Use new admin template for K8ssa and admin-OIDC provisioners.
This change replaces the .Insecure.CR template with one that sets all the SANs, but uses key usages and extended key usages for regular TLS certificates.
parent
309d9ddcc4
commit
4c8bf87dc1
4 changed files with 5 additions and 5 deletions
|
@ -221,7 +221,7 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
// Certificate templates: on K8sSA the default template is the certificate
|
||||
// request.
|
||||
templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.CertificateRequestTemplate)
|
||||
templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.DefaultAdminLeafTemplate)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
||||
}
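Review bot: The comment above the `CustomTemplateOptions` call still says the K8sSA default template is the certificate request, but the new line passes `x509util.DefaultAdminLeafTemplate`; the OIDC hunk has the same stale wording ("in that case we will use the CR template"). I would reword it to `// Certificate templates: on K8sSA the default is the admin leaf template: SANs are taken from the CSR, key usages are fixed.` and change the OIDC comment to match. Going by the commit description, every SAN in the CSR is still accepted on this path for any token that passes authorization, so the comment should keep saying so for operators who scope this provisioner. AuthorizeSign begins and ends outside the hunk.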
|
||||
|
|
|
@ -327,7 +327,7 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
|||
// an admin, in that case we will use the CR template.
|
||||
defaultTemplate := x509util.DefaultLeafTemplate
|
||||
if !o.Options.GetX509Options().HasTemplate() && o.IsAdmin(claims.Email) {
|
||||
defaultTemplate = x509util.CertificateRequestTemplate
|
||||
defaultTemplate = x509util.DefaultAdminLeafTemplate
|
||||
}
|
||||
|
||||
templateOptions, err := CustomTemplateOptions(o.Options, data, defaultTemplate)
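Review bot: Nothing visible in this commit pins the new admin behaviour with a test; the four changed files appear to be the two provisioner sources plus go.mod and go.sum. Per the commit description, the assignment `defaultTemplate = x509util.DefaultAdminLeafTemplate` is what now keeps an admin's CSR from choosing its own key usages and extended key usages. A test on the admin path that submits a CSR requesting non-TLS usages and asserts they are not carried into the certificate would guard against a regression to the CR template. The branch is gated only by `o.IsAdmin(claims.Email)` and the absence of a custom template, and whether the email claim is verified is decided outside the hunk, so that is worth confirming since SANs remain unrestricted here.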
|
||||
|
|
2
go.mod
2
go.mod
|
@ -19,7 +19,7 @@ require (
|
|||
github.com/smallstep/cli v0.15.0
|
||||
github.com/smallstep/nosql v0.3.0
|
||||
github.com/urfave/cli v1.22.2
|
||||
go.step.sm/crypto v0.6.0
|
||||
go.step.sm/crypto v0.6.1
|
||||
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
|
||||
golang.org/x/net v0.0.0-20200202094626-16171245cfb2
|
||||
google.golang.org/api v0.15.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -546,8 +546,8 @@ go.step.sm/crypto v0.0.0-20200805202904-ec18b6df3cf0 h1:FymMl8TrXGxFf80BWpO0CnkS
|
|||
go.step.sm/crypto v0.0.0-20200805202904-ec18b6df3cf0/go.mod h1:8VYxmvSKt5yOTBx3MGsD2Gk4F1Es/3FIxrjnfeYWE8U=
|
||||
go.step.sm/crypto v0.1.1 h1:xg3kUS30hEnwgbxtKwq9a4MJaeiU616HSug60LU9B2E=
|
||||
go.step.sm/crypto v0.1.1/go.mod h1:cIoSWTfTQ5xqvwTeZH9ZXZzi6jdMepjK4A/TDWMUvw8=
|
||||
go.step.sm/crypto v0.6.0 h1:fbGUG5VJmDetC+RQ/T0tb6Sx0wCOgqKZcZYzTpUa7eo=
|
||||
go.step.sm/crypto v0.6.0/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0=
|
||||
go.step.sm/crypto v0.6.1 h1:nJoRFGrGNf/mKVVMdWnfLbBfIFt/z4NdJlSL5nipQMQ=
|
||||
go.step.sm/crypto v0.6.1/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0=
|
||||
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
|
|