Merge pull request #126538 from SataQiu/validate-20240805

kubeadm: add a validation warning when the certificateValidityPeriod is more than the caCertificateValidityPeriod
2025-08-05 10:19:50 +00:00 · 2024-08-13 22:11:03 -07:00 · 2024-08-13 22:11:03 -07:00 · 62cd87e839
commit 62cd87e839
parent 5e2cead785 506d5c8966
2 changed files with 21 additions and 1 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@ -783,7 +783,7 @@ func ValidateUpgradeConfiguration(c *kubeadm.UpgradeConfiguration) field.ErrorLi
 	return allErrs
 }

-// ValidateCertValidity validates if the values for cert validity are too big
+// ValidateCertValidity validates if the values for cert validity are too big or don't match
 func ValidateCertValidity(cfg *kubeadm.ClusterConfiguration) []error {
 	var allErrs []error
 	if cfg.CertificateValidityPeriod != nil && cfg.CertificateValidityPeriod.Duration > constants.CertificateValidityPeriod {
@ -796,5 +796,12 @@ func ValidateCertValidity(cfg *kubeadm.ClusterConfiguration) []error {
 			errors.Errorf("caCertificateValidityPeriod: the value %v is more than the recommended default for CA certificate expiration: %v",
 				cfg.CACertificateValidityPeriod.Duration, constants.CACertificateValidityPeriod))
 	}
+	if cfg.CertificateValidityPeriod != nil && cfg.CACertificateValidityPeriod != nil {
+		if cfg.CertificateValidityPeriod.Duration > cfg.CACertificateValidityPeriod.Duration {
+			allErrs = append(allErrs,
+				errors.Errorf("certificateValidityPeriod: the value %v is more than the caCertificateValidityPeriod: %v",
+					cfg.CertificateValidityPeriod.Duration, cfg.CACertificateValidityPeriod.Duration))
+		}
+	}
 	return allErrs
 }
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
@ -21,6 +21,7 @@ import (
 	"os"
 	"strings"
 	"testing"
+	"time"

 	"github.com/spf13/pflag"

@ -1585,6 +1586,18 @@ func TestValidateCertValidity(t *testing.T) {
 			},
 			expectedErrors: 2,
 		},
+		{
+			name: "one error from mismatched durations (CertificateValidityPeriod > CACertificateValidityPeriod) ",
+			cfg: &kubeadmapi.ClusterConfiguration{
+				CertificateValidityPeriod: &metav1.Duration{
+					Duration: time.Hour * 2,
+				},
+				CACertificateValidityPeriod: &metav1.Duration{
+					Duration: time.Hour,
+				},
+			},
+			expectedErrors: 1,
+		},
 	}

 	for _, tc := range tests {