diff --git a/pkg/apis/certificates/helpers.go b/pkg/apis/certificates/helpers.go index b50317df27c..9a92e67a459 100644 --- a/pkg/apis/certificates/helpers.go +++ b/pkg/apis/certificates/helpers.go @@ -62,10 +62,10 @@ var ( ) ) -func IsKubeletServingCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) bool { - return ValidateKubeletServingCSR(req, usages, allowOmittingUsageKeyEncipherment) == nil +func IsKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) bool { + return ValidateKubeletServingCSR(req, usages) == nil } -func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) error { +func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) error { if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) { return organizationNotSystemNodesErr } @@ -82,14 +82,8 @@ func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String, return uriSANNotAllowedErr } - if allowOmittingUsageKeyEncipherment { - if !kubeletServingRequiredUsages.Equal(usages) && !kubeletServingRequiredUsagesNoRSA.Equal(usages) { - return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List()) - } - } else { - if !kubeletServingRequiredUsages.Equal(usages) { - return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List()) - } + if !kubeletServingRequiredUsages.Equal(usages) && !kubeletServingRequiredUsagesNoRSA.Equal(usages) { + return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List()) } if !strings.HasPrefix(req.Subject.CommonName, "system:node:") { @@ -111,10 +105,10 @@ var ( ) ) -func IsKubeletClientCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) bool { - return ValidateKubeletClientCSR(req, usages, allowOmittingUsageKeyEncipherment) == nil +func IsKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) bool { + return ValidateKubeletClientCSR(req, usages) == nil } -func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String, allowOmittingUsageKeyEncipherment bool) error { +func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) error { if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) { return organizationNotSystemNodesErr } @@ -136,14 +130,8 @@ func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String, return commonNameNotSystemNode } - if allowOmittingUsageKeyEncipherment { - if !kubeletClientRequiredUsages.Equal(usages) && !kubeletClientRequiredUsagesNoRSA.Equal(usages) { - return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List()) - } - } else { - if !kubeletClientRequiredUsages.Equal(usages) { - return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List()) - } + if !kubeletClientRequiredUsages.Equal(usages) && !kubeletClientRequiredUsagesNoRSA.Equal(usages) { + return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List()) } return nil diff --git a/pkg/apis/certificates/v1beta1/defaults.go b/pkg/apis/certificates/v1beta1/defaults.go index 4781c8f341b..14133d9df2a 100644 --- a/pkg/apis/certificates/v1beta1/defaults.go +++ b/pkg/apis/certificates/v1beta1/defaults.go @@ -56,27 +56,27 @@ func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningReques // Set the signerName to 'legacy-unknown' as the CSR could not be // recognised. return certificatesv1beta1.LegacyUnknownSignerName - case IsKubeletClientCSR(csr, obj.Usages, false): + case IsKubeletClientCSR(csr, obj.Usages): return certificatesv1beta1.KubeAPIServerClientKubeletSignerName - case IsKubeletServingCSR(csr, obj.Usages, false): + case IsKubeletServingCSR(csr, obj.Usages): return certificatesv1beta1.KubeletServingSignerName default: return certificatesv1beta1.LegacyUnknownSignerName } } -func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) bool { - return certificates.IsKubeletServingCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment) +func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool { + return certificates.IsKubeletServingCSR(req, usagesToSet(usages)) } -func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) error { - return certificates.ValidateKubeletServingCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment) +func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error { + return certificates.ValidateKubeletServingCSR(req, usagesToSet(usages)) } -func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) bool { - return certificates.IsKubeletClientCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment) +func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool { + return certificates.IsKubeletClientCSR(req, usagesToSet(usages)) } -func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage, allowOmittingUsageKeyEncipherment bool) error { - return certificates.ValidateKubeletClientCSR(req, usagesToSet(usages), allowOmittingUsageKeyEncipherment) +func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) error { + return certificates.ValidateKubeletClientCSR(req, usagesToSet(usages)) } func usagesToSet(usages []certificatesv1beta1.KeyUsage) sets.String { diff --git a/pkg/apis/certificates/v1beta1/defaults_test.go b/pkg/apis/certificates/v1beta1/defaults_test.go index 82e2599fbbb..e059b5a037f 100644 --- a/pkg/apis/certificates/v1beta1/defaults_test.go +++ b/pkg/apis/certificates/v1beta1/defaults_test.go @@ -40,27 +40,19 @@ func TestIsKubeletServingCSR(t *testing.T) { return csr } tests := map[string]struct { - req *x509.CertificateRequest - usages []capi.KeyUsage - allowOmittingUsageKeyEncipherment bool - exp bool + req *x509.CertificateRequest + usages []capi.KeyUsage + exp bool }{ "defaults for kubelet-serving": { req: newCSR(kubeletServerPEMOptions), usages: kubeletServerUsages, exp: true, }, - "defaults without key encipherment for kubelet-serving if allow omitting key encipherment": { - req: newCSR(kubeletServerPEMOptions), - usages: kubeletServerUsagesNoRSA, - allowOmittingUsageKeyEncipherment: true, - exp: true, - }, - "defaults for kubelet-serving if allow omitting key encipherment": { - req: newCSR(kubeletServerPEMOptions), - usages: kubeletServerUsages, - allowOmittingUsageKeyEncipherment: true, - exp: true, + "defaults without key encipherment for kubelet-serving": { + req: newCSR(kubeletServerPEMOptions), + usages: kubeletServerUsagesNoRSA, + exp: true, }, "does not default to kube-apiserver-client-kubelet if org is not 'system:nodes'": { req: newCSR(kubeletServerPEMOptions, pemOptions{org: "not-system:nodes"}), @@ -82,17 +74,6 @@ func TestIsKubeletServingCSR(t *testing.T) { usages: kubeletServerUsages[1:], exp: false, }, - "does not default to kubelet-serving if it is missing an expected usage if allow omitting key encipherment": { - req: newCSR(kubeletServerPEMOptions), - usages: kubeletServerUsagesNoRSA[1:], - allowOmittingUsageKeyEncipherment: true, - exp: false, - }, - "does not default to kubelet-serving if it is missing an expected usage withou key encipherment": { - req: newCSR(kubeletServerPEMOptions), - usages: kubeletServerUsagesNoRSA, - exp: false, - }, "does not default to kubelet-serving if it does not specify any dnsNames or ipAddresses": { req: newCSR(kubeletServerPEMOptions, pemOptions{ipAddresses: []net.IP{}, dnsNames: []string{}}), usages: kubeletServerUsages[1:], @@ -111,7 +92,7 @@ func TestIsKubeletServingCSR(t *testing.T) { } for name, test := range tests { t.Run(name, func(t *testing.T) { - got := IsKubeletServingCSR(test.req, test.usages, test.allowOmittingUsageKeyEncipherment) + got := IsKubeletServingCSR(test.req, test.usages) if test.exp != got { t.Errorf("unexpected IsKubeletClientCSR output: exp=%v, got=%v", test.exp, got) } @@ -129,10 +110,9 @@ func TestIsKubeletClientCSR(t *testing.T) { return csr } tests := map[string]struct { - req *x509.CertificateRequest - usages []capi.KeyUsage - allowOmittingUsageKeyEncipherment bool - exp bool + req *x509.CertificateRequest + usages []capi.KeyUsage + exp bool }{ "defaults for kube-apiserver-client-kubelet": { req: newCSR(kubeletClientPEMOptions), @@ -180,27 +160,19 @@ func TestIsKubeletClientCSR(t *testing.T) { exp: false, }, "does not default to kube-apiserver-client-kubelet if it is missing an expected usage without key encipherment": { - req: newCSR(kubeletClientPEMOptions), - usages: kubeletClientUsagesNoRSA[1:], - allowOmittingUsageKeyEncipherment: true, - exp: false, - }, - "default to kube-apiserver-client-kubelet with key encipherment": { - req: newCSR(kubeletClientPEMOptions), - usages: kubeletClientUsages, - allowOmittingUsageKeyEncipherment: true, - exp: true, + req: newCSR(kubeletClientPEMOptions), + usages: kubeletClientUsagesNoRSA[1:], + exp: false, }, "default to kube-apiserver-client-kubelet without key encipherment": { - req: newCSR(kubeletClientPEMOptions), - usages: kubeletClientUsagesNoRSA, - allowOmittingUsageKeyEncipherment: true, - exp: true, + req: newCSR(kubeletClientPEMOptions), + usages: kubeletClientUsagesNoRSA, + exp: true, }, } for name, test := range tests { t.Run(name, func(t *testing.T) { - got := IsKubeletClientCSR(test.req, test.usages, test.allowOmittingUsageKeyEncipherment) + got := IsKubeletClientCSR(test.req, test.usages) if test.exp != got { t.Errorf("unexpected IsKubeletClientCSR output: exp=%v, got=%v", test.exp, got) } diff --git a/pkg/controller/certificates/approver/sarapprove.go b/pkg/controller/certificates/approver/sarapprove.go index 5b7750402b0..d739fc783b3 100644 --- a/pkg/controller/certificates/approver/sarapprove.go +++ b/pkg/controller/certificates/approver/sarapprove.go @@ -152,7 +152,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific if csr.Spec.SignerName != capi.KubeAPIServerClientKubeletSignerName { return false } - return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages), true) + return capihelper.IsKubeletClientCSR(x509cr, usagesToSet(csr.Spec.Usages)) } func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool { diff --git a/pkg/controller/certificates/signer/signer.go b/pkg/controller/certificates/signer/signer.go index c81445f84b2..588912801c8 100644 --- a/pkg/controller/certificates/signer/signer.go +++ b/pkg/controller/certificates/signer/signer.go @@ -248,14 +248,14 @@ func isKubeletServing(req *x509.CertificateRequest, usages []capi.KeyUsage, sign if signerName != capi.KubeletServingSignerName { return false, nil } - return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages), true) + return true, capihelper.ValidateKubeletServingCSR(req, usagesToSet(usages)) } func isKubeletClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) { if signerName != capi.KubeAPIServerClientKubeletSignerName { return false, nil } - return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages), true) + return true, capihelper.ValidateKubeletClientCSR(req, usagesToSet(usages)) } func isKubeAPIServerClient(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error) { diff --git a/pkg/kubelet/certificate/bootstrap/bootstrap.go b/pkg/kubelet/certificate/bootstrap/bootstrap.go index 0db0f1dc3f4..2caea4c24f3 100644 --- a/pkg/kubelet/certificate/bootstrap/bootstrap.go +++ b/pkg/kubelet/certificate/bootstrap/bootstrap.go @@ -19,6 +19,7 @@ package bootstrap import ( "context" "crypto" + "crypto/rsa" "crypto/sha512" "crypto/x509" "crypto/x509/pkix" @@ -329,9 +330,11 @@ func requestNodeCertificate(ctx context.Context, client clientset.Interface, pri usages := []certificatesv1.KeyUsage{ certificatesv1.UsageDigitalSignature, - certificatesv1.UsageKeyEncipherment, certificatesv1.UsageClientAuth, } + if _, ok := privateKey.(*rsa.PrivateKey); ok { + usages = append(usages, certificatesv1.UsageKeyEncipherment) + } // The Signer interface contains the Public() method to get the public key. signer, ok := privateKey.(crypto.Signer) diff --git a/pkg/kubelet/certificate/kubelet.go b/pkg/kubelet/certificate/kubelet.go index d2777755447..8293894acea 100644 --- a/pkg/kubelet/certificate/kubelet.go +++ b/pkg/kubelet/certificate/kubelet.go @@ -105,23 +105,10 @@ func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg } m, err := certificate.NewManager(&certificate.Config{ - ClientsetFn: clientsetFn, - GetTemplate: getTemplate, - SignerName: certificates.KubeletServingSignerName, - Usages: []certificates.KeyUsage{ - // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - // - // Digital signature allows the certificate to be used to verify - // digital signatures used during TLS negotiation. - certificates.UsageDigitalSignature, - // KeyEncipherment allows the cert/key pair to be used to encrypt - // keys, including the symmetric keys negotiated during TLS setup - // and used for data transfer. - certificates.UsageKeyEncipherment, - // ServerAuth allows the cert to be used by a TLS server to - // authenticate itself to a TLS client. - certificates.UsageServerAuth, - }, + ClientsetFn: clientsetFn, + GetTemplate: getTemplate, + SignerName: certificates.KubeletServingSignerName, + GetUsages: certificate.DefaultKubeletServingGetUsages, CertificateStore: certificateStore, CertificateRotation: certificateRotationAge, CertificateRenewFailure: certificateRenewFailure, @@ -230,22 +217,7 @@ func NewKubeletClientCertificateManager( }, }, SignerName: certificates.KubeAPIServerClientKubeletSignerName, - Usages: []certificates.KeyUsage{ - // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - // - // DigitalSignature allows the certificate to be used to verify - // digital signatures including signatures used during TLS - // negotiation. - certificates.UsageDigitalSignature, - // KeyEncipherment allows the cert/key pair to be used to encrypt - // keys, including the symmetric keys negotiated during TLS setup - // and used for data transfer.. - certificates.UsageKeyEncipherment, - // ClientAuth allows the cert to be used by a TLS client to - // authenticate itself to the TLS server. - certificates.UsageClientAuth, - }, - + GetUsages: certificate.DefaultKubeletClientGetUsages, // For backwards compatibility, the kubelet supports the ability to // provide a higher privileged certificate as initial data that will // then be rotated immediately. This code path is used by kubeadm on diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go index dee21cf3089..b4dcb0b8490 100644 --- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go +++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go @@ -21,9 +21,11 @@ import ( "crypto/ecdsa" "crypto/elliptic" cryptorand "crypto/rand" + "crypto/rsa" "crypto/tls" "crypto/x509" "encoding/pem" + "errors" "fmt" "reflect" "sync" @@ -32,7 +34,7 @@ import ( "k8s.io/klog/v2" certificates "k8s.io/api/certificates/v1" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" @@ -42,9 +44,76 @@ import ( "k8s.io/client-go/util/keyutil" ) -// certificateWaitTimeout controls the amount of time we wait for certificate -// approval in one iteration. -var certificateWaitTimeout = 15 * time.Minute +var ( + // certificateWaitTimeout controls the amount of time we wait for certificate + // approval in one iteration. + certificateWaitTimeout = 15 * time.Minute + + kubeletServingUsagesWithEncipherment = []certificates.KeyUsage{ + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + // + // Digital signature allows the certificate to be used to verify + // digital signatures used during TLS negotiation. + certificates.UsageDigitalSignature, + // KeyEncipherment allows the cert/key pair to be used to encrypt + // keys, including the symmetric keys negotiated during TLS setup + // and used for data transfer. + certificates.UsageKeyEncipherment, + // ServerAuth allows the cert to be used by a TLS server to + // authenticate itself to a TLS client. + certificates.UsageServerAuth, + } + kubeletServingUsagesNoEncipherment = []certificates.KeyUsage{ + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + // + // Digital signature allows the certificate to be used to verify + // digital signatures used during TLS negotiation. + certificates.UsageDigitalSignature, + // ServerAuth allows the cert to be used by a TLS server to + // authenticate itself to a TLS client. + certificates.UsageServerAuth, + } + DefaultKubeletServingGetUsages = func(privateKey interface{}) []certificates.KeyUsage { + switch privateKey.(type) { + case *rsa.PrivateKey: + return kubeletServingUsagesWithEncipherment + default: + return kubeletServingUsagesNoEncipherment + } + } + kubeletClientUsagesWithEncipherment = []certificates.KeyUsage{ + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + // + // Digital signature allows the certificate to be used to verify + // digital signatures used during TLS negotiation. + certificates.UsageDigitalSignature, + // KeyEncipherment allows the cert/key pair to be used to encrypt + // keys, including the symmetric keys negotiated during TLS setup + // and used for data transfer. + certificates.UsageKeyEncipherment, + // ClientAuth allows the cert to be used by a TLS client to + // authenticate itself to the TLS server. + certificates.UsageClientAuth, + } + kubeletClientUsagesNoEncipherment = []certificates.KeyUsage{ + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + // + // Digital signature allows the certificate to be used to verify + // digital signatures used during TLS negotiation. + certificates.UsageDigitalSignature, + // ClientAuth allows the cert to be used by a TLS client to + // authenticate itself to the TLS server. + certificates.UsageClientAuth, + } + DefaultKubeletClientGetUsages = func(privateKey interface{}) []certificates.KeyUsage { + switch privateKey.(type) { + case *rsa.PrivateKey: + return kubeletClientUsagesWithEncipherment + default: + return kubeletClientUsagesNoEncipherment + } + } +) // Manager maintains and updates the certificates in use by this certificate // manager. In the background it communicates with the API server to get new @@ -94,8 +163,12 @@ type Config struct { // the issued certificate is not guaranteed as the signer may choose to ignore the request. RequestedCertificateLifetime *time.Duration // Usages is the types of usages that certificates generated by the manager - // can be used for. + // can be used for. It is mutually exclusive with GetUsages. Usages []certificates.KeyUsage + // GetUsages is dynamic way to get the types of usages that certificates generated by the manager + // can be used for. If Usages is not nil, GetUsages has to be nil, vice versa. + // It is mutually exclusive with Usages. + GetUsages func(privateKey interface{}) []certificates.KeyUsage // CertificateStore is a persistent store where the current cert/key is // kept and future cert/key pairs will be persisted after they are // generated. @@ -192,7 +265,7 @@ type manager struct { dynamicTemplate bool signerName string requestedCertificateLifetime *time.Duration - usages []certificates.KeyUsage + getUsages func(privateKey interface{}) []certificates.KeyUsage forceRotation bool certStore Store @@ -235,6 +308,18 @@ func NewManager(config *Config) (Manager, error) { getTemplate = func() *x509.CertificateRequest { return config.Template } } + if config.GetUsages != nil && config.Usages != nil { + return nil, errors.New("cannot specify both GetUsages and Usages") + } + if config.GetUsages == nil && config.Usages == nil { + return nil, errors.New("either GetUsages or Usages should be specified") + } + var getUsages func(interface{}) []certificates.KeyUsage + if config.GetUsages != nil { + getUsages = config.GetUsages + } else { + getUsages = func(interface{}) []certificates.KeyUsage { return config.Usages } + } m := manager{ stopCh: make(chan struct{}), clientsetFn: config.ClientsetFn, @@ -242,7 +327,7 @@ func NewManager(config *Config) (Manager, error) { dynamicTemplate: config.GetTemplate != nil, signerName: config.SignerName, requestedCertificateLifetime: config.RequestedCertificateLifetime, - usages: config.Usages, + getUsages: getUsages, certStore: config.CertificateStore, cert: cert, forceRotation: forceRotation, @@ -256,8 +341,9 @@ func NewManager(config *Config) (Manager, error) { name = m.signerName } if len(name) == 0 { + usages := getUsages(nil) switch { - case hasKeyUsage(config.Usages, certificates.UsageClientAuth): + case hasKeyUsage(usages, certificates.UsageClientAuth): name = string(certificates.UsageClientAuth) default: name = "certificate" @@ -416,7 +502,7 @@ func getCurrentCertificateOrBootstrap( bootstrapCert.Leaf = certs[0] if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil { - utilruntime.HandleError(fmt.Errorf("Unable to set the cert/key pair to the bootstrap certificate: %v", err)) + utilruntime.HandleError(fmt.Errorf("unable to set the cert/key pair to the bootstrap certificate: %v", err)) } return &bootstrapCert, true, nil @@ -464,9 +550,14 @@ func (m *manager) rotateCerts() (bool, error) { return false, nil } + getUsages := m.getUsages + if m.getUsages == nil { + getUsages = DefaultKubeletClientGetUsages + } + usages := getUsages(privateKey) // Call the Certificate Signing Request API to get a certificate for the - // new private key. - reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey) + // new private key + reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, usages, privateKey) if err != nil { utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err)) if m.certificateRenewFailure != nil { @@ -622,17 +713,17 @@ func (m *manager) updateServerError(err error) error { m.certAccessLock.Lock() defer m.certAccessLock.Unlock() switch { - case errors.IsUnauthorized(err): + case apierrors.IsUnauthorized(err): // SSL terminating proxies may report this error instead of the master m.serverHealth = true - case errors.IsUnexpectedServerError(err): + case apierrors.IsUnexpectedServerError(err): // generally indicates a proxy or other load balancer problem, rather than a problem coming // from the master m.serverHealth = false default: // Identify known errors that could be expected for a cert request that // indicate everything is working normally - m.serverHealth = errors.IsNotFound(err) || errors.IsForbidden(err) + m.serverHealth = apierrors.IsNotFound(err) || apierrors.IsForbidden(err) } return nil } diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go b/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go index 291c72452be..df1fd1d5b85 100644 --- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go +++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager_test.go @@ -276,7 +276,6 @@ func TestSetRotationDeadline(t *testing.T) { }, }, getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} }, - usages: []certificatesv1.KeyUsage{}, now: func() time.Time { return now }, logf: t.Logf, } @@ -472,7 +471,6 @@ func TestRotateCertCreateCSRError(t *testing.T) { }, }, getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} }, - usages: []certificatesv1.KeyUsage{}, clientsetFn: func(_ *tls.Certificate) (clientset.Interface, error) { return newClientset(fakeClient{failureType: createError}), nil }, @@ -497,7 +495,6 @@ func TestRotateCertWaitingForResultError(t *testing.T) { }, }, getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} }, - usages: []certificatesv1.KeyUsage{}, clientsetFn: func(_ *tls.Certificate) (clientset.Interface, error) { return newClientset(fakeClient{failureType: watchError}), nil },