diff --git a/pkg/minikube/bootstrapper/certs.go b/pkg/minikube/bootstrapper/certs.go index c20582f64f..766655a5de 100644 --- a/pkg/minikube/bootstrapper/certs.go +++ b/pkg/minikube/bootstrapper/certs.go @@ -349,14 +349,12 @@ func generateProfileCerts(cfg config.ClusterConfig, n config.Node, ccs CACerts, } func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error { - gt, err := guestTime(cmd) - if err != nil { - return err + if _, err := cmd.RunCmd(exec.Command("ls", path.Join(vmpath.GuestPersistentDir, "certs", "etcd"))); err != nil { + klog.Infof("certs directory doesn't exist, likely first start: %v", err) + return nil } - // add one day to the time so if the certs expire in less than a day we regenerate - gt = gt.Add(24 * time.Hour) - needsRefresh := false + expiredCerts := false certs := []string{"apiserver-etcd-client", "apiserver-kubelet-client", "etcd-server", "etcd-healthcheck-client", "etcd-peer", "front-proxy-client"} for _, cert := range certs { certPath := []string{vmpath.GuestPersistentDir, "certs"} @@ -366,11 +364,11 @@ func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error { certPath = append(certPath, "etcd") } certPath = append(certPath, strings.TrimPrefix(cert, "etcd-")+".crt") - if !isKubeadmCertValid(cmd, path.Join(certPath...), gt) { - needsRefresh = true + if !isKubeadmCertValid(cmd, path.Join(certPath...)) { + expiredCerts = true } } - if !needsRefresh { + if !expiredCerts { return nil } out.WarningT("kubeadm certificates have expired. Generating new ones...") @@ -382,19 +380,6 @@ func generateKubeadmCerts(cmd command.Runner, cc config.ClusterConfig) error { return nil } -func guestTime(cmd command.Runner) (time.Time, error) { - var t time.Time - rr, err := cmd.RunCmd(exec.Command("date", "-u", "+%d-%m-%y-%T")) - if err != nil { - return t, fmt.Errorf("failed to get time on guest: %v", err) - } - t, err = time.Parse("02-01-06-15:04:05", strings.TrimSpace(rr.Stdout.String())) - if err != nil { - return t, fmt.Errorf("failed to parse time: %v", err) - } - return t, nil -} - // isValidPEMCertificate checks whether the input file is a valid PEM certificate (with at least one CERTIFICATE block) func isValidPEMCertificate(filePath string) (bool, error) { fileBytes, err := os.ReadFile(filePath) @@ -597,30 +582,10 @@ func isValid(certPath, keyPath string) bool { return true } -func isKubeadmCertValid(cmd command.Runner, certPath string, gt time.Time) bool { - rr, err := cmd.RunCmd(exec.Command("cat", certPath)) +func isKubeadmCertValid(cmd command.Runner, certPath string) bool { + _, err := cmd.RunCmd(exec.Command("openssl", "x509", "-noout", "-in", certPath, "-checkend", "86400")) if err != nil { - klog.Infof("failed to read cert file %s: %v", certPath, err) - // if reading the cert failed it's likely first start and it doesn't exist yet so mark as valid - return true + klog.Infof("%v", err) } - - certData, _ := pem.Decode(rr.Stdout.Bytes()) - if certData == nil { - klog.Infof("failed to decode cert file %s", certPath) - return false - } - - cert, err := x509.ParseCertificate(certData.Bytes) - if err != nil { - klog.Infof("failed to parse cert file %s: %v\n", certPath, err) - return false - } - - if cert.NotAfter.Before(gt) { - klog.Infof("cert expired %s: expiration: %s, now: %s", certPath, cert.NotAfter, time.Now()) - return false - } - - return true + return err == nil }