Merge pull request #9927 from liggitt/fix_ecdsa_key

Re-enable ECDSA private server key use
2015-06-18 14:30:27 -07:00 · 2015-06-18 14:30:27 -07:00 · 59876df736
parent 4bf6058919 64d61185eb
commit 59876df736
2 changed files with 11 additions and 1 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -321,7 +321,11 @@ func (s *APIServer) Run(_ []string) error {

 	// Default to the private server key for service account token signing
 	if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
-		s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
+		if apiserver.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
+			s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
+		} else {
+			glog.Warning("no RSA key provided, service account token authentication disabled")
+		}
 	}
 	authenticator, err := apiserver.NewAuthenticator(s.BasicAuthFile, s.ClientCAFile, s.TokenAuthFile, s.ServiceAccountKeyFile, s.ServiceAccountLookup, helper)
 	if err != nil {
--- a/pkg/apiserver/authn.go
+++ b/pkg/apiserver/authn.go
@ -77,6 +77,12 @@ func NewAuthenticator(basicAuthFile, clientCAFile, tokenFile, serviceAccountKeyF
 	}
 }

+// IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file
+func IsValidServiceAccountKeyFile(file string) bool {
+	_, err := serviceaccount.ReadPublicKey(file)
+	return err == nil
+}
+
 // newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
 func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
 	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)