From 64d61185eb826e606810e8e117e0c877b02caab6 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 16 Jun 2015 23:02:54 -0400
Subject: [PATCH] Re-enable ECDSA private server key use

---
 cmd/kube-apiserver/app/server.go | 6 +++++-
 pkg/apiserver/authn.go | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index cd12dc777fb..b40d659ec7d 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -321,7 +321,11 @@ func (s *APIServer) Run(_ []string) error {
 	// Default to the private server key for service account token signing
 	if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
-		s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
+		if apiserver.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
+			s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
+		} else {
+			glog.Warning("no RSA key provided, service account token authentication disabled")
+		}
 	}
 	authenticator, err := apiserver.NewAuthenticator(s.BasicAuthFile, s.ClientCAFile, s.TokenAuthFile, s.ServiceAccountKeyFile, s.ServiceAccountLookup, helper)
 	if err != nil {
diff --git a/pkg/apiserver/authn.go b/pkg/apiserver/authn.go
index 99359c92501..c9a172aa25d 100644
--- a/pkg/apiserver/authn.go
+++ b/pkg/apiserver/authn.go
@@ -77,6 +77,12 @@ func NewAuthenticator(basicAuthFile, clientCAFile, tokenFile, serviceAccountKeyF
 	}
 }
+// IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file
+func IsValidServiceAccountKeyFile(file string) bool {
+	_, err := serviceaccount.ReadPublicKey(file)
+	return err == nil
+}
+
 // newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
 func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
 	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
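Review bot: The warning in the new else branch of Run names a single cause, `no RSA key provided`, but IsValidServiceAccountKeyFile returns false on any error from serviceaccount.ReadPublicKey, which presumably also covers a missing, unreadable or malformed key file, and the underlying error never reaches the log. Because the consequence is that service account token authentication is disabled for the whole apiserver, an operator needs the file name and the reason to notice and act on it; something like `glog.Warningf("service account token authentication disabled: TLS private key %q is not a usable RSA key", s.TLSPrivateKeyFile)` would at least identify the file, with the error text appended once the helper in pkg/apiserver/authn.go exposes it. Run continues outside this hunk.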
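Review bot: IsValidServiceAccountKeyFile discards the error from serviceaccount.ReadPublicKey, so its caller in cmd/kube-apiserver/app/server.go cannot distinguish an ECDSA key (the case this commit targets) from a file that is missing or cannot be parsed at all, even though the outcome in both cases is that token authentication is turned off. A backward-compatible option is to keep this bool wrapper and add a sibling that returns the error, or to let the caller invoke ReadPublicKey directly and log err. The doc comment also lacks a terminating period and says a "public RSA key" is read while the caller passes the TLS private key file; if ReadPublicKey derives the public key from a private key, say so, e.g. `// IsValidServiceAccountKeyFile returns true if an RSA public key can be read from, or derived from a private key in, the given file.` NewAuthenticator closes at the top of this hunk and newAuthenticatorFromBasicAuthFile continues past its end.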