Make sure all needed credentials are present in kubeconfig.Update

If TLS client key/cert or CA cert are missing, the kubeconfig ends up
generated successfully, but with those fields empty. For a user, this
looks like a successful `tsh login` with `kubectl` not working
afterwards with cryptic x509 errors.

We should always have the necessary fields provided. If not, `tsh login`
should say exactly what was missing.
Andrew Lytvynov 2020-04-23 14:45:59 -07:00 committed by Andrew Lytvynov
parent 64edb20ea1
commit a6994db3f8


@ -68,13 +68,26 @@ func Update(path string, v Values) error {
return trace.Wrap(err)
}
cas := bytes.Join(v.Credentials.TLSCAs(), []byte("\n"))
// Validate the provided credentials, to avoid partially-populated
// kubeconfig.
if len(v.Credentials.Priv) == 0 {
return trace.BadParameter("private key missing in provided credentials")
}
if len(v.Credentials.TLSCert) == 0 {
return trace.BadParameter("TLS certificate missing in provided credentials")
}
if len(cas) == 0 {
return trace.BadParameter("TLS trusted CAs missing in provided credentials")
}
config.AuthInfos[v.Name] = &clientcmdapi.AuthInfo{
ClientCertificateData: v.Credentials.TLSCert,
ClientKeyData: v.Credentials.Priv,
}
config.Clusters[v.Name] = &clientcmdapi.Cluster{
Server: v.ClusterAddr,
CertificateAuthorityData: bytes.Join(v.Credentials.TLSCAs(), []byte("\n")),
CertificateAuthorityData: cas,
}
lastContext := config.Contexts[v.Name]
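Review bot: The three new guards in Update test only for zero length, so a value that is present but unusable still reaches the kubeconfig: if `v.Credentials.TLSCAs()` can return empty entries (not visible here), `bytes.Join` yields bare newlines and `len(cas) == 0` is false, which would bring back the cryptic x509 errors this commit is meant to replace. Comparing on `len(bytes.TrimSpace(cas)) == 0` closes that case using the `bytes` package the function already calls; decoding each value as PEM before writing it would be stricter. `v.ClusterAddr` is copied into `Server` without any check, so an empty address still produces a partially-populated cluster entry; a matching guard such as `if v.ClusterAddr == "" { return trace.BadParameter("cluster address missing") }` would fit next to the others. Update begins before this hunk and continues after it, so any validation done elsewhere in the function is not visible here.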