Merge pull request #71152 from liztio/no-csr-ca

Don't allow --csr-only for CA certs or all
pull/58/head
k8s-ci-robot 2018-11-16 18:22:33 -08:00 committed by GitHub
commit bf0e6d14ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 60 additions and 19 deletions


@ -91,7 +91,6 @@ func newCertSubPhases() []workflow.Phase {
Short: "Generates all certificates", Short: "Generates all certificates",
InheritFlags: getCertPhaseFlags("all"), InheritFlags: getCertPhaseFlags("all"),
RunAllSiblings: true, RunAllSiblings: true,
LocalFlags: localFlags(),
} }
subPhases = append(subPhases, allPhase) subPhases = append(subPhases, allPhase)
@ -104,6 +103,7 @@ func newCertSubPhases() []workflow.Phase {
for _, cert := range certList { for _, cert := range certList {
certPhase := newCertSubPhase(cert, runCertPhase(cert, ca)) certPhase := newCertSubPhase(cert, runCertPhase(cert, ca))
certPhase.LocalFlags = localFlags()
subPhases = append(subPhases, certPhase) subPhases = append(subPhases, certPhase)
} }
} }
@ -133,7 +133,6 @@ func newCertSubPhase(certSpec *certsphase.KubeadmCert, run func(c workflow.RunDa
), ),
Run: run, Run: run,
InheritFlags: getCertPhaseFlags(certSpec.Name), InheritFlags: getCertPhaseFlags(certSpec.Name),
LocalFlags: localFlags(),
} }
return phase return phase
} }
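Review bot: The assignment `certPhase.LocalFlags = localFlags()` in the inner loop is now the only thing keeping `--csr-only` and `--csr-dir` off the `all` phase and off phases built directly through `newCertSubPhase`, and nothing at that line says so. A later refactor that moves the flags back into `newCertSubPhase` would silently re-enable CSR-only mode for CA certs, so I would add a comment above the assignment such as `// Only leaf certs register --csr-only/--csr-dir; CA and "all" phases must not accept them.` The rejection also reaches the user as a generic `unknown flag` error (the string the new test expects) rather than an explanation; an explicit check in the CA run function would give a clearer message, though that function is not visible here. `newCertSubPhases` starts outside the hunk and may continue past it.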


@ -36,6 +36,7 @@ go_test(
"//cmd/kubeadm/app/phases/certs:go_default_library", "//cmd/kubeadm/app/phases/certs:go_default_library",
"//cmd/kubeadm/app/util/pkiutil:go_default_library", "//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//cmd/kubeadm/test:go_default_library", "//cmd/kubeadm/test:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library",
"//vendor/github.com/renstrom/dedent:go_default_library", "//vendor/github.com/renstrom/dedent:go_default_library",
"//vendor/sigs.k8s.io/yaml:go_default_library", "//vendor/sigs.k8s.io/yaml:go_default_library",
], ],


@ -17,8 +17,11 @@ limitations under the License.
package kubeadm package kubeadm
import ( import (
"os/exec"
"strings"
"testing" "testing"
"github.com/pkg/errors"
"github.com/renstrom/dedent" "github.com/renstrom/dedent"
"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs" "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
@ -200,24 +203,62 @@ func TestCmdInitCertPhaseCSR(t *testing.T) {
t.Skip() t.Skip()
} }
csrDir := testutil.SetupTempDir(t) tests := []struct {
name string
cert := &certs.KubeadmCertKubeletClient baseName string
kubeadmPath := getKubeadmPath() expectedError string
_, _, err := RunCmd(kubeadmPath, }{
"init", {
"phase", name: "generate CSR",
"certs", baseName: certs.KubeadmCertKubeletClient.BaseName,
cert.BaseName, },
"--csr-only", {
"--csr-dir="+csrDir, name: "fails on CSR",
) baseName: certs.KubeadmCertRootCA.BaseName,
if err != nil { expectedError: "unknown flag: --csr-only",
t.Fatalf("couldn't run kubeadm: %v", err) },
{
name: "fails on all",
baseName: "all",
expectedError: "unknown flag: --csr-only",
},
} }
if _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, cert.BaseName); err != nil { for _, test := range tests {
t.Fatalf("couldn't load certificate %q: %v", cert.BaseName, err) t.Run(test.name, func(t *testing.T) {
csrDir := testutil.SetupTempDir(t)
cert := &certs.KubeadmCertKubeletClient
kubeadmPath := getKubeadmPath()
_, stderr, err := RunCmd(kubeadmPath,
"init",
"phase",
"certs",
test.baseName,
"--csr-only",
"--csr-dir="+csrDir,
)
if test.expectedError != "" {
cause := errors.Cause(err)
_, ok := cause.(*exec.ExitError)
if !ok {
t.Fatalf("expected exitErr: got %T (%v)", cause, err)
}
if !strings.Contains(stderr, test.expectedError) {
t.Errorf("expected %q to contain %q", stderr, test.expectedError)
}
return
}
if err != nil {
t.Fatalf("couldn't run kubeadm: %v", err)
}
if _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, cert.BaseName); err != nil {
t.Fatalf("couldn't load certificate %q: %v", cert.BaseName, err)
}
})
} }
} }
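Review bot: The success path still checks `cert.BaseName` from the hard-coded `certs.KubeadmCertKubeletClient` rather than the table entry that was actually passed to kubeadm, so a second passing case with a different cert would look for the wrong files. Use the table value, `pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, test.baseName)`, in both the call and the `t.Fatalf` message, and drop the `cert` local. The case named `"fails on CSR"` exercises `certs.KubeadmCertRootCA`, so `"fails on CA"` would describe it better. The failing cases could also assert that `csrDir` is still empty afterwards, which pins that no key material is written when the flag is rejected.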


@ -43,7 +43,7 @@ func runCmdNoWrap(command string, args ...string) (string, string, error) {
func RunCmd(command string, args ...string) (string, string, error) { func RunCmd(command string, args ...string) (string, string, error) {
stdout, stderr, err := runCmdNoWrap(command, args...) stdout, stderr, err := runCmdNoWrap(command, args...)
if err != nil { if err != nil {
return "", "", errors.Wrapf(err, "error running %s %v; \nstdout %q, \nstderr %q, \ngot error", return stdout, stderr, errors.Wrapf(err, "error running %s %v; \nstdout %q, \nstderr %q, \ngot error",
command, args, stdout, stderr) command, args, stdout, stderr)
} }
return stdout, stderr, nil return stdout, stderr, nil
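Review bot: `RunCmd` now returns the captured stdout and stderr together with a non-nil error, which departs from the usual Go expectation that the other results are meaningless on failure, and the function's doc comment (outside the hunk) should say so. Something like `// RunCmd returns the captured stdout and stderr even when err is non-nil, so callers can assert on the output of a failing command.` would do. The wrapped error still embeds the full argument list and both streams via `%q`; if callers ever pass tokens or other secrets as arguments they will end up in test logs, which may be worth noting in the same comment.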