Merge pull request #94504 from neolit123/1.20-warning-cert-bounds-client-side

kubeadm: print warnings on invalid cert period instead of erroring out
This commit is contained in:
Kubernetes Prow Robot
2020-09-29 02:49:25 -07:00
committed by GitHub
6 changed files with 74 additions and 11 deletions


@@ -124,6 +124,9 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
caCert, err := pkiutil.TryLoadCertFromDisk(ic.CertificatesDir, ca.BaseName)
if err == nil {
// Validate period
CheckCertificatePeriodValidity(ca.BaseName, caCert)
// Cert exists already, make sure it's valid
if !caCert.IsCA {
return errors.Errorf("certificate %q is not a CA", ca.Name)


@@ -22,6 +22,7 @@ import (
"fmt"
"os"
"path/filepath"
"sync"
"github.com/pkg/errors"
"k8s.io/client-go/util/keyutil"
@@ -32,6 +33,12 @@ import (
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
)
var (
// certPeriodValidation is used to store if period validation was done for a certificate
certPeriodValidationMutex sync.Mutex
certPeriodValidation = map[string]struct{}{}
)
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane.
// If the PKI assets already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.
func CreatePKIAssets(cfg *kubeadmapi.InitConfiguration) error {
@@ -166,6 +173,8 @@ func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate
if err != nil {
return nil, nil, errors.Wrapf(err, "failure loading %s certificate authority", baseName)
}
// Validate period
CheckCertificatePeriodValidity(baseName, caCert)
// Make sure the loaded CA cert actually is a CA
if !caCert.IsCA {
@@ -189,6 +198,8 @@ func writeCertificateAuthorityFilesIfNotExist(pkiDir string, baseName string, ca
if err != nil {
return errors.Wrapf(err, "failure loading %s certificate", baseName)
}
// Validate period
CheckCertificatePeriodValidity(baseName, caCert)
// Check if the existing cert is a CA
if !caCert.IsCA {
@@ -223,6 +234,8 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
if err != nil {
return errors.Wrapf(err, "failure loading %s certificate", baseName)
}
// Validate period
CheckCertificatePeriodValidity(baseName, signedCert)
// Check if the existing cert is signed by the given CA
if err := signedCert.CheckSignatureFrom(signingCert); err != nil {
@@ -365,6 +378,8 @@ func validateCACert(l certKeyLocation) error {
if err != nil {
return errors.Wrapf(err, "failure loading certificate for %s", l.uxName)
}
// Validate period
CheckCertificatePeriodValidity(l.uxName, caCert)
// Check if cert is a CA
if !caCert.IsCA {
@@ -395,6 +410,8 @@ func validateSignedCert(l certKeyLocation) error {
if err != nil {
return errors.Wrapf(err, "failure loading certificate authority for %s", l.uxName)
}
// Validate period
CheckCertificatePeriodValidity(l.uxName, caCert)
return validateSignedCertWithCA(l, caCert)
}
@@ -406,6 +423,8 @@ func validateSignedCertWithCA(l certKeyLocation, caCert *x509.Certificate) error
if err != nil {
return errors.Wrapf(err, "failure loading certificate for %s", l.uxName)
}
// Validate period
CheckCertificatePeriodValidity(l.uxName, signedCert)
// Check if the cert is signed by the CA
if err := signedCert.CheckSignatureFrom(caCert); err != nil {
@@ -439,3 +458,21 @@ func validateCertificateWithConfig(cert *x509.Certificate, baseName string, cfg
}
return nil
}
// CheckCertificatePeriodValidity takes a certificate and prints a warning if its period
// is not valid related to the current time. It does so only if the certificate was not validated already
// by keeping track with a cache.
func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate) {
certPeriodValidationMutex.Lock()
if _, exists := certPeriodValidation[baseName]; exists {
certPeriodValidationMutex.Unlock()
return
}
certPeriodValidation[baseName] = struct{}{}
certPeriodValidationMutex.Unlock()
klog.V(5).Infof("validating certificate period for %s certificate", baseName)
if err := pkiutil.ValidateCertPeriod(cert, 0); err != nil {
klog.Warningf("WARNING: could not validate bounds for certificate %s: %v", baseName, err)
}
}
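Review bot: The dedup cache in CheckCertificatePeriodValidity (last hunk) is keyed on baseName alone, so once any certificate with a given base name has been checked, a different certificate loaded later under the same name in the same process (for example from another pkiDir through validateCACert, or a file re-read after it was rewritten) is skipped and never warned about; the callers also mix l.uxName and baseName as keys into the same map, which would collide if those names ever coincide, though the naming is not visible here. Keying on the certificate identity as well keeps the intended one-warning-per-certificate behaviour without dropping warnings for distinct certificates: `key := fmt.Sprintf("%s:%x", baseName, cert.SerialNumber)` and then `certPeriodValidation[key]` for both the lookup and the store. Separately, the warning text `could not validate bounds for certificate %s` reads as if the check itself failed to run, whereas the doc comment says it fires when the period is not valid for the current time; `WARNING: certificate %s is outside its validity period: %v` tells an operator what to act on. The doc comment should also state that the cache is process-wide and never cleared, since that is what makes the once-only behaviour hold.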