From 439920e51717c67cda172a9a92d38fd6bad65597 Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Fri, 27 Sep 2019 00:35:02 +0200
Subject: [PATCH 1/2] Vendor update and go.mod update

---
 go.mod | 3 +--
 go.sum | 2 ++
 .../rancher/dynamiclistener/cert/io.go | 18 ++++++++++--------
 vendor/modules.txt | 2 +-
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index e7c197b1d7..a631ce1d0c 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,6 @@ replace (
 github.com/prometheus/client_model => github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910
 github.com/prometheus/common => github.com/prometheus/common v0.0.0-20181126121408-4724e9255275
 github.com/prometheus/procfs => github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a
- github.com/rancher/dynamiclistener => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719
 github.com/rancher/kine => github.com/ibuildthecloud/kine v0.1.0
 k8s.io/api => github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.0-k3s.1
 k8s.io/apiextensions-apiserver => github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.0-k3s.1
@@ -92,7 +91,7 @@ require (
 github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830
 github.com/pkg/errors v0.8.1
 github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
- github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719
+ github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
 github.com/rancher/helm-controller v0.2.2
 github.com/rancher/kine v0.0.0-00010101000000-000000000000
 github.com/rancher/remotedialer v0.2.0
diff --git a/go.sum b/go.sum
index 091fcf4ba6..90799902ce 100644
--- a/go.sum
+++ b/go.sum
@@ -558,6 +558,8 @@ github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4
 github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
 github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
 github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
+github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d h1:BPBA86IVuNX/S2g7Kry+jXcuftCWPRLpad1iyd1nP20=
+github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d/go.mod h1:vNqDnGTkrX8tiBUevkvjZoQoiZOjaahVbMaYRIl25l0=
 github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
 github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
 github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI01BdxIbQo=
diff --git a/vendor/github.com/rancher/dynamiclistener/cert/io.go b/vendor/github.com/rancher/dynamiclistener/cert/io.go
index a57bf09d5e..53195668ab 100644
--- a/vendor/github.com/rancher/dynamiclistener/cert/io.go
+++ b/vendor/github.com/rancher/dynamiclistener/cert/io.go
@@ -86,14 +86,16 @@ func WriteKey(keyPath string, data []byte) error {
 
 // LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
 // can't find one, it will generate a new key and store it there.
-func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
- loadedData, err := ioutil.ReadFile(keyPath)
- // Call verifyKeyData to ensure the file wasn't empty/corrupt.
- if err == nil && verifyKeyData(loadedData) {
- return loadedData, false, err
- }
- if !os.IsNotExist(err) {
- return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+func LoadOrGenerateKeyFile(keyPath string, force bool) (data []byte, wasGenerated bool, err error) {
+ if !force {
+ loadedData, err := ioutil.ReadFile(keyPath)
+ // Call verifyKeyData to ensure the file wasn't empty/corrupt.
+ if err == nil && verifyKeyData(loadedData) {
+ return loadedData, false, err
+ }
+ if !os.IsNotExist(err) {
+ return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+ }
 }
 
 generatedData, err := MakeEllipticPrivateKeyPEM()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0443dd936e..ea147581c2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -742,7 +742,7 @@ github.com/prometheus/procfs/internal/util
 # github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8
 github.com/rakelkar/gonetsh/netroute
 github.com/rakelkar/gonetsh/netsh
-# github.com/rancher/dynamiclistener v0.0.0-20190717164634-c08b499d1719 => github.com/erikwilson/rancher-dynamiclistener v0.0.0-20190717164634-c08b499d1719
+# github.com/rancher/dynamiclistener v0.0.0-20190926205813-e2ac9e2c193d
 github.com/rancher/dynamiclistener
 github.com/rancher/dynamiclistener/cert
 # github.com/rancher/helm-controller v0.2.2

From 2dc5ba5baefcd64a0be3c9fb5e53e63b91e0ed18 Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Fri, 27 Sep 2019 00:38:04 +0200
Subject: [PATCH 2/2] Add certificate rotation

---
 pkg/daemons/control/server.go | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 155e645364..bd1bdf1a9f 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -569,7 +569,7 @@ func genClientCerts(config *config.Control, runtime *config.ControlRuntime) erro
 return err
 }
 
- if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey); err != nil {
+ if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ClientKubeletKey, regen); err != nil {
 return err
 }
 
@@ -614,7 +614,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
 return err
 }
 
- if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey); err != nil {
+ if _, _, err := certutil.LoadOrGenerateKeyFile(runtime.ServingKubeletKey, regen); err != nil {
 return err
 }
 
@@ -638,6 +638,11 @@ func genRequestHeaderCerts(config *config.Control, runtime *config.ControlRuntim
 }
 
 func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
+ // check for certificate expiration
+ if !regen {
+ regen = expired(certFile)
+ }
+
 if !regen {
 if exists(certFile, keyFile) {
 return false, nil
@@ -663,8 +668,7 @@ func createClientCertKey(regen bool, commonName string, organization []string, a
 if err != nil {
 return false, err
 }
-
- keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+ keyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, regen)
 if err != nil {
 return false, err
 }
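Review bot: The expiry probe on the new `regen = expired(certFile)` line reports false whenever certFile cannot be read or parsed (per the `expired` body added later in this commit), so a corrupt certificate already on disk is not rotated; the following `if !regen { if exists(certFile, keyFile) { return false, nil` then keeps it in place, assuming `exists` only tests for file presence. Consider having the probe distinguish "missing" from "unparseable", or at least log why regeneration was skipped, so a broken cert does not silently survive every restart. It is also worth a comment that a near-expiry leaf forces a fresh private key as well, since `regen` is now passed through to `LoadOrGenerateKeyFile(keyFile, regen)` further down: `// rotation on expiry regenerates the key pair, not just the certificate`. createClientCertKey's body continues past the hunk.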
@@ -718,7 +722,7 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) {
 return false, nil
 }
 
- caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile)
+ caKeyBytes, _, err := certutil.LoadOrGenerateKeyFile(keyFile, false)
 if err != nil {
 return false, err
 }
@@ -782,3 +786,21 @@ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
 argsMap["etcd-keyfile"] = cfg.Storage.KeyFile
 }
 }
+
+func expired(certFile string) bool {
+ certBytes, err := ioutil.ReadFile(certFile)
+ if err != nil {
+ return false
+ }
+ certificates, err := certutil.ParseCertsPEM(certBytes)
+ if err != nil {
+ return false
+ }
+ expirationDate := certificates[0].NotAfter
+ diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
+ if diffDays <= 90 {
+ logrus.Infof("certificate %s is about to expire", certFile)
+ return true
+ }
+ return false
+}
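Review bot: Passing `false` in `certutil.LoadOrGenerateKeyFile(keyFile, false)` means the signing (CA) key is only ever created when absent, and nothing in this hunk applies the new `expired` check to the CA certificate, so an ageing CA is not rotated the way leaf certificates now are in createClientCertKey; leaves re-issued against a lapsed CA would not validate anyway. If excluding the CA from rotation is deliberate, say so at the call site, e.g. `// CA material is never rotated here; the key is generated only when missing`. createSigningCertKey's body starts before this hunk, so the rest of its flow is not visible.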
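Review bot: `expired` indexes `certificates[0]` without checking the slice length; unless `certutil.ParseCertsPEM` is guaranteed to return an error for PEM input with no certificate blocks (not verifiable from here), a well-formed but empty file panics the control plane at startup. The read and parse errors are also swallowed silently, so an unreadable or corrupt cert is indistinguishable from a healthy one to the caller, and the 90-day window is a bare literal. The rewrite below guards the length, logs the failures (read failures at debug level, since a missing file is the normal first-boot case), names the threshold, and uses time.Until instead of the manual hours/24 arithmetic; a doc comment states the contract. `ioutil`, `time`, `logrus` and `certutil` are used with no import hunk, so presumably they are already imported in server.go.
```go
// renewBeforeExpiry is how long before NotAfter a certificate is rotated.
const renewBeforeExpiry = 90 * 24 * time.Hour

// expired reports whether the leaf certificate in certFile expires within
// renewBeforeExpiry. A file that cannot be read or parsed is reported as not
// expired; the caller's existence check then decides what happens to it.
func expired(certFile string) bool {
	certBytes, err := ioutil.ReadFile(certFile)
	if err != nil {
		// A missing file is the normal first-boot case, so keep this quiet.
		logrus.Debugf("unable to read certificate %s: %v", certFile, err)
		return false
	}
	certificates, err := certutil.ParseCertsPEM(certBytes)
	if err != nil {
		logrus.Warnf("unable to parse certificate %s: %v", certFile, err)
		return false
	}
	if len(certificates) == 0 {
		logrus.Warnf("certificate file %s contains no certificates", certFile)
		return false
	}
	if time.Until(certificates[0].NotAfter) <= renewBeforeExpiry {
		logrus.Infof("certificate %s is about to expire", certFile)
		return true
	}
	return false
}
```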