From 2dc5ba5baefcd64a0be3c9fb5e53e63b91e0ed18 Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Fri, 27 Sep 2019 00:38:04 +0200
Subject: [PATCH] Add certificate rotation
---
 pkg/daemons/control/server.go | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 155e645364..bd1bdf1a9f 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -569,7 +569,7 @@ func genClientCerts(config *config.Control, runtime *config.ControlRuntime) erro
 return err
 }
- if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey); err != nil {
+ if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey, regen); err != nil {
 return err
 }
@@ -614,7 +614,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
 return err
 }
- if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey); err != nil {
+ if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey, regen); err != nil {
 return err
 }
@@ -638,6 +638,11 @@ func genRequestHeaderCerts(config *config.Control, runtime *config.ControlRuntim
 }
 func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
+ // check for certificate expiration
+ if !regen {
+ regen = expired(certFile)
+ }
+
 if !regen {
 if exists(certFile, keyFile) {
 return false, nil
@@ -663,8 +668,7 @@ func createClientCertKey(regen bool, commonName string, organization []string, a
 if err != nil {
 return false, err
 }
-
- keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+ keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, regen)
 if err != nil {
 return false, err
 }
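Review bot: The new second argument to `certutil.LoadOrGenerateKeyFile` in this hunk (and in the -614, -663 and -718 hunks) is not introduced by this patch — the diffstat lists only server.go — so the build presumably relies on an updated vendored certutil that has to land with this change; worth confirming before merge. The `regen` value passed here also comes from outside the hunk, so it is not visible whether it is the caller's explicit flag or derived from an expiry check; since a bare key file has no NotAfter to inspect, a short comment such as `// regen is caller-driven: a standalone key has no expiry to check` at the call site would make that explicit. genClientCerts begins before this hunk.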
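Review bot: The added comment `// check for certificate expiration` understates the effect of the new branch: once `expired` flips `regen`, the -663 hunk passes that same `regen` to `LoadOrGenerateKeyFile`, so a rotation triggered here replaces both the certificate and its private key rather than re-issuing over the existing key. Suggest `// a certificate inside the rotation window forces regeneration of both the certificate and its private key`. Note also that `expired` returns false when the file cannot be read, so a missing certificate still falls through to the `exists` check below exactly as before; that is the intended path and could be mentioned in the same comment. createClientCertKey continues past this hunk.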
@@ -718,7 +722,7 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) {
 return false, nil
 }
- caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+ caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, false)
 if err != nil {
 return false, err
 }
@@ -782,3 +786,21 @@ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
 argsMap["etcd-keyfile"] = cfg.Storage.KeyFile
 }
 }
+
+func expired(certFile string) bool {
+ certBytes, err := ioutil.ReadFile(certFile)
+ if err != nil {
+ return false
+ }
+ certificates, err := certutil.ParseCertsPEM(certBytes)
+ if err != nil {
+ return false
+ }
+ expirationDate := certificates[0].NotAfter
+ diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
+ if diffDays <= 90 {
+ logrus.Infof("certificate %s is about to expire", certFile)
+ return true
+ }
+ return false
+}
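Review bot: `createSigningCertKey` passes a hard-coded `false`, so CA certificates are excluded from the expiry window the -638 hunk applies to leaf certificates: a CA nearing NotAfter keeps signing leaves whose usable lifetime is capped by the CA's own expiry, and nothing logs that condition. If CA rotation is deliberately out of scope for this change, a comment at this call such as `// CA key is never regenerated here and CA expiry is not checked; leaf rotation in createClientCertKey does not cover the CA` would stop readers assuming the rotation is complete. Whether the CA validity period makes this a practical concern is not visible in this diff.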
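Review bot: `expired` indexes `certificates[0]` without checking the slice length, and a parse failure is silently reported as "not expiring", so a corrupt or empty PEM file stays in place with no log line to explain why the cert was neither rotated nor flagged; unless this certutil's `ParseCertsPEM` guarantees a non-empty result on nil error, the index can panic. The name is also misleading — it returns true 90 days before expiry, not at expiry — and the bare `90` and the float day arithmetic would read better as a named `time.Duration` compared with `time.Until`. Only the first certificate in the file is examined, which presumably is the leaf; if the file can hold a chain that ordering should be stated in the doc comment. The rewrite below keeps the "not due" result for unreadable files so the existing `exists` fallback still decides, but logs parse failures.
```go
// certRotationWindow is how far ahead of NotAfter a certificate is treated as due for rotation.
const certRotationWindow = 90 * 24 * time.Hour

// expired reports whether the first certificate in certFile is within
// certRotationWindow of its NotAfter. Files that cannot be read or parsed
// are logged and reported as not due, leaving the exists() check to decide.
func expired(certFile string) bool {
	// … unchanged: ioutil.ReadFile and its error return …
	certificates, err := certutil.ParseCertsPEM(certBytes)
	if err != nil || len(certificates) == 0 {
		logrus.Warnf("certificate %s could not be parsed, skipping expiry check: %v", certFile, err)
		return false
	}
	if time.Until(certificates[0].NotAfter) <= certRotationWindow {
		logrus.Infof("certificate %s is about to expire", certFile)
		return true
	}
	return false
}
```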