Rename the service account key

John Gardiner Myers 2020-07-12 16:23:19 -07:00
parent d95cf44cd9
commit fdc61b4bdb
5 changed files with 13 additions and 6 deletions


@ -283,7 +283,7 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
"kube-controller-manager": mustParsePrivateKey(dummyKey), "kube-controller-manager": mustParsePrivateKey(dummyKey),
"kube-proxy": mustParsePrivateKey(dummyKey), "kube-proxy": mustParsePrivateKey(dummyKey),
"kube-scheduler": mustParsePrivateKey(dummyKey), "kube-scheduler": mustParsePrivateKey(dummyKey),
"master": mustParsePrivateKey(dummyKey), "service-account": mustParsePrivateKey(dummyKey),
} }
keystore.certs = map[string]*pki.Certificate{ keystore.certs = map[string]*pki.Certificate{
"ca": mustParseCertificate(dummyCertificate), "ca": mustParseCertificate(dummyCertificate),


@ -146,7 +146,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
} }
} }
if err := b.BuildPrivateKeyTask(c, "master", "service-account.key", nil); err != nil { if err := b.BuildPrivateKeyTask(c, "service-account", "service-account.key", nil); err != nil {
return err return err
} }


@ -70,9 +70,9 @@ func (b *OIDCProviderBuilder) Build(c *fi.ModelBuilderContext) error {
return err return err
} }
signingKeyTaskObject, found := c.Tasks["Keypair/master"] signingKeyTaskObject, found := c.Tasks["Keypair/service-account"]
if !found { if !found {
return fmt.Errorf("keypair/master task not found") return fmt.Errorf("keypair/service-account task not found")
} }
fingerprints := getFingerprints() fingerprints := getFingerprints()


@ -152,8 +152,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
{ {
serviceAccount := &fitasks.Keypair{ serviceAccount := &fitasks.Keypair{
// We only need the private key, but it's easier to create a certificate as well. // We only need the private key, but it's easier to create a certificate as well.
// The strange name is because Kops prior to 1.19 used the api-server TLS key for this. Name: fi.String("service-account"),
Name: fi.String("master"),
Lifecycle: b.Lifecycle, Lifecycle: b.Lifecycle,
Subject: "cn=service-account", Subject: "cn=service-account",
Type: "ca", Type: "ca",


@ -256,6 +256,14 @@ func (c *VFSCAStore) loadOneCertificate(p vfs.Path) (*pki.Certificate, error) {
func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, bool, error) { func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
cert, legacyFormat, err := c.findCert(id) cert, legacyFormat, err := c.findCert(id)
if os.IsNotExist(err) && id == "service-account" {
// The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
id = "master"
cert, _, err = c.findCert(id)
legacyFormat = true
}
if err != nil { if err != nil {
return nil, nil, false, err return nil, nil, false, err
} }
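Review bot: The legacy fallback in FindKeypair only runs when `findCert` returns an error that `os.IsNotExist` recognises directly; `findCert` is not visible in this hunk, so if it wraps the underlying error, or reports a missing keyset as a nil certificate with a nil error, a cluster created before the rename would never reach the `master` lookup. `if errors.Is(err, os.ErrNotExist) && id == "service-account" {` handles the wrapped case, and the nil-certificate case is worth confirming against `findCert`. The branch also forces `legacyFormat = true` and discards the value returned by the second `findCert` call without saying why; a short comment such as `// Report as legacy so callers know the keypair is still stored under the old name.` would help, if that is the intent. Because the fallback means service-account tokens are still signed with the key that, per the comment, was the api-server TLS key, logging when this branch is taken would let operators see which clusters still share that key. The function body continues past the end of the hunk, where the reassigned `id` presumably drives the private-key lookup.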