use openssl to check for expired certs
Steven Powell
parent
5c186e25a7
commit
0313e8dd90
|
|
@ -349,14 +349,12 @@ func generateProfileCerts(cfg config.ClusterConfig, n config.Node, ccs CACerts,
|
|||
}
|
||||
|
||||
func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error {
|
||||
gt, err := guestTime(cmd)
|
||||
if err != nil {
|
||||
return err
|
||||
if _, err := cmd.RunCmd(exec.Command("ls", path.Join(vmpath.GuestPersistentDir, "certs", "etcd"))); err != nil {
|
||||
klog.Infof("certs directory doesn't exist, likely first start: %v", err)
|
||||
return nil
|
||||
}
|
||||
// add one day to the time so if the certs expire in less than a day we regenerate
|
||||
gt = gt.Add(24 * time.Hour)
|
||||
|
||||
needsRefresh := false
|
||||
expiredCerts := false
|
||||
certs := []string{"apiserver-etcd-client", "apiserver-kubelet-client", "etcd-server", "etcd-healthcheck-client", "etcd-peer", "front-proxy-client"}
|
||||
for _, cert := range certs {
|
||||
certPath := []string{vmpath.GuestPersistentDir, "certs"}
|
||||
|
|
@ -366,11 +364,11 @@ func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error {
|
|||
certPath = append(certPath, "etcd")
|
||||
}
|
||||
certPath = append(certPath, strings.TrimPrefix(cert, "etcd-")+".crt")
|
||||
if !isKubeadmCertValid(cmd, path.Join(certPath...), gt) {
|
||||
needsRefresh = true
|
||||
if !isKubeadmCertValid(cmd, path.Join(certPath...)) {
|
||||
expiredCerts = true
|
||||
}
|
||||
}
|
||||
if !needsRefresh {
|
||||
if !expiredCerts {
|
||||
return nil
|
||||
}
|
||||
out.WarningT("kubeadm certificates have expired. Generating new ones...")
|
||||
|
|
@ -382,19 +380,6 @@ func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func guestTime(cmd command.Runner) (time.Time, error) {
|
||||
var t time.Time
|
||||
rr, err := cmd.RunCmd(exec.Command("date", "-u", "+%d-%m-%y-%T"))
|
||||
if err != nil {
|
||||
return t, fmt.Errorf("failed to get time on guest: %v", err)
|
||||
}
|
||||
t, err = time.Parse("02-01-06-15:04:05", strings.TrimSpace(rr.Stdout.String()))
|
||||
if err != nil {
|
||||
return t, fmt.Errorf("failed to parse time: %v", err)
|
||||
}
|
||||
return t, nil
|
||||
}
|
||||
|
||||
// isValidPEMCertificate checks whether the input file is a valid PEM certificate (with at least one CERTIFICATE block)
|
||||
func isValidPEMCertificate(filePath string) (bool, error) {
|
||||
fileBytes, err := os.ReadFile(filePath)
|
||||
|
|
@ -597,30 +582,10 @@ func isValid(certPath, keyPath string) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func isKubeadmCertValid(cmd command.Runner, certPath string, gt time.Time) bool {
|
||||
rr, err := cmd.RunCmd(exec.Command("cat", certPath))
|
||||
func isKubeadmCertValid(cmd command.Runner, certPath string) bool {
|
||||
_, err := cmd.RunCmd(exec.Command("openssl", "x509", "-noout", "-in", certPath, "-checkend", "86400"))
|
||||
if err != nil {
|
||||
klog.Infof("failed to read cert file %s: %v", certPath, err)
|
||||
// if reading the cert failed it's likely first start and it doesn't exist yet so mark as valid
|
||||
return true
|
||||
klog.Infof("%v", err)
|
||||
}
|
||||
|
||||
certData, _ := pem.Decode(rr.Stdout.Bytes())
|
||||
if certData == nil {
|
||||
klog.Infof("failed to decode cert file %s", certPath)
|
||||
return false
|
||||
}
|
||||
|
||||
cert, err := x509.ParseCertificate(certData.Bytes)
|
||||
if err != nil {
|
||||
klog.Infof("failed to parse cert file %s: %v\n", certPath, err)
|
||||
return false
|
||||
}
|
||||
|
||||
if cert.NotAfter.Before(gt) {
|
||||
klog.Infof("cert expired %s: expiration: %s, now: %s", certPath, cert.NotAfter, time.Now())
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
return err == nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue