diff --git a/lib/client/kube/kube.go b/lib/client/kube/kube.go
index cb02b8ab1dfe8..ff70bdb8fc375 100644
--- a/lib/client/kube/kube.go
+++ b/lib/client/kube/kube.go
@@ -42,15 +42,13 @@ func CheckIfCertsAreAllowedToAccessCluster(k *client.KeyRing, rootCluster, telep
 if rootCluster != teleportCluster {
 return nil
 }
- for k8sCluster, cred := range k.KubeTLSCredentials {
- if k8sCluster != kubeCluster {
- continue
- }
+ if cred, ok := k.KubeTLSCredentials[kubeCluster]; ok {
 log.Debugf("Got TLS cert for Kubernetes cluster %q", k8sCluster)
 exist, err := checkIfCertHasKubeGroupsAndUsers(cred.Cert)
 if err != nil {
 return trace.Wrap(err)
- } else if exist {
+ }
+ if exist {
 return nil
 }
 }
diff --git a/tool/tsh/common/kube_proxy.go b/tool/tsh/common/kube_proxy.go
index cfd73cb1b075f..4800f88e54a5c 100644
--- a/tool/tsh/common/kube_proxy.go
+++ b/tool/tsh/common/kube_proxy.go
@@ -576,7 +576,7 @@ func issueKubeCert(ctx context.Context, tc *client.TeleportClient, clusterClient
 requesterName = proto.UserCertsRequest_TSH_KUBE_LOCAL_PROXY_HEADLESS
 }
 
- key, mfaRequired, err := clusterClient.IssueUserCertsWithMFA(
+ keyRing, mfaRequired, err := clusterClient.IssueUserCertsWithMFA(
 ctx,
 client.ReissueParams{
 RouteToCluster: teleportCluster,
@@ -599,7 +599,7 @@ func issueKubeCert(ctx context.Context, tc *client.TeleportClient, clusterClient
 return tls.Certificate{}, trace.Wrap(err)
 }
 if err := kubeclient.CheckIfCertsAreAllowedToAccessCluster(
- key,
+ keyRing,
 rootClusterName,
 teleportCluster,
 kubeCluster); err != nil {
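Review bot: The new `if cred, ok := k.KubeTLSCredentials[kubeCluster]; ok {` removes the `for k8sCluster, cred := range ...` header that was the only visible declaration of `k8sCluster`, yet the unchanged `log.Debugf("Got TLS cert for Kubernetes cluster %q", k8sCluster)` on the next line still references it, so unless `k8sCluster` is declared somewhere outside the hunk this file no longer compiles. The log line should name the key that was actually looked up: `log.Debugf("Got TLS cert for Kubernetes cluster %q", kubeCluster)`. The direct map lookup itself is fine without a nil check, since indexing a nil map in Go yields the zero value and `ok == false`, which preserves the old "no credential, return nil" path. The function's signature and the rest of its body lie outside the hunk.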
@@ -608,12 +608,12 @@ func issueKubeCert(ctx context.Context, tc *client.TeleportClient, clusterClient
 
 // Save it if MFA was not required.
 if mfaRequired == proto.MFARequired_MFA_REQUIRED_NO {
- if err := tc.LocalAgent().AddKubeKeyRing(key); err != nil {
+ if err := tc.LocalAgent().AddKubeKeyRing(keyRing); err != nil {
 return tls.Certificate{}, trace.Wrap(err)
 }
 }
 
- cert, err := key.KubeTLSCert(kubeCluster)
+ cert, err := keyRing.KubeTLSCert(kubeCluster)
 if err != nil {
 return tls.Certificate{}, trace.Wrap(err)
 }