kubeadm: improve the error messages when validating discovery CA hash

The error messages when the user feeds an invalid discovery token CA hash are vague. Make sure to: - Print the list of supported hash formats (currently only "sha256"). - Wrap the error from pubKeyPins.Allow() with a descriptive message.
2025-07-23 11:50:44 +00:00 · 2020-12-14 20:13:36 +02:00 · 2020-12-14 20:13:36 +02:00 · 429b7e2272
commit 429b7e2272
parent ac101cbdda
2 changed files with 10 additions and 4 deletions
--- a/cmd/kubeadm/app/discovery/token/token.go
+++ b/cmd/kubeadm/app/discovery/token/token.go
@ -62,7 +62,7 @@ func retrieveValidatedConfigInfo(client clientset.Interface, cfg *kubeadmapi.Dis
 	// Load the CACertHashes into a pubkeypin.Set
 	pubKeyPins := pubkeypin.NewSet()
 	if err = pubKeyPins.Allow(cfg.BootstrapToken.CACertHashes...); err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "invalid discovery token CA certificate hash")
 	}

 	duration := cfg.Timeout.Duration
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
@ -32,6 +32,11 @@ const (
 	formatSHA256 = "sha256"
 )

+var (
+	// supportedFormats enumerates the supported formats
+	supportedFormats = strings.Join([]string{formatSHA256}, ", ")
+)
+
 // Set is a set of pinned x509 public keys.
 type Set struct {
 	sha256Hashes map[string]bool
@ -47,7 +52,8 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
 	for _, pubKeyHash := range pubKeyHashes {
 		parts := strings.Split(pubKeyHash, ":")
 		if len(parts) != 2 {
-			return errors.New("invalid public key hash, expected \"format:value\"")
+			return errors.Errorf("invalid hash, expected \"format:hex-value\". "+
+				"Known format(s) are: %s", supportedFormats)
 		}
 		format, value := parts[0], parts[1]

@ -55,7 +61,7 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
 		case "sha256":
 			return s.allowSHA256(value)
 		default:
-			return errors.Errorf("unknown hash format %q", format)
+			return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
 		}
 	}
 	return nil
@ -99,7 +105,7 @@ func (s *Set) allowSHA256(hash string) error {
 	// validate that the hash is valid hex
 	_, err := hex.DecodeString(hash)
 	if err != nil {
-		return err
+		return errors.Wrap(err, "could not decode SHA-256 from hex")
 	}

 	// in the end, just store the original hex string in memory (in lowercase)