Remove node requirement to access private ca key in S3

kubernetes · Aug 11, 2017 · c6848be · c6848be
1 parent cd14941
commit c6848be
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 31 deletions.
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
@@ -314,7 +314,6 @@ func addS3Permissions(p *IAMPolicy, iamPrefix string, s3Path *vfs.S3Path, role a
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/instancegroup/*"}, ""),
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/issued/*"}, ""),
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/ssh/*"}, ""),
-				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/ca/*"}, ""),
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/master/*"}, ""),
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kube-proxy/*"}, ""),
 				strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kubelet/*"}, ""),

diff --git a/pkg/model/iam/iam_builder_test.go b/pkg/model/iam/iam_builder_test.go
@@ -126,7 +126,6 @@ func TestS3PolicyGeneration(t *testing.T) {
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/instancegroup/*",
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/issued/*",
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/ssh/*",
-						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/ca/*",
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/master/*",
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/kube-proxy/*",
 						"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/kubelet/*",

diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
@@ -24,14 +24,16 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
-	"github.com/golang/glog"
-	"golang.org/x/crypto/ssh"
-	"k8s.io/kops/util/pkg/vfs"
 	"math/big"
 	"os"
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/golang/glog"
+	"golang.org/x/crypto/ssh"
+
+	"k8s.io/kops/util/pkg/vfs"
 )
 
 type VFSCAStore struct {
@@ -300,19 +302,11 @@ func (c *VFSCAStore) FindKeypair(id string) (*Certificate, *PrivateKey, error) {
 func (c *VFSCAStore) FindCert(id string) (*Certificate, error) {
 	var certs *certificates
 
-	if id == CertificateId_CA {
-		caCertificates, _, err := c.readCAKeypairs()
-		if err != nil {
-			return nil, err
-		}
-		certs = caCertificates
-	} else {
-		var err error
-		p := c.buildCertificatePoolPath(id)
-		certs, err = c.loadCertificates(p)
-		if err != nil {
-			return nil, err
-		}
+	var err error
+	p := c.buildCertificatePoolPath(id)
+	certs, err = c.loadCertificates(p)
+	if err != nil {
+		return nil, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", id, err)
 	}
 
 	var cert *Certificate
@@ -326,19 +320,11 @@ func (c *VFSCAStore) FindCert(id string) (*Certificate, error) {
 func (c *VFSCAStore) FindCertificatePool(id string) (*CertificatePool, error) {
 	var certs *certificates
 
-	if id == CertificateId_CA {
-		caCertificates, _, err := c.readCAKeypairs()
-		if err != nil {
-			return nil, err
-		}
-		certs = caCertificates
-	} else {
-		var err error
-		p := c.buildCertificatePoolPath(id)
-		certs, err = c.loadCertificates(p)
-		if err != nil {
-			return nil, err
-		}
+	var err error
+	p := c.buildCertificatePoolPath(id)
+	certs, err = c.loadCertificates(p)
+	if err != nil {
+		return nil, fmt.Errorf("error in 'FindCertificatePool' attempting to load cert %q: %v", id, err)
 	}
 
 	pool := &CertificatePool{}