diff --git a/cmd/dkl-local-server/ssh-secrets.go b/cmd/dkl-local-server/ssh-secrets.go
index c358c86..b830836 100644
--- a/cmd/dkl-local-server/ssh-secrets.go
+++ b/cmd/dkl-local-server/ssh-secrets.go
@@ -156,28 +156,25 @@ func sshCASign(cluster string, userPubKey []byte, principal, validity string, op
 		return
 	}
-	_, identity, _, _, err := ssh.ParseAuthorizedKey(userPubKey)
+	pubkey, identity, _, _, err := ssh.ParseAuthorizedKey(bytes.TrimSpace(userPubKey))
 	if err != nil {
 		return
 	}
+	ak := ssh.MarshalAuthorizedKey(pubkey)
+
 	userPubKeyFile, err := os.CreateTemp("/tmp", "user.pub")
 	if err != nil {
 		return
 	}
 	defer os.Remove(userPubKeyFile.Name())
-	_, err = io.Copy(userPubKeyFile, bytes.NewBuffer(userPubKey))
+	_, err = io.Copy(userPubKeyFile, bytes.NewBuffer(ak))
 	userPubKeyFile.Close()
 	if err != nil {
 		return
 	}
-	err = os.WriteFile(userPubKeyFile.Name(), userPubKey, 0600)
-	if err != nil {
-		return
-	}
-
 	serial := strconv.FormatInt(time.Now().Unix(), 10)
 	cmd := exec.Command("ssh-keygen", "-q", "-s", "/dev/stdin", "-I", identity, "-z", serial, "-n", principal)
diff --git a/html/ui/js/Cluster.js b/html/ui/js/Cluster.js
index 5a32b61..49a67d5 100644
--- a/html/ui/js/Cluster.js
+++ b/html/ui/js/Cluster.js
@@ -15,8 +15,8 @@ export default {
     sshUserCert: null,
     kubeSignReq: {
       CSR: "",
-      User: "anonymous",
-      Group: "",
+      User: "",
+      Group: "system:masters",
     },
     kubeUserCert: null,
   };
@@ -28,8 +28,13 @@ export default {
       method: 'POST',
       body: JSON.stringify({ ...this.sshSignReq, Validity: this.signReqValidity }),
       headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
-    }).then((resp) => resp.blob())
-      .then((cert) => { this.sshUserCert = URL.createObjectURL(cert) })
+    }).then((resp) => {
+      if (resp.ok) {
+        resp.blob().then((cert) => { this.sshUserCert = URL.createObjectURL(cert) })
+      } else {
+        resp.json().then((resp) => alert('failed to sign: '+resp.message))
+      }
+    })
       .catch((e) => { alert('failed to sign: '+e); })
   },
   kubeCASign() {
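Review bot: `identity`, which the rewritten parse line now reads from the canonicalised key, is still the comment field of a client-supplied key and is passed unchanged as the ssh-keygen `-I` key ID — the value that lands in the issued certificate and in sshd's auth logs — and it is empty when the key carries no comment. The caller is already authenticated by bearer token (see the Authorization header in the Cluster.js hunk), so deriving the key ID from that identity server-side would be the robust fix; at minimum an empty one should be rejected, e.g. `if identity == "" { err = errors.New("public key has no comment to use as key ID"); return }` (assuming `err` is a named result, as the bare returns suggest, and using whichever error helper the file already imports). The fourth return value of `ssh.ParseAuthorizedKey` (`rest`) is still discarded, so trailing data after the first key is silently dropped rather than refused; `if len(bytes.TrimSpace(rest)) != 0 { … }` would make that explicit. sshCASign starts and ends outside the hunk.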
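Review bot: Defaulting `Group` to `system:masters` on the changed line pre-fills every Kubernetes signing request from the UI with the cluster-admin group, so a user who only types a `User` and submits gets a cert with full cluster rights unless the server independently restricts the group. A least-privilege default (keeping `Group: ""`, or a read-only group) is the safer starting point, and whether the group is validated server-side against the caller's token cannot be seen from this diff and is worth confirming. If the admin default is deliberate, a comment on that line such as `// defaults to cluster-admin; the server is expected to restrict who may request this group` would stop it being silently "fixed" later.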
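Review bot: In the new `.then` callback neither `resp.blob()` nor `resp.json()` is returned, so a rejection from either (a connection dropped mid-body, or an error response whose body is not JSON) bypasses the `.catch` that follows and surfaces only as an unhandled promise rejection; the inner arrow parameter also shadows the outer `resp`. Returning the inner promise and renaming the parameter keeps the existing `.catch` as the single error path: `return resp.blob().then((cert) => { this.sshUserCert = URL.createObjectURL(cert) })` and `return resp.json().then((body) => alert('failed to sign: '+body.message))`. The kubeCASign hunk below (@@ -38) has the same shape and needs the same change.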
@@ -38,8 +43,13 @@ export default {
       method: 'POST',
       body: JSON.stringify({ ...this.kubeSignReq, Validity: this.signReqValidity }),
       headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
-    }).then((resp) => resp.blob())
-      .then((cert) => { this.kubeUserCert = URL.createObjectURL(cert) })
+    }).then((resp) => {
+      if (resp.ok) {
+        resp.blob().then((cert) => { this.kubeUserCert = URL.createObjectURL(cert) })
+      } else {
+        resp.json().then((resp) => alert('failed to sign: '+resp.message))
+      }
+    })
       .catch((e) => { alert('failed to sign: '+e); })
   },
 },
@@ -78,11 +88,12 @@ export default {

Public key (OpenSSH format):

-

Principal:

+

User:

-

-

- Get certificate +

+

Grant Kubernetes API access

@@ -93,9 +104,10 @@ export default {

User:

Group:

-

-

- Get certificate +

+

` }
diff --git a/html/ui/js/app.js b/html/ui/js/app.js
index a869e61..87fdc44 100644
--- a/html/ui/js/app.js
+++ b/html/ui/js/app.js
@@ -65,7 +65,7 @@ createApp({
       (this.state.Clusters||[]).forEach((c) => views.push({type: "cluster", name: c.Name, title: `Cluster ${c.Name}`}));
       (this.state.Hosts ||[]).forEach((c) => views.push({type: "host", name: c.Name, title: `Host ${c.Name}`}));
-      return views.filter((v) => v.name.includes(this.viewFilter));
+      return views.filter((v) => v.type != "host" || v.name.includes(this.viewFilter));
     },
     viewObj() {
       if (this.view) {
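Review bot: The new filter condition exempts clusters from `viewFilter` without saying why, and a reader of `v.type != "host" || …` may take it for a bug; a one-line comment above the return such as `// viewFilter narrows the host list only; clusters are always shown` would settle that. Loose `!=` works here, but `!==` is the conventional choice for a string comparison and avoids the coercion question entirely. The enclosing computed property starts and ends outside the hunk.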