kubeadm: improve the error messages when validating discovery CA hash

The error messages when the user feeds an invalid discovery token CA
hash are vague. Make sure to:
- Print the list of supported hash formats (currently only "sha256").
- Wrap the error from pubKeyPins.Allow() with a descriptive message.
This commit is contained in:
Lubomir I. Ivanov 2020-12-14 20:13:36 +02:00
parent ac101cbdda
commit 429b7e2272
2 changed files with 10 additions and 4 deletions


@ -62,7 +62,7 @@ func retrieveValidatedConfigInfo(client clientset.Interface, cfg *kubeadmapi.Dis
// Load the CACertHashes into a pubkeypin.Set // Load the CACertHashes into a pubkeypin.Set
pubKeyPins := pubkeypin.NewSet() pubKeyPins := pubkeypin.NewSet()
if err = pubKeyPins.Allow(cfg.BootstrapToken.CACertHashes...); err != nil { if err = pubKeyPins.Allow(cfg.BootstrapToken.CACertHashes...); err != nil {
return nil, err return nil, errors.Wrap(err, "invalid discovery token CA certificate hash")
} }
duration := cfg.Timeout.Duration duration := cfg.Timeout.Duration


@ -32,6 +32,11 @@ const (
formatSHA256 = "sha256" formatSHA256 = "sha256"
) )
var (
// supportedFormats enumerates the supported formats
supportedFormats = strings.Join([]string{formatSHA256}, ", ")
)
// Set is a set of pinned x509 public keys. // Set is a set of pinned x509 public keys.
type Set struct { type Set struct {
sha256Hashes map[string]bool sha256Hashes map[string]bool
@ -47,7 +52,8 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
for _, pubKeyHash := range pubKeyHashes { for _, pubKeyHash := range pubKeyHashes {
parts := strings.Split(pubKeyHash, ":") parts := strings.Split(pubKeyHash, ":")
if len(parts) != 2 { if len(parts) != 2 {
return errors.New("invalid public key hash, expected \"format:value\"") return errors.Errorf("invalid hash, expected \"format:hex-value\". "+
"Known format(s) are: %s", supportedFormats)
} }
format, value := parts[0], parts[1] format, value := parts[0], parts[1]
@ -55,7 +61,7 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
case "sha256": case "sha256":
return s.allowSHA256(value) return s.allowSHA256(value)
default: default:
return errors.Errorf("unknown hash format %q", format) return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
} }
} }
return nil return nil
@ -99,7 +105,7 @@ func (s *Set) allowSHA256(hash string) error {
// validate that the hash is valid hex // validate that the hash is valid hex
_, err := hex.DecodeString(hash) _, err := hex.DecodeString(hash)
if err != nil { if err != nil {
return err return errors.Wrap(err, "could not decode SHA-256 from hex")
} }
// in the end, just store the original hex string in memory (in lowercase) // in the end, just store the original hex string in memory (in lowercase)
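Review bot: The decoded bytes from hex.DecodeString are discarded (`_, err :=`), so a well-formed hex string of the wrong length still passes allowSHA256 and the misconfiguration only surfaces later as a pin that never matches any certificate; allowSHA256 continues outside the hunk, so if no length check exists further down, keep the decoded value and reject wrong sizes at parse time, e.g. `decoded, err := hex.DecodeString(hash)` followed by `if len(decoded) != sha256.Size { return errors.Errorf("SHA-256 hash must be %d bytes, got %d", sha256.Size, len(decoded)) }` (crypto/sha256 would need to be imported if it is not already; the literal 32 works otherwise). This turns an invalid --discovery-token-ca-cert-hash value into an immediate, descriptive error, which is the stated goal of the commit. The same wrapped error could also quote the offending input with %q so the user knows which of several hashes failed.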