github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

allow individual ca bundles to be empty in union

Browse Source
This commit is contained in:
David Eads 2019-11-12 12:44:53 -05:00
parent e44352f31a
commit 758f2ce44f
3 changed files with 7 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/tlsconfig.go
View File

@ -103,10 +103,9 @@ func (c *DynamicServingCertificateController) newTLSContent() (*dynamicCertifica
if c.clientCA != nil { if c.clientCA != nil {
currClientCABundle := c.clientCA.CurrentCABundleContent() currClientCABundle := c.clientCA.CurrentCABundleContent()
// don't remove all content. The value was configured at one time, so continue using that. // we allow removing all client ca bundles because the server is still secure when this happens. it just means
if len(currClientCABundle) == 0 { // that there isn't a hint to clients about which client-cert to used. this happens when there is no client-ca
return nil, fmt.Errorf("not loading an empty client ca bundle from %q", c.clientCA.Name()) // yet known for authentication, which can happen in aggregated apiservers and some kube-apiserver deployment modes.
}
newContent.clientCA = caBundleContent{caBundle: currClientCABundle} newContent.clientCA = caBundleContent{caBundle: currClientCABundle}
} }
@ -152,7 +151,7 @@ func (c *DynamicServingCertificateController) syncCerts() error {
newClientCAPool := x509.NewCertPool() newClientCAPool := x509.NewCertPool()
newClientCAs, err := cert.ParseCertsPEM(newContent.clientCA.caBundle) newClientCAs, err := cert.ParseCertsPEM(newContent.clientCA.caBundle)
if err != nil { if err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file %q: %v", string(newContent.clientCA.caBundle), err)
} }
for i, cert := range newClientCAs { for i, cert := range newClientCAs {
klog.V(2).Infof("loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert)) klog.V(2).Infof("loaded client CA [%d/%q]: %s", i, c.clientCA.Name(), GetHumanCertDetail(cert))

6
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/tlsconfig_test.go
View File

@ -99,12 +99,6 @@ func TestNewStaticCertKeyContent(t *testing.T) {
sniCerts: []sniCertKeyContent{{certKeyContent: certKeyContent{cert: serverCert, key: serverKey}, sniNames: []string{"foo"}}}, sniCerts: []sniCertKeyContent{{certKeyContent: certKeyContent{cert: serverCert, key: serverKey}, sniNames: []string{"foo"}}},
}, },
}, },
{
name: "missingCA",
clientCA: &staticCAContent{name: "test-ca", caBundle: &caBundleAndVerifier{caBundle: []byte("")}},
expected: nil,
expectedErr: `not loading an empty client ca bundle from "test-ca"`,
},
{ {
name: "nil", name: "nil",
expected: &dynamicCertificateContent{clientCA: caBundleContent{}, servingCert: certKeyContent{}}, expected: &dynamicCertificateContent{clientCA: caBundleContent{}, servingCert: certKeyContent{}},

4
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/union_content.go
View File

@ -48,7 +48,9 @@ func (c unionCAContent) Name() string {
func (c unionCAContent) CurrentCABundleContent() []byte { func (c unionCAContent) CurrentCABundleContent() []byte {
caBundles := [][]byte{} caBundles := [][]byte{}
for _, curr := range c { for _, curr := range c {
caBundles = append(caBundles, curr.CurrentCABundleContent()) if currCABytes := curr.CurrentCABundleContent(); len(currCABytes) > 0 {
caBundles = append(caBundles, []byte(strings.TrimSpace(string(currCABytes))))
}
} }
return bytes.Join(caBundles, []byte("\n")) return bytes.Join(caBundles, []byte("\n"))