Join("keyset.yaml")
 bundle, err := c.loadKeysetBundle(bundlePath)
+
+ if !c.allowList {
+ return bundle, err
+ }
+
 if err != nil {
 glog.Warningf("unable to read bundle %q, falling back to directory-list method: %v", bundlePath, err)
 } else if bundle == nil {
- glog.V(2).Infof("no certificate bundle %q, falling back to directory-list method", bundlePath)
+ glog.V(2).Infof("no private key bundle %q, falling back to directory-list method", bundlePath)
 } else {
 return bundle, nil
 }
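Review bot: After this hunk the bundle-or-fallback preamble in loadPrivateKeys is a verbatim copy of the one in loadCertificates (same `bundlePath`, same `allowList` early return, same warn/V(2)/return ladder), differing only in the word in one log message; the two already drifted once (this hunk fixes "certificate" to "private key"), and the allowList guard had to be added in two places. Pulling the preamble into one helper keeps the security-relevant decision — whether the store may ever fall back to listing — in a single spot, so a future change cannot re-enable listing for one keyset kind but not the other. The helper below preserves the current behaviour exactly (with allowList false the possibly-nil bundle and err are returned as-is; otherwise a read error or missing bundle logs and falls through); the directory-list remainder of loadPrivateKeys is outside the hunk and unchanged.
```go
// loadBundle reads p/keyset.yaml. done reports whether the caller should return
// immediately: true when a bundle was found, or when directory listing is
// disabled (then bundle may be nil and err is whatever loadKeysetBundle returned).
func (c *VFSCAStore) loadBundle(p vfs.Path, kind string) (bundle *keyset, done bool, err error) {
	bundlePath := p.Join("keyset.yaml")
	bundle, err = c.loadKeysetBundle(bundlePath)
	if !c.allowList {
		return bundle, true, err
	}
	if err != nil {
		glog.Warningf("unable to read bundle %q, falling back to directory-list method: %v", bundlePath, err)
		return nil, false, nil
	}
	if bundle == nil {
		glog.V(2).Infof("no %s bundle %q, falling back to directory-list method", kind, bundlePath)
		return nil, false, nil
	}
	return bundle, true, nil
}

// in loadPrivateKeys (loadCertificates is identical with "certificate"):
	if useBundle {
		if bundle, done, err := c.loadBundle(p, "private key"); done {
			return bundle, err
		}
	}
	// … unchanged: directory-list method …
```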