Not validating front proxy CA Key when using External CA.

2025-09-14 13:45:06 +00:00 · 2018-04-16 20:16:47 +08:00
parent e36fa85ec2
commit 511ac8a064
3 changed files with 23 additions and 12 deletions
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@@ -611,8 +611,9 @@ type certKeyLocation struct {
 	uxName     string
 }
-// UsingExternalCA determines whether the user is relying on an external CA.  We currently implicitly determine this is the case when the CA Cert
+// UsingExternalCA determines whether the user is relying on an external CA.  We currently implicitly determine this is the case
-// is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller.
+// when both the CA Cert and the front proxy CA Cert are present but the CA Key and front proxy CA Key are not.
 // This allows us to, e.g., skip generating certs or not start the csr signing controller.
 func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
 	if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil {
@@ -621,7 +622,7 @@ func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
 	caKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName)
 	if _, err := os.Stat(caKeyPath); !os.IsNotExist(err) {
-		return false, fmt.Errorf("ca.key exists")
+		return false, fmt.Errorf("%s exists", kubeadmconstants.CAKeyName)
 	}
 	if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, kubeadmconstants.APIServerCertAndKeyBaseName, "API server"}); err != nil {
@@ -636,10 +637,15 @@ func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, error) {
 		return false, err
 	}
-	if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, "", "front-proxy CA"}); err != nil {
+	if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, "", "front-proxy CA"}); err != nil {
 		return false, err
 	}
 	frontProxyCAKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)
 	if _, err := os.Stat(frontProxyCAKeyPath); !os.IsNotExist(err) {
 		return false, fmt.Errorf("%s exists", kubeadmconstants.FrontProxyCAKeyName)
 	}
 	if err := validateSignedCert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName, kubeadmconstants.FrontProxyClientCertAndKeyBaseName, "front-proxy client"}); err != nil {
 		return false, err
 	}
--- a/cmd/kubeadm/app/phases/certs/certs_test.go
+++ b/cmd/kubeadm/app/phases/certs/certs_test.go
@@ -466,6 +466,7 @@ func TestUsingExternalCA(t *testing.T) {
 			setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
 				CreatePKIAssets,
 				deleteCAKey,
 				deleteFrontProxyCAKey,
 			},
 			expected: true,
 		},
@@ -583,16 +584,17 @@ func TestValidateMethods(t *testing.T) {
 }
 func deleteCAKey(cfg *kubeadmapi.MasterConfiguration) error {
-	if err := os.Remove(filepath.Join(cfg.CertificatesDir, "ca.key")); err != nil {
+	if err := os.Remove(filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName)); err != nil {
-		return fmt.Errorf("failed removing ca.key: %v", err)
+		return fmt.Errorf("failed removing %s: %v", kubeadmconstants.CAKeyName, err)
 	}
 	return nil
 }
-func assertIsCa(t *testing.T, cert *x509.Certificate) {
+func deleteFrontProxyCAKey(cfg *kubeadmapi.MasterConfiguration) error {
-	if !cert.IsCA {
+	if err := os.Remove(filepath.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)); err != nil {
-		t.Error("cert is not a valida CA")
+		return fmt.Errorf("failed removing %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
 	}
 	return nil
 }
 func TestCreateCertificateFilesMethods(t *testing.T) {
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -967,10 +967,13 @@ func TestGetControllerManagerCommandExternalCA(t *testing.T) {
 			t.Errorf("failed creating pki assets: %v", err)
 		}
-		// delete ca.key if test.caKeyPresent is false
+		// delete ca.key and front-proxy-ca.key if test.caKeyPresent is false
 		if !test.caKeyPresent {
-			if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, "ca.key")); err != nil {
+			if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.CAKeyName)); err != nil {
-				t.Errorf("failed removing ca.key: %v", err)
+				t.Errorf("failed removing %s: %v", kubeadmconstants.CAKeyName, err)
 			}
 			if err := os.Remove(filepath.Join(test.cfg.CertificatesDir, kubeadmconstants.FrontProxyCAKeyName)); err != nil {
 				t.Errorf("failed removing %s: %v", kubeadmconstants.FrontProxyCAKeyName, err)
 			}
 		}